RAT Leveraging Discord as Command-and-Control Server
Cyble Research Labs discovered a new Remote Access Trojan (RAT) dubbed ApolloRAT. The RAT is written in Python and uses Discord as its Command and Control (C&C) Server. The TAs are selling this RAT for $15 on Telegram and their site, as shown in Figure 1.
In a video demonstration, a TA used Nuitka, a source-to-source compiler that translates Python code into C source code. Widely adopted packagers for Python exist, such as PyInstaller and Py2exe, but Nuitka, which is adopted less often, has the edge over them in the size of the compiled file and in the effort required to reverse engineer it, making ApolloRAT far more capable.
Compared to C/C++, Python is much easier to use and has a huge library collection, making it an attractive choice for malware developers. In terms of performance, however, it does not have that edge, and because Python is an interpreted language, an interpreter must be installed before scripts can execute. These issues are usually resolved by using Python compilers, which can create standalone executables.
Our observations indicate that ApolloRAT is at an initial stage of its development. Although we have not witnessed many samples in the wild, its low price and ease of use lead us to suspect it will be used in multiple attack scenarios.
Figure 2 displays the Threat Actor's Telegram channel used for selling the RAT.
The TA claims that the RAT has the following features:
- VM detection
- Screenshot
- Shell access
- AV disable
- Firewall disable
- Speak
- Rickroll
- Redirect
- Fake PDF
- Fake GUI
- Steal Chrome passwords
- Upload file
- Download file
- Get IP
- Disable taskmgr
- Shutdown
- Reboot
- Startup
- Messagebox
- Bluescreen
- Selfdestruct
Functionality
The TA first places the Discord bot token in the Python script before compiling the payload; the compiled payload then connects to the Discord server for its C&C communication, as shown below.
Then the TA uses Nuitka to compile the file. The Nuitka command is executed with parameters such as --onefile and --standalone, which create a single executable file that can run on other machines without a Python installation. These options increase the size of the executable and also complicate the analysis process. The compiled file acts as a client on the victim's machine and communicates with the C&C Discord server. Using a legitimate application like Discord for malicious activity further helps the malware evade detection.
Using the C&C server, the TA can execute various commands on the victim’s system after compromising it. The “>detectVM” command can be used to check if the RAT is executing in a virtual environment, as shown in Figure 4.
Using the ">ip" command, TAs can identify their victim's IP address.
Figure 6 shows the ">speak" command being used to play a message on the victim's system.
The ">passwords" command returns a text file containing the plaintext passwords stolen from the victim's browsers. Figure 7 shows the command used for stealing passwords.
Similarly, there are other commands that TAs can use to perform malicious activities.
The following commands can be executed by the RAT:
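The two traits described above, Nuitka onefile packaging plus an embedded Discord bot token or Discord API endpoint, can be combined into a simple static triage check for samples of this family. The following Python script is an added example written for this page, not Cyble's tooling or the RAT's code; it assumes the Nuitka onefile bootstrap leaves the string NUITKA_ONEFILE_PARENT in the binary, and the token regex is the commonly used shape-matcher for Discord tokens, so both are candidate finders rather than proof.

```python
import re
from pathlib import Path

# Discord bot tokens are three dot-separated base64url segments: user id, timestamp, HMAC.
# This is the widely used triage regex for that shape; treat hits as candidates, not proof.
DISCORD_TOKEN_RE = re.compile(rb"[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}")
DISCORD_API_MARKERS = (b"discord.com/api", b"discordapp.com/api", b"gateway.discord.gg")
# Assumption: Nuitka's onefile bootstrap hands its PID to the unpacked child through this
# environment variable name, so the string survives in the compiled binary.
NUITKA_MARKERS = (b"NUITKA_ONEFILE_PARENT",)

def scan_bytes(data: bytes) -> dict:
    """Return the Nuitka and Discord C&C indicators found in a raw byte buffer."""
    return {
        "nuitka": [m.decode() for m in NUITKA_MARKERS if m in data],
        "discord_api": [m.decode() for m in DISCORD_API_MARKERS if m in data],
        "tokens": [t.decode() for t in DISCORD_TOKEN_RE.findall(data)],
    }

def verdict(findings: dict) -> str:
    """Nuitka packaging combined with Discord C&C traits is the ApolloRAT profile."""
    discord = bool(findings["discord_api"] or findings["tokens"])
    if findings["nuitka"] and discord:
        return "high: Nuitka-compiled binary with embedded Discord C&C indicators"
    if findings["nuitka"] or discord:
        return "medium: review manually"
    return "none"

def scan_file(path: str) -> str:
    """Convenience wrapper for scanning a sample on disk."""
    return verdict(scan_bytes(Path(path).read_bytes()))

# Constructed samples: the token below is a fake value shaped like a Discord token,
# not a real credential; the markers mimic what a Nuitka onefile payload would carry.
SAMPLE_SUSPECT = (b"MZ\x90\x00...NUITKA_ONEFILE_PARENT\x00https://discord.com/api/v10\x00"
                  b"MTEyMzQ1Njc4OTAxMjM0NTY3OA.GabCde.abcdefghijklmnopqrstuvwxyz0123456789\x00")
SAMPLE_BENIGN = b"MZ\x90\x00 ordinary program text without bot tokens"

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        found = scan_bytes(blob)
        print(name, "->", verdict(found), found)
```

Running it against a real file via scan_file() pairs naturally with the hash-based IOCs below: the hashes catch known samples, the string check catches rebuilt ones with a different token.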
——- Basic commands ——-
- >commands = Opens the help menu
- >shutdown = Shutdown victim’s computer
- >reboot = Reboot victim’s computer
- >startup = Add RAT to startup
- >startcmd = Start command prompt can be used as a test
- >shell = Execute shell command e.g: >shell start chrome.exe
- >upload = Upload file to victim’s e.g: >upload filename.exe <WITH ATTACHMENT>
- >download = Download file from victim’s e.g: >download <pathtofile>
- >nofirewall = Turns off standard windows firewall, needs admin perms!
- >noAV = Turns off win defender, needs admin perms!
——- Prank ——-
- >message = Popup a message box on Victim’s PC
- >bluescreen = Bluscreens, need admin perms!
- >speak = Talks your desired text loudly to the Victim’s
- >rickroll = rickrolling victim
—— Details/Survelience ——
- >detectVM = Detect if victim’s is using a virtual enviroment
- >screenshot = Takes a screenshot
- >ip = Get victim’s IP address
- >details = Basic client details
—— Stealing ——
- >redirect = Any website redirect that can be used for phishing
- >passwords = Get user’s saved passwords
- >wifi = Get known wifi passwords
- >history = get browser history
—— Danger Zone ——
- >exit = exits session
- >SELFDESTRUCT = selfdestructs, deletes everything associeted
Conclusion
ApolloRAT is a new Remote Access Trojan with a broad array of capabilities that leverages a Discord webhook for its C&C communication. Python compilers such as Cython and Nuitka can help malware evade detection and also complicate the reversing process, as the file size increases drastically during compilation. In the future, we might witness an increase in the number of ApolloRAT samples in the wild, as the price of the stealer is relatively low and it offers multiple functionalities.
Our Recommendations
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Change your passwords at regular intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
|---|---|---|
| 1db4f566417ef2dec8218ee0b0fbf682 | MD5 | Malicious Binary |
| 069eece6f2209672aef8600f15df4bd7ce216a67 | SHA-1 | Malicious Binary |
| e3b6e58f1427d380648f914d32cb69360d93de33c59e01d8f0fa448113e7679 | SHA-256 | Malicious Binary |
| f3e758da9d01cd0dfb433478e5eba178 | MD5 | Malicious Binary |
| a9751413af2ec02b01359c9722d782b5c3af31d3 | SHA-1 | Malicious Binary |
| 0a508f7722b0df4c8291a7cf0469ca7917ea284bfa8a2e84a3550a85d0628320 | SHA-256 | Malicious Binary |
Source: https://blog.cyble.com/2022/07/14/apollorat-evasive-malware-compiled-using-nuitka/