Variants or Other Possible Names: njRAT, Iniduoh.
This RAT (Remote Access Trojan) has been around for a while and was first written up publicly by FireEye. It is a pretty nasty RAT, but it is quite easy to find in log files. I will go over the indicators from FireEye's write-up, as well as some other indicators not listed there.
Remote Host Connections:
The RAT's author is fond of dynamic DNS hostnames under no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
- introworld.zapto.org
- j2w2d.no-ip.biz (31.186.179.230)
- qwqhack.no-ip.biz (37.239.116.223)
- paltalk.servequake.com
- terminator9.zapto.org
- basss.no-ip.info
- bg1337.zapto.org
- ronaldo-123.no-ip.biz
HTTP URI Indicators:
- /is-ready
HTTP Request Methods:
- POST
User-agent String Values:
This is an easy catch. The value below is used as a field separator inside the User-Agent string:
- <|>
Associated Snort Rule:
- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)
Regex:
Search in the user-agent string field.
- <\|>
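Putting the indicators above together as one detection pass over constructed proxy log lines (added example, not from the original post; the tab-separated log format, the sample hostnames that are not in the post's list, and the layout regex approximating the Snort rule are assumptions):

```python
import re
from dataclasses import dataclass

# The post's regex: a literal "<|>" separator anywhere in the User-Agent field.
SEPARATOR_RE = re.compile(r"<\|>")
# Tighter layout approximating Snort sid:28817 (assumption): an 8-byte first
# field, two more "<|>"-delimited fields, the last followed by "Microsoft Windows".
SNORT_LAYOUT_RE = re.compile(r"^.{8}<\|>.{0,15}<\|>.{0,64}<\|>Microsoft Windows")
# Dynamic-DNS suffixes taken from the post's remote-host list.
DYNDNS_SUFFIXES = ("no-ip.info", "no-ip.biz", "zapto.org", "servequake.com")

@dataclass
class Hit:
    line_no: int
    host: str
    reasons: tuple

def score_request(method: str, host: str, uri: str, user_agent: str) -> list:
    """Return the list of indicators from the post that this request matches."""
    reasons = []
    if method.upper() == "POST" and uri.startswith("/is-ready"):
        reasons.append("POST /is-ready")
    if SEPARATOR_RE.search(user_agent):
        reasons.append("<|> separator in User-Agent")
    if SNORT_LAYOUT_RE.match(user_agent):
        reasons.append("User-Agent layout matches sid:28817")
    if host.lower().endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS host")
    return reasons

def scan_log(text: str) -> list:
    """Scan tab-separated proxy lines (ts, src, host, method, uri, user-agent)."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        _ts, _src, host, method, uri, ua = line.split("\t")
        reasons = score_request(method, host, uri, ua)
        if reasons:
            hits.append(Hit(n, host, tuple(reasons)))
    return hits

# Constructed sample log (not real traffic); line 2 mimics the post's indicators.
SAMPLE_LOG = "\n".join([
    "2014-03-01T10:00:01\t10.0.0.5\twww.example.com\tGET\t/index.html\tMozilla/5.0 (Windows NT 6.1)",
    "2014-03-01T10:00:07\t10.0.0.5\tintroworld.zapto.org\tPOST\t/is-ready\tab12cd34<|>VICTIM-PC<|>user<|>Microsoft Windows 7 Professional",
    "2014-03-01T10:00:09\t10.0.0.9\tcdn.example.net\tPOST\t/api/v1\tcustom-client<|>v2",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} -> {', '.join(hit.reasons)}")
```

The third sample line shows why the bare `<|>` regex is a starting point rather than a verdict: it fires on any client that happens to use the same separator, while the full C2 line matches all four indicators at once.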
Conclusion:
I was never able to find much information on this RAT, and I hope this helps you out in your searches.