Ratsnif

By GoldSparrow in Trojans

Ratsnif is a family of Trojans, developed since 2016, that gives attackers a foothold on a compromised device and on the network around it. The later Ratsnif builds implement a number of network attack techniques, including ARP poisoning, DNS poisoning, packet sniffing, HTTP injection and MAC address spoofing. Ratsnif belongs to the class of Remote Access Trojans (RATs): it collects information about the compromised system and its network, which the attackers then use to extend the compromise to other hosts.

Some Details about Ratsnif Trojans

Ratsnif "RATs" are developed and used by the group tracked as "OceanLotus APT Group," "APT32," "CobaltKitty" or "SeaLotus." Four samples of the Ratsnif Trojan have been discovered so far: three were developed and deployed in 2016 and one in 2018. The three 2016 builds function alike, with no major differences in how they attack devices and networks. The last of the 2016 builds (compiled September 13th) is the first Ratsnif known to have been used against real networks. It shipped with the following features:

  • Packet Sniffing
  • ARP Poisoning
  • HTTP Redirection
  • C2
  • Remote Shell
  • DNS Spoofing

The 2018 sample adds the newer functionality mentioned at the top of this page (HTTP injection, SSL hijacking and MAC address spoofing) and bundles the WolfSSL library and http_parser.c so that it can parse HTTP traffic and hijack SSL sessions on the wire.
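The ARP poisoning and DNS spoofing features listed above leave recognisable traces on a network segment: one IP suddenly answered for by two MACs, one MAC claiming both the gateway and a victim, and two DNS responses with the same transaction ID but different answers. The detector below is an added example written for this page, not code from the original article or from the malware's authors; the packet records it runs over are constructed by hand (hypothetical hosts, MACs and names) so it runs offline with no capture library.

```python
"""Symptom-based detection of ARP poisoning and DNS spoofing.

Added example for this page; it is not code from the original article or
from the Ratsnif authors.  The packet records below are constructed by
hand (hypothetical hosts, MACs and names) to resemble what a poisoned
segment produces, so the script runs offline with no capture library.
"""
from collections import defaultdict

# Constructed sample traffic.  ARP records are ("arp", sender_ip, sender_mac)
# taken from ARP replies; DNS records are ("dns", txid, qname, answer_ip)
# taken from responses as seen by the client.
SAMPLE_PACKETS = [
    ("arp", "10.0.0.1", "aa:aa:aa:aa:aa:01"),            # genuine gateway reply
    ("arp", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("arp", "10.0.0.1", "de:ad:be:ef:00:99"),            # a second MAC claims the gateway IP
    ("arp", "10.0.0.23", "de:ad:be:ef:00:99"),           # the same MAC also claims a host IP
    ("arp", "10.0.0.42", "aa:aa:aa:aa:aa:42"),           # unrelated, consistent host
    ("dns", 0x1A2B, "login.example.com", "93.184.216.34"),
    ("dns", 0x1A2B, "login.example.com", "10.0.0.23"),   # conflicting answer, same transaction
    ("dns", 0x2C3D, "mail.example.com", "93.184.216.35"),
]


def detect_arp_poisoning(records):
    """Map each IP that was claimed by more than one MAC to the sorted MAC list.

    Under normal operation an IP is announced by exactly one MAC; a second
    MAC answering for the same IP (especially the gateway) is the classic
    sign of ARP cache poisoning.
    """
    claims = defaultdict(set)
    for rec in records:
        if rec[0] == "arp":
            _, ip, mac = rec
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_mac_claiming_many_ips(records, threshold=2):
    """Map each MAC that announced at least `threshold` different IPs to those IPs.

    A man-in-the-middle poisons both ends of a conversation, so one MAC
    ends up claiming the gateway and one or more victims at the same time.
    """
    owned = defaultdict(set)
    for rec in records:
        if rec[0] == "arp":
            _, ip, mac = rec
            owned[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in owned.items() if len(ips) >= threshold}


def detect_dns_spoofing(records):
    """Map (txid, qname) pairs that received conflicting answers to the sorted answers.

    A spoofed DNS reply races the legitimate resolver, so the client sees two
    responses with the same transaction ID and different A records.
    """
    answers = defaultdict(set)
    for rec in records:
        if rec[0] == "dns":
            _, txid, qname, ip = rec
            answers[(txid, qname.lower())].add(ip)
    return {key: sorted(ips) for key, ips in answers.items() if len(ips) > 1}


def report(records):
    """Run all three detectors and return their findings in one dict."""
    return {
        "arp_ip_multi_mac": detect_arp_poisoning(records),
        "arp_mac_multi_ip": detect_mac_claiming_many_ips(records),
        "dns_conflicting_answers": detect_dns_spoofing(records),
    }


if __name__ == "__main__":
    for name, findings in report(SAMPLE_PACKETS).items():
        print(name)
        for key, values in findings.items():
            print("  ", key, "->", ", ".join(values))
```

Against the constructed traffic the script flags 10.0.0.1 as claimed by two MACs, de:ad:be:ef:00:99 as claiming both the gateway and 10.0.0.23, and transaction 0x1A2B for login.example.com as answered twice with different addresses. On a real segment the same three checks can be fed from a pcap or from switch-side ARP inspection logs; a gateway IP changing MAC is the finding worth paging on, while the DNS check needs the transaction ID to avoid false positives from ordinary round-robin records.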

How Ratsnif Works

Ratsnif has to be launched on the victim host, either directly or through a loader. Once running, it initialises Winsock (the Windows sockets API) for its network communication and collects information about the system, including:

  • Username
  • Workstation Information
  • Network Computer Name
  • Windows System Directory
  • Network Adapter information etc.

The gathered information is sent to the attacker's command-and-control (C2) server. Two addresses for the C2 server have been found, but only one appears to have been active at the time Ratsnif was detected and analyzed. Ratsnif then begins sending log entries to the C2 server and listens for commands from it.

2018 Sample

The 2018 sample differs somewhat from the last 2016 variant: it is driven by a configuration file instead of a C2 server, and it adds HTTP injection, protocol parsing and SSL hijacking. The payload is stored Base64-encoded inside an OceanLotus loader shell. The loader uses an unnecessarily convoluted method to tell Ratsnif where to find its configuration file, which is a plain text file that is easily decoded and contains the variables that control what Ratsnif collects and where its output goes.

Technical Information

  • Sample 1 (August 2016):
    MD5: 516ad28f8fa161f086be7ca122351edf
    SHA256: b4e3b2a1f1e343d14af8d812d4a29440940b99aaf145b5699dfe277b5bfb8405
    Filename(s): javaw.exe, Client.exe
    Path: X:\Project\BotFrame\Debug\Client.exe
    Size: 1.32 MB (1,387,520 bytes)
    File Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
    Alias: OceanLotus APT32 Ratsnif
    Compile Time: 2016-08-05 07:57:13

  • Sample 2 (August 2016):
    MD5: b2f8c9ce955d4155d466fbbb7836e08b
    SHA256: b214c7a127cb669a523791806353da5c5c04832f123a0a6df118642eee1632a3
    Filename(s): javaw.exe, Client.exe
    Path: X:\Project\BotFrame\Debug\Client.exe
    Size: 1.32 MB (1,387,520 bytes)
    File Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
    Alias: OceanLotus APT32 Ratsnif
    Compile Time: 2016-08-06 04:30:06

  • Sample 3 (September 2016):
    MD5: 7f0ac1b4e169edc62856731953dad126
    SHA256: b20327c03703ebad191c0ba025a3f26494ff12c5908749e33e71589ae1e1f6b3
    Filename(s): javaw.exe, adobe.exe
    Path: N/A
    Size: 432 KB (442,880 bytes)
    File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Alias: OceanLotus APT32 Ratsnif
    Compile Time: 2016-09-13 09:26:42

  • Sample 4 (August 2018):
    MD5: 88eae0d31a6c38cfb615dd75918b47b1
    SHA256: 7fd526e1a190c10c060bac21de17d2c90eb2985633c9ab74020a2b78acd8a4c8
    Filename(s): N/A
    Path: N/A
    Size: 745 KB (762,880 bytes)
    File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Alias: OceanLotus APT32 Ratsnif
    Compile Time: 2018-08-08 02:52:52 UTC
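The indicators above (hashes, drop names and the build path left in the 2016 Client.exe builds) are only useful once turned into a scan. The script below is an added example for this page, not the article's or the malware's code: it walks a directory, hashes each file, looks for the embedded build path string and checks the file name. Because javaw.exe is also the legitimate Java launcher, a name match is reported as a weak indicator only. The demo writes a constructed decoy into a temporary directory so the whole thing runs offline.

```python
"""Offline triage scanner for the Ratsnif indicators listed on this page.

Added example, not code from the original page or from the malware's
authors.  For every file under a directory it checks the SHA256 against
the four sample hashes above, searches the bytes for the build path
embedded in the 2016 Client.exe builds, and compares the file name with
the names the samples were dropped under.  The demo creates a temporary
directory holding a constructed decoy file so it runs anywhere.
"""
import hashlib
import os
import tempfile

# SHA256 hashes copied from the technical information above.
RATSNIF_SHA256 = {
    "b4e3b2a1f1e343d14af8d812d4a29440940b99aaf145b5699dfe277b5bfb8405": "sample 1 (2016-08)",
    "b214c7a127cb669a523791806353da5c5c04832f123a0a6df118642eee1632a3": "sample 2 (2016-08)",
    "b20327c03703ebad191c0ba025a3f26494ff12c5908749e33e71589ae1e1f6b3": "sample 3 (2016-09)",
    "7fd526e1a190c10c060bac21de17d2c90eb2985633c9ab74020a2b78acd8a4c8": "sample 4 (2018-08)",
}
# Names the samples were observed under.  javaw.exe is also a legitimate
# Java binary, so a name match on its own is only a weak indicator.
RATSNIF_FILENAMES = {"javaw.exe", "client.exe", "adobe.exe"}
# Build path left in the 2016 Client.exe samples (as listed above).
RATSNIF_BUILD_PATH = b"X:\\Project\\BotFrame\\Debug\\Client.exe"


def scan_file(path):
    """Return the list of indicator hits for one file (empty if nothing matched)."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in RATSNIF_SHA256:
        hits.append("sha256:" + RATSNIF_SHA256[digest])
    if RATSNIF_BUILD_PATH in data:
        hits.append("embedded build path")
    if os.path.basename(path).lower() in RATSNIF_FILENAMES:
        hits.append("filename (weak)")
    return hits


def scan_tree(root):
    """Walk `root` and map each flagged file's relative path to its indicator hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def demo():
    """Build a throwaway directory with a constructed decoy and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed decoy: a fake PE header followed by the build path string.
        with open(os.path.join(root, "javaw.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + RATSNIF_BUILD_PATH + b"\x00")
        # Constructed benign file that must not be flagged.
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, "->", ", ".join(hits))
```

Run it against a suspect host's %SystemRoot% or a user profile with `scan_tree(path)`. A hash hit is conclusive for these exact builds only; the build path string survives recompilation of the 2016 code base and is the more durable indicator, while the name check is there to prioritise review, not to convict.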
