A GAMER TURNED MALWARE DEVELOPER : DIVING INTO SILVERRAT AND IT’S SYRIAN ROOTS

Published On : 2024-01-18
Share :
A GAMER TURNED MALWARE DEVELOPER : DIVING INTO SILVERRAT AND IT’S SYRIAN ROOTS

EXECUTIVE SUMMARY

This report provides a glimpse into the evolving landscape of RAT development and malicious activities performed by threat actors working under name of ‘Anonymous Arabic’. Our team investigated the Silver RAT (written in C sharp) which has capabilities to bypass anti-viruses and covertly launch hidden applications, browsers, keyloggers, and other malicious activities. The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence, in addition to a Telegram channel offering a range of services including the distribution of cracked RATs, leaked databases, carding activities, and the sale of social media bots, which are employed to promote services by automatically engaging with and commenting on user content.

INTRODUCTION

Silver RAT v1.0 was observed in the wild during November 2023. The authors of Silver RAT have also developed another product called S500 RAT. While Silver RAT is currently Windows-based, recent announcements indicate that the developers are planning to launch a new version with the ability to generate both Windows and Android payloads. Silver RAT v1.0 comes with destructive features such as a keylogger, UAC bypass, data encryption using ransomware, and functions to destroy system restore points.

The developer of Silver RAT is, known as ‘noradlb1,’ and is active on prominent hacking forums like XSS, Darkforum, TurkHackTeam, and others, with an arguably respected reputation. The RAT first appeared on their Telegram channel and later on Turkhackteam and 1877 forums. Silver RAT was cracked and leaked on Telegram around October, 2023, and now users on Telegram and GitHub are sharing cracked versions of Silver RAT v1.0 to users without the means to purchase RATs (however there is evidence from user conversations that this may not be as effective as other well-known RATs like xworm).

While generating a payload using Silver RAT’s builder, threat actors can select various options with a payload size up to a maximum of 50kb. Once connected, the victim appears on the attacker controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen. The threat actor can hide processes under false headings, and the final payload can be generated in a Windows executable file, delivered through various social engineering methods.

The announcement about the sale of Silver RAT 1.0 initially appeared on the TurkHackTeam forum and later surfaced on 1877 and other underground hacking forums.

Our team found that the threat actor also posted in a well-known Russian forum, selling Silver RAT v1.0.

Additionally, they created a website under an e-commerce domain to facilitate the sale of Silver RAT v1.0.

ASSESSMENT

The initial announcement regarding the release of Silver RAT V1.0 was made on October 19, 2022 on their Telegram channel. Subsequent to this, (November 19, 2022) the threat actor released the RAT on two hacker forums.

PANEL OVERVIEW

Silver RAT v1.0 written in C Sharp is a Window based RAT builder for windows systems, which has different features like Bypass AV, stealing browser cookies, keylogger, hidden browser, hidden RDP access and much more.

Our team have performed the analysis of the Silver RAT v1.0 builder in order to assess it’s capabilities: after executing, there is an initial prompt to request a port number on which Silver RAT will bind the IP, and port number for reverse shell.

This is the builder section of Silver RAT, where users will find numerous options. Some notable features include the ability to Bypass AV, conceal malicious processes by assigning custom process names, and specify the connection method. The user can choose between default connection settings by providing an IP for reverse connection or opt for a web HTML link.

Below is a list of the arguably most interesting functionalities of Silver RAT v1.0:

  • The attacker can utilize either an IP address with a specified port, or a webpage for command and control of the target system.
  • Windows defender exclusion function prevents detection after the program has been launched for the first time.
  • Attackers can configure this functionality to erase all system restore points. If the target attempts to turn off the system and run system restore, it will be ineffective.
  • This option can be configured to delay the execution of the payload. If the target runs the payload, it will not activate until the specified time has elapsed.
  • Hidden process and hidden installation, i.e. the capability to hide a process within the task manager. The attacker can provide a custom process name to hide the payload in a folder, which cannot be found even if the target tries to view hidden files or folders within Windows settings.
  • Bypassing Antivirus using FUD Crypters.

A point to note is that the payload size increases when users select more options, ranging from 40- 50KB.

In the execution process, the .Net executable payload can be delivered by using various social engineering tactics. Upon execution, an administrated permission prompt will appear, and it will run a CMD window that disappears in less than 2 seconds.

Following this, Silver RAT v1.0 establishes a connection, once connected the target will appear in the targets list.

ADMIN CONTROL PANEL

Upon successful connection, the attacker gains the ability to initiate various malicious activities on the target system, as seen in below snippet.

