VTA-004455 – New Malware Campaign Targets Inexperienced Hackers with RAT Malware

Threat actors exploit individuals with limited hacking skills, known as “script kiddies” or “amateur hackers,” to carry out malicious actions without fully understanding the impact. They leverage tools like OpenBullet, originally designed for legitimate web application testing and security tasks. While OpenBullet is used by security professionals to identify vulnerabilities, malicious actors misuse it to create harmful scripts for activities like account takeovers. Raising awareness, emphasizing proper tool usage, implementing security measures, providing reporting channels, and highlighting legal repercussions are important steps to counter these threats and maintain ethical hacking practices. OpenBullet is a freely available tool used for testing security, capable of performing both basic repetitive actions and intricate attacks through configuration files. These files are created by skilled hackers and exchanged, shared, or even vended to cybercriminals. These configurations can range from concise lines of code to extensive ones, with complex coding often proving challenging for novice hackers to interpret and grasp. A configuration file of this nature was discovered within a Telegram channel, displaying signs of being crafted with malicious intent for the purposes of credential stuffing and account takeover attacks. Upon delving deeper into the configuration file, it became apparent that the code was specifically formulated to circumvent Google’s reCAPTCHA system. Notably, the file contained various functions and also incorporated a COOKIE variable. Closer examination unveiled that the configuration file’s capabilities surpassed mere CAPTCHA circumvention, encompassing additional functionalities. The configuration file contained a function that combined the COOKIE variable, resulting in the creation of a Pastebin URL. This URL redirected to a GitHub URL hosting a repository named “GetChromeUpdates.” Within this repository, OpenBullet fetched a binary stored in a file named “chromedriver.exe.” The purpose of this “chromedriver.exe” file was to substitute the previously used SeleniumWebDriver within OpenBullet. Following this replacement, OpenBullet initiated a fresh session that initiated the download of two payloads from the Ocean and Patent GitHub repositories. The downloaded script named “Ocean” was retrieved through the described process. On the other hand, “Patent” is an executable created in Python and lacks obfuscation during its compilation. This executable was written in Python version 3.11. These scripts play a role in downloading malware from a repository known as “Telegram-RAT,” where the malware is coded using the Python programming language. The malware interacts with a command and control (C&C) server by utilizing the telebot framework for communication purposes.

Severity:
Medium

Attack Surfaces:
Endpoint, Endpoint OS, File Transfer, Messaging, Others, Remote Access Service, Web Application

Tactics:
Collection, Command and Control, Credential Access, Execution, Initial Access, Privilege Escalation, Reconnaissance

Mitre Engage Tactics:
Detect, Disrupt

Mitre Engage Techniques:
Baseline, Isolation, Security Controls, Software Manipulation

Techniques:
T1110 – Brute Force
T1102 – Web Service
T1053 – Scheduled Task/Job
T1560 – Archive Collected Data
T1496 – Resource Hijacking
T1134 – Access Token Manipulation
T1115 – Clipboard Data

Indicator or Compromise:
https://otx.alienvault.com/pulse/64d2c34d3bdac2743d254e24

References:
https://www.kasada.io/threat-intel-openbullet-malware/

SuperPRO’s Threat Countermeasures Procedures: 
1. Consider deploying an intrusion detection system (IDS) in conjunction with an intrusion prevention system (IPS) to enhance your network security and effectively mitigate potential threats.
2. Implement a web application firewall (WAF) as a proactive step to strengthen your web application security.
3. Enforce multi-factor authentication (MFA) to prevent unauthorized access to sensitive data and systems.
4. Regularly update your devices, operating systems, and applications to the latest versions.
5. Consistently back up your data and securely store it.
6. We recommend subscribing to PenTestBox, a comprehensive solution that offers continuous assessment and proactive management of security vulnerabilities.
7. We recommend subscribing to CODERED ASM to help you identify misconfigurations, software vulnerabilities, exposed credentials, shadow IT, and various other security weaknesses that threat actors can exploit.

Contributed by:  Varrumen