New Persian Remote World Selling A Suite Of Malicious Tools – Cyble

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has recently identified a website called Persian Remote World engaged in the sale of a variety of malicious tools.
  • Persian Remote World provides an extensive range of malicious tools, including Remote Access Trojans (RATs), loaders, and crypters.
  • The site developers offer these malicious tools under different subscription models at varying prices.
  • According to the website, the RAT can perform multiple privilege escalation and defense evasion operations.
  • In addition to conventional RAT capabilities, Persian RAT also performs ransomware functionalities.
  • The developer behind this project shared the free version of Persian Loader on their Telegram channel.

Overview

In our ongoing efforts to gather real-time threat intelligence, CRIL came across a new malware loader, Persian Loader, present in VirusTotal. This loader has a link to a Telegram channel that hosts a free Persian Loader builder. The channel also contains a link to the website Persian Remote World, which sells multiple software tools with malicious capabilities. This website sells a range of malicious tools, including Remote Access Trojans (RAT), loaders, and crypters. CRIL began searching for an active infection or campaign in the wild that uses Persian Remote World-related tools, but no such activities have been identified so far.

The website offers Persian RAT along with a panel to construct the RAT binary and manage infected systems. The RAT panel includes details such as PC Name, Server, IP Address, User, Windows OS version, Architecture, CPU, GPU, and country, as stated on the Persian Remote World website. The developers are selling these RATs under a subscription model ranging from a 1-month plan priced at $20 to a lifetime subscription available for $200, as shown below.

Figure 1 – Persian RAT Post on Website

Persian Remote World is promoting a malicious loader named Persian Loader. This loader includes both a builder panel and a client management panel, showcasing an active list of victims and offering functionalities to execute files on compromised systems. This panel incorporates options to reconnect with victims, start or stop listening, execute files, and build the loader binary, all outlined in the accompanying figure. The developers are selling this tool for a monthly subscription fee of $20, as shown below.

Figure 2 – Persian Loader Post on Website

Persian Security, a tool created by Persian Remote World, is a crypter that encrypts and obfuscates executable files to evade detection and analysis. It is sold for $45 per month up to $650 for a lifetime subscription, making it the most expensive of the three tools. The figure below shows the website listing for Persian Security.

Figure 3 – Persian Security Post on Website

The website also links to a Telegram channel created on October 18th, which suggests that development of these tools began only recently. The Telegram channel hosts a free Persian Loader Builder and offers a paid version for $20 per month. The figure below shows this Telegram channel.

Figure 4 – Persian Remote World Telegram Channel

Technical Details

Persian RAT

CRIL came across a Persian RAT malware sample on VirusTotal with the SHA256 hash 43403eeb7b8ea5705c727a0fff8d714ea3e27449b6b9ba0edd12c666848e2492. Notably, the file size is 3.75 MB, which is large compared to contemporary RAT binaries. Upon execution, Persian RAT creates a mutex named “Persian” through the CreateMutexW() API. The mutex prevents multiple instances from running on the same system and coordinates the RAT's threads. The figure below shows the routine that creates the mutex.

Figure 5 – Persian RAT Creating Mutex

Following the establishment of the mutex, Persian RAT proceeds to activate the SeShutdownPrivilege and SeDebugPrivilege privileges through the AdjustTokenPrivileges() API. These privileges facilitate various malicious operations:

  • SeShutdownPrivilege provides the capability to initiate system reboots
  • SeDebugPrivilege empowers a process to examine and modify the memory of other processes

The figure below shows the routine to set privileges.

Figure 6 – Routine to Set Privileges

Persian RAT is manually controlled; it waits for C&C instructions before performing any malicious activity. However, our static analysis shows numerous routines indicating that the RAT has multiple highly malicious capabilities. These capabilities are described in the following sections.

Firewall operation:

Persian RAT includes a function that lets the threat actor (TA) manipulate the victim's firewall. It runs netsh commands for firewall control, with the following operations:

  • Enable firewall: netsh firewall set opmode enable
  • Disable firewall: netsh firewall set opmode disable
  • Turn on current profile state: netsh advfirewall set currentprofile state on
  • Turn off current profile state: netsh advfirewall set currentprofile state off
Figure 7 – Persian RAT Routine to Manipulate Firewalls
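The two behaviours just described (enabling SeDebugPrivilege/SeShutdownPrivilege, then driving the firewall through netsh) are both visible to a defender in standard Windows telemetry. The script below is an added example, not code from Cyble or from the Persian Remote World tools: it runs two detection rules over a constructed stream of events modelled loosely on Security log 4703 (token right adjusted) and 4688 (process creation) records, and then correlates processes that trip both rules, which is the sequence the report describes. The event field names, the allowlist and the sample records are assumptions made for the example.

```python
"""Detection of privilege enabling and netsh firewall manipulation (added example).

Event records are constructed and loosely modelled on Windows Security log
4703 (token right adjusted) and 4688 (process creation); field names are
assumptions for this example, not a real log schema.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    {"id": 4688, "process": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 4703, "process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "enabled": "SeDebugPrivilege, SeShutdownPrivilege"},
    {"id": 4688, "process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"id": 4688, "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh firewall set opmode enable"},
    {"id": 4703, "process": r"C:\Program Files\Debugger\windbg.exe",
     "enabled": "SeDebugPrivilege"},
]

# Hypothetical allowlist of processes expected to enable SeDebugPrivilege.
DEBUG_ALLOWLIST = {r"c:\program files\debugger\windbg.exe"}
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeShutdownPrivilege"}

# Both netsh forms listed in the report: legacy "firewall set opmode" and
# "advfirewall set <profile> state".
NETSH_FIREWALL = re.compile(
    r"\bnetsh\s+(?:advfirewall\s+set\s+\w+\s+state\s+(?P<adv>on|off)"
    r"|firewall\s+set\s+opmode\s+(?P<legacy>enable|disable))", re.I)


@dataclass
class Alert:
    technique: str
    process: str
    detail: str


def check_privileges(event):
    """Rule 1: a non-allowlisted process enabled a sensitive privilege."""
    if event.get("id") != 4703:
        return None
    privs = {p.strip() for p in event.get("enabled", "").split(",")}
    hit = privs & SENSITIVE_PRIVS
    if not hit or event["process"].lower() in DEBUG_ALLOWLIST:
        return None
    return Alert("token-privilege-enable", event["process"], ", ".join(sorted(hit)))


def classify_netsh(cmdline):
    """Return 'firewall_disable', 'firewall_enable' or None for a command line."""
    m = NETSH_FIREWALL.search(cmdline or "")
    if not m:
        return None
    state = (m.group("adv") or m.group("legacy")).lower()
    return "firewall_disable" if state in ("off", "disable") else "firewall_enable"


def check_firewall(event):
    """Rule 2: netsh used to change firewall state (ATT&CK T1562.004)."""
    if event.get("id") != 4688:
        return None
    verdict = classify_netsh(event.get("cmdline"))
    if verdict is None:
        return None
    return Alert("T1562.004", event["process"], verdict)


def run_rules(events):
    alerts = []
    for ev in events:
        for rule in (check_privileges, check_firewall):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


def correlate(alerts):
    """Processes that tripped more than one distinct rule: the pattern the
    report describes is privilege enabling followed by firewall tampering."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.process.lower(), set()).add(a.technique)
    return sorted(p for p, techniques in seen.items() if len(techniques) > 1)


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.technique:24} {a.process}  ({a.detail})")
    print("correlated:", correlate(found))
```

Re-enabling the firewall is reported as well as disabling it, because the report lists both as RAT operations and a sudden enable/disable pair from an unexpected binary is itself a useful signal; the correlation step is what separates the RAT-like sequence from a lone administrator running netsh.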

Keylogger:

Persian RAT contains a routine designed to capture keystrokes from the victim and transmit them to the TA. The TA possesses the capability to send commands that enable or disable keylogging as required. The figure below shows the routine related to keylogging.

Figure 8 – Persian RAT Routine for Keylogging

Persian RAT has a routine for stealing cookies from the victim’s system, targeting the following browsers:

  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge

Games and Software:

Persian RAT additionally targets games and applications installed on the victim's system. TAs can scan these games and programs and exfiltrate files of interest from their directories. The games and applications targeted by Persian RAT are:

  • AppData\Roaming\Spotify
  • C:\Program Files\iTunes
  • C:\Program Files\Epic Games
  • C:\Riot Games\League of Legends
  • C:\Program Files\Epic Games\Fortnite
  • C:\Program Files (x86)\Minecraft Launcher
  • C:\Program Files (x86)\Overwatch\retail
  • C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive
  • C:\Riot Games\VALORANT
  • C:\Program Files (x86)\Origin Games\Apex
  • C:\Program Files\Genshin Impact\Genshin Impact Game
  • AppData\Local\Discord
  • AppData\Roaming\Exodus
  • AppData\Roaming\atomic
  • AppData\Roaming\FileZilla
  • AppData\Roaming\VMware
  • AppData\Roaming\Telegram Desktop
  • C:\Program Files (x86)\Steam
  • C:\Program Files (x86)\Rockstar Games
  • C:\Program Files (x86)\Ubisoft
  • C:\Program Files (x86)\Origin
  • C:\Program Files (x86)\Battle.net
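The directory list above is directly usable as a file-access detection: the owning application normally runs from inside its own directory (Spotify from ...\Spotify, Steam from ...\Steam), whereas a stager dropped in a temp folder does not. The script below is an added example, not Cyble's or the project's code. It resolves the AppData-relative entries against a user profile, matches file-access events against the list, and flags reads by processes that live outside the directory they touch; the event format, the user profile path, the FileZilla allowlist entry and the sample events are assumptions for the example.

```python
"""Flag file access to the directories Persian RAT enumerates (added example).

The file-access event format, user profile path and allowlist are assumptions;
the sample events are constructed for this example.
"""
from pathlib import PureWindowsPath

# Directories listed in the report, with backslashes restored.
TARGETED_DIRS = [
    r"AppData\Roaming\Spotify", r"C:\Program Files\iTunes",
    r"C:\Program Files\Epic Games", r"C:\Riot Games\League of Legends",
    r"C:\Program Files\Epic Games\Fortnite",
    r"C:\Program Files (x86)\Minecraft Launcher",
    r"C:\Program Files (x86)\Overwatch\retail",
    r"C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive",
    r"C:\Riot Games\VALORANT", r"C:\Program Files (x86)\Origin Games\Apex",
    r"C:\Program Files\Genshin Impact\Genshin Impact Game",
    r"AppData\Local\Discord", r"AppData\Roaming\Exodus", r"AppData\Roaming\atomic",
    r"AppData\Roaming\FileZilla", r"AppData\Roaming\VMware",
    r"AppData\Roaming\Telegram Desktop", r"C:\Program Files (x86)\Steam",
    r"C:\Program Files (x86)\Rockstar Games", r"C:\Program Files (x86)\Ubisoft",
    r"C:\Program Files (x86)\Origin", r"C:\Program Files (x86)\Battle.net",
]

USER_PROFILE = r"C:\Users\bob"  # assumed profile of the logged-on user

# Applications whose data directory differs from their install directory
# (hypothetical allowlist; FileZilla is one such case).
ALLOWLIST = [r"C:\Program Files\FileZilla FTP Client\filezilla.exe"]

# Constructed file-access events: which process read which path.
SAMPLE_ACCESS = [
    {"process": r"C:\Users\bob\AppData\Roaming\Spotify\Spotify.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Spotify\prefs"},
    {"process": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "path": r"C:\Users\bob\AppData\Roaming\FileZilla\filezilla.xml"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Exodus\config.json"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "path": r"C:\Program Files (x86)\Steam\userdata\notes.txt"},
    {"process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\bob\Documents\report.docx"},
]


def _norm(path):
    """Normalise a Windows path to lower case with single backslashes."""
    return str(PureWindowsPath(path)).lower()


def expand_targeted(user_profile):
    """Resolve the AppData-relative entries against the user profile directory."""
    out = []
    for d in TARGETED_DIRS:
        if d.lower().startswith("appdata"):
            out.append(_norm(PureWindowsPath(user_profile) / d))
        else:
            out.append(_norm(d))
    return out


def _under(path, directory):
    p, d = _norm(path), _norm(directory)
    return p == d or p.startswith(d + "\\")


def targeted_dir_for(path, user_profile):
    """Return the targeted directory containing `path`, or None."""
    for d in expand_targeted(user_profile):
        if _under(path, d):
            return d
    return None


def suspicious_accesses(events, user_profile, allowlist=()):
    """Return (process, path, directory) for reads inside a targeted directory
    by a process that neither lives inside that directory nor is allowlisted."""
    allowed = {_norm(a) for a in allowlist}
    hits = []
    for ev in events:
        d = targeted_dir_for(ev["path"], user_profile)
        if d is None:
            continue
        proc = _norm(ev["process"])
        if _under(proc, d) or proc in allowed:
            continue
        hits.append((ev["process"], ev["path"], d))
    return hits


if __name__ == "__main__":
    for proc, path, d in suspicious_accesses(SAMPLE_ACCESS, USER_PROFILE, ALLOWLIST):
        print(f"{proc} read {path}  [targeted: {d}]")
```

The "process lives inside the directory" heuristic is deliberately simple and needs an allowlist for applications such as FileZilla that keep their data under AppData but install elsewhere; in a real deployment the same logic would sit on top of Sysmon or EDR file-read events rather than a constructed list.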

Commands:

The RAT embeds a set of commands covering User Account Control (UAC) bypass, firewall manipulation, ransomware operations, screen capture, and interaction with banking websites. The following commands are embedded in the RAT.

  • DISABLEUAC
  • DISABLEFIREWALL
  • STARTBOMB
  • STARTRANSOMWARE
  • STARTSCREENWATCHING
  • STOPSCREENWATCHING
  • ACTIVATEBANKING
  • DISABLEBANKING
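Because these command names, the “Persian” mutex and the netsh command lines are stored as plain strings, they make a cheap static triage signature for unknown samples. The script below is an added example, not Cyble's tooling: it extracts ASCII and UTF-16LE strings from a byte buffer (the way `strings -e l` would, since Windows binaries often store such names as UTF-16) and scores the result against the indicators the report lists. The two sample buffers are constructed for the example and are not real binaries; the scoring thresholds are an assumption.

```python
"""Static string triage against the Persian RAT indicators (added example).

The sample byte buffers are constructed, not real binaries, and the scoring
thresholds are an assumption for this example.
"""
import re

# Strings the report attributes to Persian RAT.
COMMAND_STRINGS = ["DISABLEUAC", "DISABLEFIREWALL", "STARTBOMB", "STARTRANSOMWARE",
                   "STARTSCREENWATCHING", "STOPSCREENWATCHING",
                   "ACTIVATEBANKING", "DISABLEBANKING"]
NETSH_MARKERS = ["netsh firewall set opmode",
                 "netsh advfirewall set currentprofile state"]
MUTEX_NAME = "Persian"


def _wide(s):
    return s.encode("utf-16le")


# Constructed sample that carries four command names and the mutex name as
# UTF-16LE strings plus one netsh line as ASCII.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\x00\x00".join(_wide(c) for c in ("DISABLEUAC", "DISABLEFIREWALL",
                                          "STARTRANSOMWARE", "STARTSCREENWATCHING"))
    + b"\x00\x00" + _wide(MUTEX_NAME) + b"\x00\x00"
    + b"netsh advfirewall set currentprofile state off\x00"
)

# Constructed benign-looking sample with only the usual DOS stub text.
BENIGN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 16


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data):
    """Score a buffer against the report's string indicators."""
    text = "\n".join(extract_strings(data))
    commands = [c for c in COMMAND_STRINGS if re.search(r"\b%s\b" % c, text)]
    netsh = [m for m in NETSH_MARKERS if m in text]
    mutex = re.search(r"\b%s\b" % MUTEX_NAME, text) is not None
    if len(commands) >= 3 and (mutex or netsh):
        verdict = "persian_rat_like"
    elif commands or netsh or mutex:
        verdict = "partial_match"
    else:
        verdict = "no_match"
    return {"commands": commands, "netsh": netsh, "mutex": mutex, "verdict": verdict}


def triage_file(path):
    with open(path, "rb") as f:
        return triage(f.read())


if __name__ == "__main__":
    print(triage(SUSPICIOUS_SAMPLE))
    print(triage(BENIGN_SAMPLE))
```

A sample packed with the Persian Security crypter would hide these strings until unpacked, so this check belongs on memory dumps or unpacked payloads as well as on files on disk.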

Targeting Banking and Financial organizations:

We also came across some interesting hard-coded strings in the binary, suggesting that the RAT targets several financial institutions, as shown below.

Figure 9 – Hardcoded Strings referring to Financial Institutions

Persian Loader

Persian Loader allows the execution of other executable files on the victim system. The Persian Loader binary uses TCP sockets to receive and execute second-stage payloads on infected systems. The Persian Loader builder and management tool, Persian X Loader 5.0, was hosted on the developers' Telegram channel for free. The figure below shows the Persian X Loader 5.0 Builder panel.

Figure 10 – Persian X Loader 5.0 Builder Panel

Persian X Loader 5.0 can create a custom listener server, which can be bound to any designated port. This listener acts as a server for the malicious loaders created by the Persian X Loader 5.0 Builder. The figure below shows the Persian Loader management panel for listening ports.

Figure 11 – Port Binding for Persian Loader

The TA can build the malicious loader binary using Persian X Loader 5.0 by adding the listener server IP and port within the builder. When executed in the victim’s systems, the newly built executable will then connect to the listener server on the listener port. The figure below shows the builder for Persian Loader.

Figure 12 – Persian Loader Builder

The Persian Loader has a panel to manage already deployed loaders running on victim systems. This panel has various options, which include reconnecting the specific victim, starting the listening server, stopping the listening server, executing the file in the already infected system, and building new loader binaries. The figure below shows the active panel for Persian loader to execute other malicious files on the compromised system.

Figure 13 – Persian Loader Panel for Executing Files Remotely

Conclusion

The malicious tools that we observed and analyzed on Persian Remote World pose a significant threat to potential victims. Threat actors can remotely execute commands, exfiltrate data, and manipulate system settings on infected systems. By enabling unauthorized control, RATs put user privacy, financial security, and the integrity of critical data at risk.

Threat Actors can perform identity theft, financial fraud, and unauthorized modifications to systems. The persistent nature of RATs makes them particularly dangerous, as they can operate undetected for extended periods, complicating mitigation efforts and further emphasizing the importance of robust cybersecurity measures.  

Our Recommendations 

  • The initial infiltration for RATs and loaders typically takes place via phishing websites or emails. It is crucial to only download and install software applications from well-known and trusted sources and avoid opening emails from unknown senders.
  • Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques 

Tactic | Technique ID | Technique Name | Details
Execution (TA0002) | T1203 | User Execution | User opens the malicious software installer
Execution (TA0002) | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RAT can execute itself using cmd.exe
Privilege Escalation (TA0004) | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RAT has a module to bypass UAC
Defense Evasion (TA0005) | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RAT has a module to bypass UAC
Defense Evasion (TA0005) | T1562.004 | Impair Defenses: Disable or Modify System Firewall | RAT has capabilities to disable or enable the firewall
Credential Access (TA0006) | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | RAT can access browser data of Chrome, Firefox and Edge
Credential Access (TA0006) | T1056.001 | Input Capture: Keylogging | RAT can capture keystrokes
Credential Access (TA0006) | T1056.002 | Input Capture: GUI Input Capture | RAT can take screenshots
Discovery (TA0007) | T1083 | File and Directory Discovery | RAT can discover game and application files and directories
Command and Control (TA0011) | T1095 | Non-Application Layer Protocol | RAT uses TCP for C&C communication
Exfiltration (TA0010) | T1041 | Exfiltration Over C&C Channel | Exfiltration over the C&C channel
Impact (TA0040) | T1486 | Data Encrypted for Impact | RAT has a routine to deploy ransomware

Indicators of Compromise (IOCs) 

Indicator | Indicator Type | Details
edb799ce59664a93495cddeed72cef6a | MD5 | Persian RAT
a3f087c21420034bd9544a2d144fbb90ca138afc | SHA1 | Persian RAT
43403eeb7b8ea5705c727a0fff8d714ea3e27449b6b9ba0edd12c666848e2492 | SHA256 | Persian RAT
85b82f2333b7f9b8c0e12ac86e136c67 | MD5 | Persian Builder
084270a306e14db5cc8540f3adc8ea1ffa511ba5 | SHA1 | Persian Builder
4d978a6f806a95c5ee89f8a394ad2a2e4336ad6554922fcde38c46311ac17874 | SHA256 | Persian Builder
185d2a857bf220f849266b717c860f99 | MD5 | Persian Loader
c123aff3567852b5fca04ee3cf40195714325ade | SHA1 | Persian Loader
464851b14b01e9ca6ff2f6fbc12c3368e3e89bc6f37174742f6a58e20b881d6e | SHA256 | Persian Loader
79628c79d517656a9238e77d8b1f2bed | MD5 | Persian Loader
0f83407aaa82196929c51ff42cba49faad7a4d81 | SHA1 | Persian Loader
06c496e9d53db6b272f4443e85dfc61f934598f70dbcb78c0f0a371bf86888ed | SHA256 | Persian Loader
032df29c4c01ca8f08fd7e3006a2482b | MD5 | Persian Loader
85e2a9aa15a4a75a1d5a6eeb8f72ccb3b8d9a088 | SHA1 | Persian Loader
d57ea1ea7bbe1894cb161e44bb109f74c8f2338601796b58fa30c2edcdae2017 | SHA256 | Persian Loader
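The hash indicators above can be checked against files on disk with nothing more than the standard library. The script below is an added example, not Cyble's tooling: it indexes the MD5, SHA1 and SHA256 values exactly as listed in the report, hashes a file once for all three algorithms and reports the matching label. The benign byte string used in the test is constructed; the `check_file` helper and the directory-walk in `__main__` are assumptions for the example.

```python
"""Match files against the hash IOCs from the report (added example).

The IOC values are copied from the report as published; the sample bytes and
the directory-walk entry point are constructed for this example.
"""
import hashlib
import os
import sys

# (MD5, SHA1, SHA256, label) rows from the report's IOC table.
IOCS = [
    ("edb799ce59664a93495cddeed72cef6a", "a3f087c21420034bd9544a2d144fbb90ca138afc",
     "43403eeb7b8ea5705c727a0fff8d714ea3e27449b6b9ba0edd12c666848e2492", "Persian RAT"),
    ("85b82f2333b7f9b8c0e12ac86e136c67", "084270a306e14db5cc8540f3adc8ea1ffa511ba5",
     "4d978a6f806a95c5ee89f8a394ad2a2e4336ad6554922fcde38c46311ac17874", "Persian Builder"),
    ("185d2a857bf220f849266b717c860f99", "c123aff3567852b5fca04ee3cf40195714325ade",
     "464851b14b01e9ca6ff2f6fbc12c3368e3e89bc6f37174742f6a58e20b881d6e", "Persian Loader"),
    ("79628c79d517656a9238e77d8b1f2bed", "0f83407aaa82196929c51ff42cba49faad7a4d81",
     "06c496e9d53db6b272f4443e85dfc61f934598f70dbcb78c0f0a371bf86888ed", "Persian Loader"),
    ("032df29c4c01ca8f08fd7e3006a2482b", "85e2a9aa15a4a75a1d5a6eeb8f72ccb3b8d9a088",
     "d57ea1ea7bbe1894cb161e44bb109f74c8f2338601796b58fa30c2edcdae2017", "Persian Loader"),
]


def ioc_index():
    """Map every listed hash (any algorithm, lower case) to its label."""
    index = {}
    for md5, sha1, sha256, label in IOCS:
        for h in (md5, sha1, sha256):
            index[h.lower()] = label
    return index


def hashes_of_bytes(data):
    """Compute all three digests in one pass over the data."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_hashes(hashes, index=None):
    """Return the IOC label if any supplied digest is listed, else None."""
    index = index if index is not None else ioc_index()
    for h in hashes.values():
        label = index.get(h.lower())
        if label:
            return label
    return None


def check_file(path, index=None):
    """Hash a file and return its IOC label, or None if it is not listed."""
    with open(path, "rb") as f:
        return match_hashes(hashes_of_bytes(f.read()), index)


if __name__ == "__main__":
    # Usage: python ioc_check.py <directory>  (walks the tree, prints matches)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    index = ioc_index()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                label = check_file(full, index)
            except OSError:
                continue
            if label:
                print(f"{label}: {full}")
```

Hash matching only catches the exact builds Cyble observed; a rebuilt or crypter-wrapped binary will have a different digest, so treat these values as a first-pass sweep and rely on the behavioural signals (mutex, privilege enabling, netsh use) for anything the hashes miss.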

Source: https://cyble.com/blog/new-persian-remote-world-selling-a-suite-of-malicious-tools/