A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.
Dubbed Parasite HTTP, the malware is being advertised on an underground forum and has already been used in an infection campaign. Courtesy of a modular architecture, the malware’s capabilities can be expanded with the addition of new modules after infecting a system.
The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.
Written in C, the tool is advertised as having no dependencies, a small size of around 49Kb, and plugin support. Moreover, its author claims the malware supports dynamic API calls, has encrypted strings, features a secure command and control (C&C) panel written in PHP, can bypass firewalls, and features encrypted communications.
Among other features, the author also advertises a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.
“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint says.
In addition to string obfuscation, Parasite HTTP features a sleep routine to delay execution and check for sandboxes or emulation. It first checks if an exception handler has run, then checks “whether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms increments.”
When detecting a sandbox, the malware does not simply exit or throw an error, but attempts to make it more difficult to determine why it crashed. The RAT also uses code from a public repository for sandbox detection.
“Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing,” Proofpoint’s security researchers warn.
On Windows 7 and newer versions, the threat resolves critical APIs for creating its registry values. It also uses a process injection technique that isn’t used by major malware families.
The malware includes an obfuscated check for debugger breakpoints within a range of its own code. Parasite HTTP also removes hooks on a series of DLLs, but only restores the first 5 bytes to the original, which would likely result in a crash if a sandbox is using an indirect jump (6 bytes) for its hooks.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint says.