{"id":16088,"date":"2019-08-16T09:40:04","date_gmt":"2019-08-16T17:40:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/16\/news-9831\/"},"modified":"2019-08-16T09:40:04","modified_gmt":"2019-08-16T17:40:04","slug":"news-9831","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/16\/news-9831\/","title":{"rendered":"Fake Indian Income Tax Calculator Delivers xRAT Variant"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>A FortiGuard Labs Breaking Threat Report<\/i><\/p>\n<p> Tax-themed phishing and malware attacks rise during the tax filing season. FortiGuard Labs recently came upon an interesting Excel file claiming to provide an income tax calculator that purports to be from India\u2019s Income Tax Department. It\u2019s not. Instead, it\u2019s a malicious file containing a variant of the xRAT trojan.<\/p>\n<p>Based on the timestamps of when this malicious file was crafted, it seems to be targeting people catching the deadline for filing their income tax returns (ITRs) in India.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/fake-indian-income-tax-calculator-xrat-variant\/_jcr_content\/root\/responsivegrid\/image_879428686.img.png\" alt=\"One of the Malicious Binary\u2019s Compilation Timestamps\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 1. 
One of the Malicious Binary\u2019s Compilation Timestamps<\/span><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 2. One of the Malicious Binary\u2019s Debug Files<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The attack is well timed: the deadline for filing the ITR in India, normally July 31, was extended this year to August 31, 2019.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\"><span class=\"cmp-image--title\">Fig. 3. 
India\u2019s Income Tax Department\u2019s Announcement for the ITR Filing Extension<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When opened with macros enabled, the malicious Excel file drops and executes xRAT, an open-source RAT (remote administration tool) that is a fork of the better-known QuasarRAT.<\/p>\n<h2><b>Fake Income Tax Calculator<\/b><\/h2>\n<p>The fake income tax calculator pretends to come from India\u2019s Income Tax Department, borrowing the department\u2019s logo for the decoy sheet.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\"><span class=\"cmp-image--title\">Fig. 4. Fake Income Tax Calculator<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The embedded macro code runs as soon as the file is opened (with macros enabled); the user does not need to touch the sheet at all. The \u201cCLICK &amp; CALCULATE\u201d button shown above exists only to make the file look legitimate. 
Clicking the button merely pops up a message box with the following text:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\"><span class=\"cmp-image--title\">Fig. 5. Calculate Button Only Pops Up a Message Box<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>What It Does<\/b><\/h2>\n<p>The macro first Base64-decodes a blob of data embedded in the Excel file and writes the result to %AppData%\\doubleenc. That is only the outermost of three layers: the decoded data is still XOR-encrypted, and underneath that it is Base64-encoded once more, as the following steps show.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 6. 
Base64 Encoded Embedded Malware<\/span><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><span class=\"cmp-image--title\">Fig. 7. Decoding the Embedded Malware with Base64<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The <i>doubleenc<\/i> file is XOR-encrypted with the following key. The key is fixed and carried by the macro itself, so this layer is obfuscation against static scanning rather than real encryption:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 8. 
XOR Key Used to Decrypt Embedded Malware<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The decrypted data is saved as %AppData%\\doubledec.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 9. Base64 Encoded xRAT<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The <i>doubledec<\/i> file is still Base64 encoded. Decoding it yields a PE executable, which is saved as %AppData%\\msword.exe.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 10. Files Dropped in the %AppData% Folder<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When executed, <i>msword.exe<\/i> drops a set of files, including the xRAT binaries, into the %AppData%\\Microsoft\\Office\\Excel folder.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 11. Files Dropped in the %AppData%\\Microsoft\\Office\\Excel Folder<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Files <i>3<\/i> and <i>4<\/i> are both xRAT binaries, compiled against different .NET Framework versions. <i>Console Window Host.exe<\/i> checks which .NET Framework version is installed on the system and picks the matching binary, which is renamed to <i>conhost.exe<\/i>, executed, and registered in an auto-start registry entry for persistence. The name mimics the legitimate Windows Console Window Host, but the real conhost.exe lives in %SystemRoot%\\System32; a process of that name running from a user-writable %AppData% path is a reliable hunting signal.<\/p>\n<h2><b>xRAT 2.0<\/b><\/h2>\n<p>xRAT is an open-source RAT (remote administration tool) forked from the better-known open-source QuasarRAT, which is used by attackers of every level, from script kiddies to APT groups such as Patchwork and Gorgon.<\/p>\n<p>The latest version of xRAT is 2.0, and the code is publicly available on GitHub. 
According to its <i>readme<\/i> file, it has the following features:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><span class=\"cmp-image--title\">Fig. 12. Features of xRAT 2.0 as seen on GitHub<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Because the RAT is open source, any changes the operator made can be found by comparing the sample against the published code. The natural starting point is the client configuration, which holds the command and control (C2) server details.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"><span class=\"cmp-image--title\">Fig. 13. xRAT Configuration<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>According to the configuration, this variant connects to xorc-49723.portmap[.]host on TCP port 63989. The operator is using the <a href=\"https:\/\/portmap.io\/\">Portmap<\/a> port-forwarding service to relay traffic to the real C2 server. 
This is a known technique among QuasarRAT operators for hiding the true C2 server: the victim only ever talks to the Portmap relay, so the operator\u2019s real address never appears in the victim\u2019s traffic. As expected, communication between the RAT and its C2 server is encrypted.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 14. Encrypted Traffic on Port 63989<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The encryption in this variant is unchanged from the original source code: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Advanced_Encryption_Standard\">Advanced Encryption Standard<\/a> (Rijndael). Data sent to or from the C2 server is first compressed with <a href=\"http:\/\/www.quicklz.com\/\">QuickLZ<\/a> and then encrypted with AES.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 15. 
Traffic To\/From C2 Compression and Encryption<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The AES key is the MD5 hash of the password found in the configuration, \u201c#$%12aBcL\u201d, used together with a generated initialization vector (IV). An MD5 digest is 16 bytes, so this is AES-128, and the key can be derived by anyone who recovers the password from the client binary; the traffic is only as secret as that hard-coded password.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"><span class=\"cmp-image--title\">Fig. 16. AES Encryption<\/span><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>All other functionality appears to match the original source code. Because the code is otherwise unmodified, a good signature written against the shared xRAT code base catches new builds of it just as easily.<\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p>As the deadline for filing Income Tax Returns approaches, many people look for tax calculators to estimate their refund or bill. Many tax filers simply run programs downloaded from anywhere on the internet, or even opened from spam email attachments sent by unknown senders, without considering whether they are harmful. 
Every year attackers take advantage of tax season by building lures to attract and exploit unsuspecting victims, as this campaign and the general rise in tax-themed attacks show.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2><b>Solution<\/b><\/h2>\n<p>Fortinet customers are protected by the following:<\/p>\n<ul>\n<li>xRAT samples are detected by the MSIL\/XRat.A!tr signature<\/li>\n<li>The decoy document is detected by the W97M\/Agent.YRJ!tr signature<\/li>\n<li>FortiSandbox rates the xRAT\u2019s behaviour as high risk<\/li>\n<\/ul>\n<h2><b>IOCs<\/b><\/h2>\n<p><b><u>SHA256<\/u><\/b><\/p>\n<p>8b295dd23cddbe8076f0bd651efe03c8d207823920a5c4dbefa328fda6898d83<br \/> 94687352179d4f60ddc8a18026da4cf356cc47a56e058b4210e9b4f935231576<br \/> a070e0ae6edf52b3d1a393a21d33c8aa0f2a30fe113a973dbae892b3f5cadd28<br \/> 63517ec73dfa0629d344b6803ed2a4465f9338592d9c64a14c89bb0da849961c<\/p>\n<p><b><u>C2<\/u><\/b><\/p>\n<p>xorc-49723.portmap[.]host (TCP port 63989)<\/p>\n<p><b><u>Dropped files<\/u><\/b><\/p>\n<p>%AppData%\\doubleenc<br \/> %AppData%\\doubledec<br \/> %AppData%\\msword.exe<br \/> %AppData%\\Microsoft\\Office\\Excel\\Console Window Host.exe<br \/> %AppData%\\Microsoft\\Office\\Excel\\conhost.exe<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best 
practices.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/zfu3G0QX-vo\/fake-indian-income-tax-calculator-xrat-variant.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FortiGuard Labs recently discovered an Excel file claiming to provide an income tax calculator that purports to be from India\u2019s Income Tax Department, but instead contains a variant of the xRAT trojan. Learn more.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/zfu3G0QX-vo&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16088","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16088"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16088\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16088"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
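The layered unwrapping described under "What It Does" in the post above (Base64 decode to doubleenc, XOR decrypt to doubledec, Base64 decode again to msword.exe) is reproduced here as an added Python example. It is not code from the Fortinet write-up or from the sample's macro: the XOR key `DEMO_XOR_KEY`, the stand-in PE payload from `build_fake_pe()` and the intermediate names are constructed for the demonstration (the sample's real key appears only in Fig. 8), and `pack()` is an assumption about how the author built the blob, namely the exact reverse of the unpack chain the macro performs. The XOR step is written for a repeating multi-byte key, which also covers a single-byte key, so it is slightly more general than the one case the post shows. `pe_sanity()` is the check an analyst runs on the last stage before trusting it: an `MZ` magic, an `e_lfanew` that lands inside the buffer, and the `PE\0\0` signature at that offset.

```python
"""Unwrap the Base64 -> XOR -> Base64 layering used by the tax-calculator dropper.

Added example, not code from the Fortinet write-up or the sample's macro.
The key, the payload and the file names are constructed for demonstration;
the sample's real XOR key is only shown in the blog's Fig. 8.
"""
import base64
import struct
from itertools import cycle

# Constructed placeholder key. The macro carries its own fixed key; xor_bytes()
# treats any key as a repeating byte sequence, which also covers a 1-byte key.
DEMO_XOR_KEY = b"T4xS3as0n"


def build_fake_pe() -> bytes:
    """Constructed minimal stand-in for a PE file: a DOS header whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature. Real xRAT binaries
    are far larger, but the header checks below are the same."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    file_header_stub = b"\x4c\x01" + b"\x00" * 18  # Machine=i386, rest zeroed
    return bytes(dos) + b"PE\x00\x00" + file_header_stub


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (its own inverse, so it both
    encrypts and decrypts)."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def pack(payload: bytes, key: bytes) -> bytes:
    """Assumed builder side: PE -> Base64 -> XOR -> Base64. The result is the
    kind of blob the macro stores in the workbook."""
    return base64.b64encode(xor_bytes(base64.b64encode(payload), key))


def unpack(blob: bytes, key: bytes) -> dict:
    """Reverse the layers in the order the macro does, keeping every
    intermediate so it can be compared with the files dropped in %AppData%."""
    # Blobs pasted into VBA or spread over cells often carry line breaks;
    # strip whitespace before strict decoding.
    doubleenc = base64.b64decode(b"".join(blob.split()), validate=True)
    doubledec = xor_bytes(doubleenc, key)
    exe = base64.b64decode(doubledec, validate=True)
    return {"doubleenc": doubleenc, "doubledec": doubledec, "msword.exe": exe}


def pe_sanity(data: bytes) -> bool:
    """Cheap check that the final stage is a PE image: 'MZ' magic, an e_lfanew
    that stays inside the buffer, and the 'PE\\0\\0' signature there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    blob = pack(build_fake_pe(), DEMO_XOR_KEY)
    stages = unpack(blob, DEMO_XOR_KEY)
    for name, data in stages.items():
        print(f"{name:<10} {len(data):>5} bytes  PE? {pe_sanity(data)}")
```

Running the file prints the three stages; only the last one passes the PE check. The same `unpack()` works on a blob extracted from a real workbook once the key from Fig. 8 is substituted for `DEMO_XOR_KEY`, and the intermediates can be diffed byte-for-byte against the doubleenc and doubledec files the macro leaves behind.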
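The dropped-file chain in the post gives a responder two cheap process-level checks: an Office application spawning an executable from a user-writable %AppData% path (Excel launching msword.exe here), and a process named conhost.exe whose image does not live in %SystemRoot%\System32 (the renamed xRAT client launched from %AppData%\Microsoft\Office\Excel). The following is an added Python example, not part of the Fortinet analysis, that runs those checks, plus a weaker file-name check for the dropper names the post reports, over a few constructed process-creation events. The JSON-lines shape, its field names (`pid`, `image`, `parent_image`, `user`), the host and user names and the paths are all assumptions made for the example, not a real Sysmon or EDR schema; the Office check is generalised to Word and PowerPoint as well as Excel.

```python
"""Process-level triage for the dropper / xRAT chain described in the post.

Added example, not part of the Fortinet analysis. The event format is a
simplified, constructed JSON-lines shape (field names are assumptions, not a
real Sysmon/EDR schema); user names and paths are made up.
"""
import json
import ntpath

# Generalised beyond the Excel case in the post to the other macro-capable apps.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\")
# File names from the post's dropped-file chain. conhost.exe is deliberately
# absent: it gets its own location-based rule below.
DROPPED_NAMES = {"msword.exe", "console window host.exe"}

# Constructed sample events, one JSON object per line. The first four model the
# chain in the post (Excel itself is benign and must not fire); 6012 and 6100
# are benign look-alikes that must not fire either.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent_image": "C:\\Windows\\explorer.exe", "user": "DESK01\\anita"}
{"pid": 5200, "image": "C:\\Users\\anita\\AppData\\Roaming\\msword.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "user": "DESK01\\anita"}
{"pid": 5316, "image": "C:\\Users\\anita\\AppData\\Roaming\\Microsoft\\Office\\Excel\\Console Window Host.exe", "parent_image": "C:\\Users\\anita\\AppData\\Roaming\\msword.exe", "user": "DESK01\\anita"}
{"pid": 5400, "image": "C:\\Users\\anita\\AppData\\Roaming\\Microsoft\\Office\\Excel\\conhost.exe", "parent_image": "C:\\Users\\anita\\AppData\\Roaming\\Microsoft\\Office\\Excel\\Console Window Host.exe", "user": "DESK01\\anita"}
{"pid": 6012, "image": "C:\\Windows\\System32\\conhost.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "user": "DESK01\\anita"}
{"pid": 6100, "image": "C:\\Users\\anita\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "parent_image": "C:\\Windows\\explorer.exe", "user": "DESK01\\anita"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case- and
    separator-insensitive, as Windows paths are."""
    return path.replace("/", "\\").lower()


def office_child_in_user_dir(ev: dict) -> bool:
    """An Office app spawning something that lives under %AppData%."""
    parent = ntpath.basename(_norm(ev.get("parent_image", "")))
    image = _norm(ev.get("image", ""))
    return parent in OFFICE_APPS and any(seg in image for seg in USER_WRITABLE)


def conhost_outside_system32(ev: dict) -> bool:
    """The genuine Console Window Host only ever runs from %SystemRoot%\\System32."""
    image = _norm(ev.get("image", ""))
    if ntpath.basename(image) != "conhost.exe":
        return False
    return not ntpath.dirname(image).endswith("\\windows\\system32")


def known_dropper_name(ev: dict) -> bool:
    """Weak, name-based indicator: a reported dropper file name under %AppData%."""
    image = _norm(ev.get("image", ""))
    return ntpath.basename(image) in DROPPED_NAMES and any(seg in image for seg in USER_WRITABLE)


RULES = (
    ("office_child_in_appdata", office_child_in_user_dir),
    ("conhost_outside_system32", conhost_outside_system32),
    ("xrat_dropper_filename", known_dropper_name),
)


def triage(events: list) -> list:
    """Return one hit per (event, rule) pair that matches."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append({"pid": ev["pid"], "rule": name, "image": ev["image"]})
    return hits


if __name__ == "__main__":
    for hit in triage(parse_events(SAMPLE_LOG)):
        print(f"pid {hit['pid']:>5}  {hit['rule']:<26} {hit['image']}")
```

On the constructed log this flags msword.exe (Office parent plus dropper name), Console Window Host.exe (dropper name) and the %AppData% copy of conhost.exe (wrong location), while the real System32 conhost.exe and a benign AppData-installed application stay quiet. The location rule is the most durable of the three: the file names can change between builds, but a conhost.exe outside System32 is wrong regardless of which RAT is hiding behind it.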