Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Parasite HTTP RAT Packs Extensive Protection Mechanisms

A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.

A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.

Dubbed Parasite HTTP, the malware is being advertised on an underground forum and has already been used in an infection campaign. Courtesy of a modular architecture, the malware’s capabilities can be expanded with the addition of new modules after infecting a system.

The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.

Written in C, the tool is advertised as having no dependencies, a small size of around 49Kb, and plugin support. Moreover, its author claims the malware supports dynamic API calls, has encrypted strings, features a secure command and control (C&C) panel written in PHP, can bypass firewalls, and features encrypted communications.

Among other features, the author also advertises a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint says.

In addition to string obfuscation, Parasite HTTP features a sleep routine to delay execution and check for sandboxes or emulation. It first checks if an exception handler has run, then checks “whether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms increments.”

When detecting a sandbox, the malware does not simply exit or throw an error, but attempts to make it more difficult to determine why it crashed. The RAT also uses code from a public repository for sandbox detection.

“Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing,” Proofpoint’s security researchers warn.

On Windows 7 and newer versions, the threat resolves critical APIs for creating its registry values. It also uses a process injection technique that isn’t used by major malware families.

The malware includes an obfuscated check for debugger breakpoints within a range of its own code. Parasite HTTP also removes hooks on a series of DLLs, but only restores the first 5 bytes to the original, which would likely result in a crash if a sandbox is using an indirect jump (6 bytes) for its hooks.

< span>“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint says.

Related: RATs Bite Ukraine in Ongoing Espionage Campaign

Related: NetSupport Manager RAT Spread via Fake Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...