Boredom fruits – Exposing RAT.

Lately a lot of people on a Latvian gaming community have started to sell Steam wallet money, most of which hasn’t been earned in legit ways. I was bored and looking for an adventure, so I decided to dig into a particular user activities, after someone else reported him.

The first thing I did was look if he has registered in the Gaming community before, nope, not even once. Castiel, the guy who reported him at the beginning pointed me to a video he most likely uploaded under an alias.

The video

So I decided that I will pursue this case only if I can link this video to the offender.

The connection

Well, well, well, what do we have here. He showed his skype username publicly on the gaming community website… And I was able to link it to the alias Google+ profile of the offender, by just googling. This guy isn’t smart, but hey this is just the beginning.

Okay, let’s start analysing the malware, starting with the simplest – bintest.

blog3

Nothing interesting here, looks like the file is encrypted.

Well, then I should run it. Though before doing it, I should take a few precautions.

I

  1. Ran it in a Virtual machine, so my main operating system files can not be messed with.
  2. Installed OpenVPN client on the Virtual machine and connected to it my own VPN, routing all connections through it.
  3. Launched tcpdump on the same machine as OpenVPN server so I can sniff all traffic coming from Virtual machine.

Okay, everything is set, now I just have to launch the infected file.

blog5

Nothing interesting happens on the screen, though looks like the Virtual machine is now infected. Let’s see what tcpdump is showing us.

blog4ed

Hmm, just after launching the infected file it tried to look up domain “diaenay.no-ip.biz”, definitely not a domain which a freshly installed Virtual Machine should look up.

At first I thought, hmm, looks like just random characters, but then I realised. I’ve seen it before.

blog6

Lets have a moment of silence for this retarded individual whilst facepalming ourselves…

Unfortunately, I can’t get hard enough evidence to report it to local authorities, because the domain name was seized by Microsoft at the beginning of July and now is resolving to a Microsoft owned IP address.

 

 

29.07.2014 Okay, time for an update

After a little bit social engineering by my friend, we were able to get a newer video out of him under another of his aliases.

And there it was, the awaited working RAT, which doesn’t resolve to a seized subdomain.

Reverted my Virtual machine to the just installed state and ran the infected file, whilst sniffing on traffic.

nblog_1

Okay, let’s see what the tcpdump output is showing us

nblog_2

Looks like it is trying to resolve a new domain name, definitely not a domain name which a new Windows installation should resolve.

And the domain name currently resolves to a Baltcom owned home user IP address.

After looking up the domain name the virtual machine started to contact the RAT.

nblog_4

Let’s see if I can find out who it in the gaming community.

nblog_5

Yeah, as I expected. But to top it all off, he is authenticating using a Latvian Facebook equivalent – draugiem.lv. Looks like I can connect the username to his user and find out his real name.

nblog_6

Okay, got the id, let’s just follow the link now. http://www.draugiem.lv/user/4590799

nblog_7

Voila, the perpetrator has been found. Mārtiņš Ozols.

Thanks for reading my first blog post ever, feel free to leave a comment.

Article published on //wordpress.tirlins.com and http://exs.lv, republication strictly forbidden.

Leave a Reply

Your email address will not be published. Required fields are marked *