Klingon RAT

Klingon RAT Description

The trend of malware authors turning to the open-source programming language Golang for their creations appears to only be getting stronger. As a result, the number of malware written in Golang has never been higher. The rise in the level of sophistication displayed by the threats has also been significant. One such threatening remote access Trojan was detected by infosec researchers recently, who named the threat Klingon RAT. 

The Klingon RAT first caught the attention of the researchers due to its most unique code. This is a rather uncommon occurrence in the cyberthreat space - malware creators often reuse large chunks of code to reduce the time needed to complete a new, threatening tool. The Klingon RAT possesses the usual characteristics expected of a RAT threat. However, on top of them, it has been equipped with vastly expanded measures against security products, persistence mechanisms and methods for privilege escalation. 

Initial Activity

One of the first actions, taken by the Klingon RAT on a compromised system is to attempt to kill over 500 different processes associated with anti-malware security products. The threat checks the active processes on the system and compares them against a list of targeted processes. Any matching process will then be terminated via the task kill command.

HKEY_LOCAL_MACHINE
Software\Microsoft\Windows NT\CurrentVersion\Accessibility

HKEY_CURRENT_USER
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe

To ensure its continued presence on the breached machines, the Klingon RAT initiates several different persistence schemes. The threat creates two Registry run keys - one under Current User and one at Local Machine. The Klingon RAT also can hijack the binary for the Microsoft Screen Magnifier - magnify.exe, and force it to execute the malware itself. This is achieved via the Image File Execution Options that allow any executable to be flagged and used as a 'debugger' tool. To this technique to work, the malware makes sure that the following two Registry keys exist on the system:

The Klingon RAT also employs 'WMIC' to generate an event subscription that acts as a persistence mechanism that will start the corrupted payload within 60 seconds after every Windows boot. Another technique allows the malware to modify the 'WinLogon' key and force it to run the RAT during Windows startup. 

Finally, the Klingon RAT generates a scheduled task under the name 'OneDriveUpdate' that also can maintain its persistence on the system. For the task to be configured, the threat first drops an XML file called 'elevtor.xml' in APPDATA.

Escalating Its Privileges

Apart from its extensive persistence techniques, the Klingon RAT also is equipped with equally as extensive ways to escalate its privileges on the breached system. The threat will first determine if it doesn't already have admin rights by performing two checks. The Klingon RAT will try to open '\\\\.\\PHYSICALDRIVE0;' and, if it fails to do so, it will then attempt to open '\\\\.\\SCSI0.' If neither check is successful, the threat will engage its privilege escalation routines. 

The Klingon RAT will exploit a specific Registry key and run a program called computerdefaults.exe to complete the process. Another exploit similar to the previous one involves the program 'Features on Demand Helper' (Fodhelper.exe). It is a binary that has its 'autoelevate' setting set to true. The scheduled task 'SilentCleanup' also could be exploited. The threat actors abuse the fact that it runs with the highest possible privileges while also maintaining the ability to be initiated by unprivileged users. Infosec researchers found yet another technique - the 'Event Viewer' UAC bypass,' in Klingor RAT's code. However, this functionality appears to be implemented in the current samples of the threat incorrectly. 

The Klingon RAT is just the latest Golang product to be unleashed by malware creators. It further reinforces the thread of cybercriminals switch to this programming language when it comes to their threatening toolkit. Individual users and organizations should start taking appropriate measures in their cybersecurity strategy to account for this new wave of threats.