CRAT is a powerful Remote Access Trojan (RAT) that has been linked to the Lazarus Group, an Advanced Persistent Threat (APT) actor. Two different versions have been observed in attack campaigns, which shows that CRAT is under active development. The latest variant adopts a more modular design: various RAT capabilities have been moved into separate malicious modules instead of being lumped into a single payload. CRAT's backdoor functionality has also been expanded through selectable plugins responsible for taking screenshots, keylogging and clipboard monitoring. More importantly, CRAT can deploy a ransomware module that drops the Hansom ransomware on the compromised computer. The operators can use it to extort the victim after having already exfiltrated the data they wanted, or simply to disrupt the endpoint.
Multiple Obfuscation Techniques Hamper CRAT's Detection
The most important property of a RAT is staying undetected on the targeted system, and CRAT has several anti-detection and anti-analysis countermeasures in place. First, the authors moved away from the common practice of packing the binary, which is easy to flag through entropy analysis, import-table analysis and similar techniques, and instead selectively obfuscate the malware's code. In particular, CRAT obfuscates its strings by XORing them with a four-byte key and then base64-encoding the result. It also resolves Windows API functions dynamically at runtime rather than through the import table, and patches its own code at runtime. The names of the RAT's DLLs mimic those of a legitimate application's libraries.
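As an added example (not code from the page or from the malware's authors), the following analyst-side Python helper reverses the string obfuscation just described: base64-decode, then XOR with the repeating four-byte key. The key, the sample strings and the crib-based key recovery are assumptions for illustration; CRAT's actual key is not reproduced here.

```python
import base64
from itertools import cycle

# Constructed 4-byte key for the demonstration; not CRAT's real key.
SAMPLE_KEY = b"\x5a\x13\xc7\x88"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (CRAT uses a 4-byte key)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Forward direction as described on the page: XOR first, then base64."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse direction: base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def crack(blobs, cribs):
    """Recover the key when it is not known. A 4-byte XOR key is fully
    determined by any 4 aligned bytes of known plaintext (a crib such as
    b"http" or a DLL name), so each (blob, crib) pair yields a candidate key;
    keep the first one that decodes every blob to printable ASCII.
    Returns (key, decoded strings) or None."""
    raws = [base64.b64decode(b) for b in blobs]
    for raw in raws:
        for crib in cribs:
            if len(raw) < 4 or len(crib) < 4:
                continue
            key = bytes(c ^ p for c, p in zip(raw[:4], crib[:4]))
            decoded = [xor_bytes(r, key) for r in raws]
            if all(d and all(0x20 <= x < 0x7F for x in d) for d in decoded):
                return key, [d.decode() for d in decoded]
    return None


if __name__ == "__main__":
    # Constructed sample strings of the kind a RAT would hide.
    strings = ["http://c2.example.invalid/gate", "kernel32.dll", "CheckRemoteDebuggerPresent"]
    blobs = [obfuscate(s, SAMPLE_KEY) for s in strings]
    print(crack(blobs, [b"http", b"kern"]))
```

Because the key repeats every four bytes, a single known URL scheme or library name is enough to recover it; checking the candidate against every extracted string weeds out keys that only happen to work for one.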
CRAT also carries out a series of checks to verify that it is running on the intended endpoint rather than in an analysis environment. It compares the MAC address, running process names, network adapter names and the names of known analysis tools against a hardcoded blocklist, and terminates if it finds a match. It also checks for an attached debugger, including through the Win32 API CheckRemoteDebuggerPresent.
Baseline RAT Capabilities Augmented with Modular Plugins
Upon successful infiltration, CRAT can initiate an impressive array of backdoor capabilities, which has only been expanded in the newer version. Before the RAT acts, though, it waits for the appropriate command from its Command-and-Control (C2, C&C) infrastructure, exchanged as JSON over HTTP. The modular architecture lets the operators tailor their activity to the objectives of a given intrusion by downloading only the plugins they need and injecting them into specific processes running on the compromised endpoint.
CRAT harvests system information such as the MAC address, installed firewall and anti-virus products and the domain name, checks whether it is running with administrative privileges, and collects size information for all files and folders except %windir% and the Recycle Bin. It can read, write and exfiltrate file contents, execute remote commands and set up a reverse command shell. It also steals credentials such as usernames and passwords saved in Google Chrome, and ships with a custom File Explorer sub-module.
The biggest change compared to the older version, however, is CRAT's ability to download and install malicious plugins on instruction from the C2. The most notable one is the ransomware plugin carrying the Hansom threat. Typical ransomware encrypts files in place with a strong cipher; Hansom takes a different route. When launched, it packs each file into its own archive protected by a different, randomly generated password, and then encrypts those passwords with a public key embedded in the malware, so that recovering any file requires the operators' private key. Hansom targets 110 file types in total. Before it starts, it runs several routines to suppress Windows Defender notifications, stop the Windows Defender process 'MsMpEng.exe', disable Task Manager and establish persistence through the registry and regsvr32.
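To make the key handling concrete, here is an added Python sketch of the per-file scheme described above; it is not Hansom's code and is not derived from it. It operates on an in-memory dictionary of constructed sample files, uses a SHA-256 counter keystream as a stand-in for the archive's password protection, and wraps each password with a toy textbook-RSA key built from two Mersenne primes so that it runs offline with the standard library. Every name and parameter below (PASSWORD_LEN, lock_files, recover_files, the key size) is an assumption for illustration, and the toy key is in no way secure; the point is only the structure, one random password per file and a public-key-wrapped copy of it.

```python
import hashlib
import secrets

# Toy RSA key from two Mersenne primes (2^31-1 and 2^61-1) so the example runs
# offline. Assumption for illustration only: a real deployment would embed a
# properly generated 2048-bit-plus key via a crypto library.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # the part a ransomware module embeds
PRIVATE_KEY = (N, D)   # held only by the operators

PASSWORD_LEN = 8       # hypothetical; 8 bytes stays below the toy modulus (~2^92)


def keystream_xor(data: bytes, password: bytes) -> bytes:
    """Stand-in for the archive's password protection: SHA-256 counter-mode
    keystream XORed over the data. Symmetric, so the same call unlocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(password + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap_password(password: bytes, pub) -> int:
    """Encrypt the per-file password with the embedded public key."""
    n, e = pub
    return pow(int.from_bytes(password, "big"), e, n)


def unwrap_password(wrapped: int, priv) -> bytes:
    """Only the private-key holder can get the password back."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(PASSWORD_LEN, "big")


def lock_files(files: dict, pub) -> dict:
    """For each file: fresh random password, lock the contents with it, and keep
    only the wrapped password next to the locked blob. The plaintext password
    is discarded, so the module itself cannot undo its work."""
    locked = {}
    for name, content in files.items():
        password = secrets.token_bytes(PASSWORD_LEN)
        locked[name] = {
            "blob": keystream_xor(content, password),
            "wrapped_pw": wrap_password(password, pub),
        }
    return locked


def recover_files(locked: dict, priv) -> dict:
    """Decryptor side: unwrap each password with the private key, then unlock."""
    return {
        name: keystream_xor(entry["blob"], unwrap_password(entry["wrapped_pw"], priv))
        for name, entry in locked.items()
    }


if __name__ == "__main__":
    # Constructed sample "files".
    sample = {"report.docx": b"quarterly numbers", "notes.txt": b"x" * 100}
    locked = lock_files(sample, PUBLIC_KEY)
    print(recover_files(locked, PRIVATE_KEY) == sample)
```

Two consequences follow from the structure. Because each file gets its own password, recovering one password (for example from memory during analysis) unlocks only that file; and because the passwords are wrapped with a public key, the locked archives carry no material that can be used for decryption without the operators' private key.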