Ratatouille: Cooking Up Chaos in the I2P Kitchen

This report details the discovery and analysis of I2PRAT, a sophisticated multi-stage Remote Access Trojan (RAT) identified during a campaign called ClickFix12. The malware uses advanced evasion techniques, including privilege escalation and dynamic API resolution, and communicates covertly over the I2P network. The report covers its infection chain and functionality, and proposes tracking and detection strategies for identifying I2PRAT on compromised systems. Affected: cybersecurity, IT infrastructure, Windows operating systems

Key points:

  • I2PRAT is a multi-stage RAT discovered as part of the ClickFix12 campaign.
  • The malware employs various evasion techniques, including privilege escalation using RPC abuse and parent ID spoofing.
  • It operates over the I2P network to conceal Command and Control (C2) communications.
  • The infection chain consists of an initial loader and subsequently dropped components for maintaining persistence.
  • Detection routes and mitigation strategies against the malware have been proposed based on the findings.
  • The I2PRAT installer deactivates Windows Defender to evade detection.
  • The malware is capable of obstructing specific Windows services and creating its own autostart service.

MITRE Techniques:

  • T1573.001 – Encrypted Channel: Symmetric Cryptography (used for securing communications over I2P).
  • T1104 – Multi-Stage Channels (loader and various stages of malware payload delivery).
  • T1095 – Non-Application Layer Protocol (utilizing I2P for C2 comms).
  • T1571 – Non-Standard Port (the malware communicates through a non-standard port).
  • T1090.003 – Proxy: Multi-hop Proxy (uses I2P for anonymity).
  • T1048.001 – Exfiltration Over Symmetric Encrypted Non-C2 Protocol (the malware sends data using encrypted channels).
  • T1547 – Abuse Elevation Control Mechanism (privilege escalation techniques used).
  • T1622 – Debugger Evasion (techniques aimed at preventing debugging).
  • T1140 – Deobfuscate/Decode Files or Information (dynamic resolution of API functions).
  • T1562.001 – Disable or Modify Tools (deactivating security tools such as Windows Defender).
  • T1036 – Masquerading (using common names for malicious files).
  • T1055.003 – Process Injection: Thread Execution Hijacking (injection techniques to gain control).
  • T1055.012 – Process Injection: Process Hollowing (hollows existing processes for stealth).
  • T1027.002 – Software Packing (code obfuscation and packing).
  • T1027.007 – Dynamic API Resolution (using runtime hashing for function resolution).
  • T1543.003 – Create or Modify System Process: Windows Service (creating backdoor services).
  • T1059.001 – Command and Scripting Interpreter: PowerShell (uses PowerShell for executing commands).

Indicators of Compromise:

  • IP Address 64.95.10[.]162:1119 (C2 server communication).
  • IP Address 194.26.135[.]9 (infrastructure linked to the malware).
  • IP Address 154.216.20[.]137 (another C2 server identified).
  • Domain example: c21a8709 (taken from the cnccli.log analysis).
  • File Name: main.exe (final payload located at 'C:\Users\Public\Computer.{…}').

Full Story: https://blog.sekoia.io/ratatouille-cooking-up-chaos-in-the-i2p-kitchen/