A dubbed Parasite HTTP is a professionally coded modular remote administration tool for windows Which is written by malware authors using “C” programming language.
It uses a technique called an extensive array for sandbox detection, anti-debugging, anti-emulation, and other protections.
So Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.
This Remote access Trojan module capable of adding new add-ons which is available on the C&C server that can be downloaded at any time for post infection process.
The researcher believes that Parasite HTTP continues to propagate across other malware variants.
RAT Propagation using Parasite HTTP RAT
An initial stage of this RAT champaign observed from the Underground forum and it propagates using Email messages that posed to be resumes or CV submissions and it uses subjects that mimic advertised position and other related contents.
Email ID domain contains some individual recipients at a range of organizations that make to believe that, it comes from a particular organization.
Also distributed Emails with contained Microsoft Word attachments with names such as my_cv.doc, resume_.doc, cvnew.doc.
Also, the document contains macro and it force to enable it by users, once it enabled then it download Parasite HTTP from a remote site.
Attackers using this Parasite HTTP ad for evading detection and analysis that contains lots of following sophisticated futures.
- No dependencies (Coded in C)
- Small stub size (~49kb uncompressed, ~23kb compressed)
- Dynamic API calls (No IAT)
- Encrypted strings
- Bypass Ring3 hooks
- Secure C&C panel written in PHP
- Firewall bypass
- Supports both x86 and x64 Windows OS (from XP to 10)
- Full unicode support
- Online builder tied to your domain/s (Build bot bin anytime with any settings you wish)
- Encrypted communication with C&C panel (Optional – SSL using self signed certificate)
- Plugin system
- Multiple backup domains
- System wide persistence (x86 processes only) (Optional)
- Injection to whitelisted system process (Optional)
- Install & Melt (Optional)
- Hidden startup (Optional)
- Anti-Emulation (Optional)
- Extended statistics and informations in the panel
- Advanced task management system
- On Connect task (New clients will execute task/s)
- Low resource usage
- Special login page security code
- Captcha on login page to prevent brute force attacks
- Download & Execute (Supports both HTTP and HTTPS links)
Also, Parasite HTTP contain well framed obfusticated futures such as string obfuscation and evasion & anti-sandbox techniques.
According to Proofpoint, Parasite HTTP uses a sleep routine to delay execution and check for sandboxes or emulation.
Also, there are some important Plugins that Supported by Parasite HTTP RAT.
- User management
- Browser password recovery
- FTP password recovery
- IM password recovery
- Email password recovery
- Windows license keys recovery
- Hidden VNC
- Reverse Socks5 proxy
When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead of making it difficult for researchers to determine why the malware did not run properly and crashed.
Cybercriminals and malware authors continuously innovate in their efforts to evade defenses and improve infection rates.