Beginning with the top option ‘Manager,’ the attacker can manage and control various aspects of the target system. This includes managing installed applications, navigating the file manager, modifying registry keys, checking startup items, and monitoring the performance of the target system.

Additionally, attackers can leverage other interesting malicious activities on target system such as:

Hidden Apps
– Attackers can control multiple applications on the client’s computer covertly, with various apps running concurrently.

Hidden Browsers
– Gives the ability to add client browsers to a hidden list.
– Enables the attacker and the victim to use the browser at the same time.

Hidden VNC
– Gives the attackers control of target system
– Attackers can control the client’s internet browsers.

The image below illustrates specific stealing capabilities of Silver RAT v1.0.

Additionally, an attacker can encrypt data on the victim’s computer using ransomware, delete data and browser cookies from the target computer remotely, propogate like worm through USB , and erase system restore points.

BUILDER CODE REVIEW

After analyzing the program file of the builder, there are some flags that warrant discussion:

The below highlights boolean flags like ‘RuntimeProcessCheckerProtection’, ‘RuntimeAntiDebugProtection’, ‘KillDebuggerProtection’, ‘KillMaliciousProcess’, ‘DetectDllInjection’, and ‘RunSingleThread’.

These flags are used to protect the RAT from various debugging techniques, as well as protecting the program from being analyzed. If such activity is detected, the anti-analysis code will terminate the program’s execution.

In the snippet below this list called ‘BadPList’ containing different strings related to programs used by malware analysts. Each string represents the name of a process or tool that the RAT considers potentially bad or associated with debugging and analysis activities.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)

Threat Actor Profile:
The Silver RAT developers have 2 different Telegram channels with 1k+ on one channel and 700+ users on another channel, indicating a high user engagement rate.

CYFIRMA researchers found out that the threat actor has been using a well-known Crypto wallet, employing different addresses for transactions, ranging from Bitcoin to Ethereum and USDT (Tether).

Their Bitcoin wallet appears to be empty, while their Ethereum wallet shows 8 transactions including 1 deposit and 7 transfers.

We note approximately 2,275.67 USD of transactions between December 24,2023 and December 25,2023 period, including potential cashing out activities.

During the analysis, we backtracked to the PayPal purchase option, and upon exiting the page, we obtained the Gmail address used by threat actor for PayPal account.

During our investigation, we discovered a Facebook account of a hacktivist group that supports the “Syrian Revolution”, with post engagement from a developer of Silver RAT based on multiple attribute matches. Reviewing the developer’s previous posts reveals a history of offering various first-person shooter (FPS) game hacks and mods.

Based on these observations, it can be ascertained with high confidence that the Silver RAT developer:

  • Began hacking as a teen
  • Is likely in his mid-twenties
  • Resides in Damascus, Syria

THREAT LANDSCAPE

A threat actor using the moniker ‘Dangerous silver,’ and another using ‘Monstermc’, serve as developers for S500 RAT and Silver RAT. They operate a Telegram channel offering malware-as-a-service, distributing cracked RATs from various developers, leaked databases, carding services, fake pages, and the sale of Twitter/Facebook bots. They have blog website named as ‘Anonymous Arabic’ that is moderated by 2 other individuals, as well as groups named as Monstermc and Syria Pirates.

Following the leak, Silver RAT v1.0 is freely available over Telegram, as well as some underground forums and Github, complete with full instructions on its malicious use.

The threat actor is actively sharing information on various social media platforms, as well as development platforms like GitHub, where the threat actors shared different red teaming methods and cracked malware.

The threat actor’s YouTube channel where they shared details about Silver RAT was banned by the platform, but a new (and still active) channel shares tutorials about their malicious tools.

The threat actor Pastebin profile shows they pasted source code of builders as well as some bypass tricks.

UNDERGROUND ACTIVITY MONITORING

We have discovered that the threat actor appears to have a good reputation on across various underground forums.

RECENT DEVELOPMENT

Silver RAT v1.0 generates a Windows executable, however Telegram chatter purports that the upcoming release of a new version of Silver RAT will be capable of generating payloads for both Android and Windows platforms.

MITRE MAPPING

Tactics Techniques
TA0002: Execution T1059: Command and Scripting Interpreter
T1053: Scheduled Task/Job
TA0003: Persistence T1053: Scheduled Task/Job
TA0004: Privilege Escalation T1055: Process Injection
T1053: Scheduled Task/Job
TA0005: Defense Evasion T1112: Modify Registry
T1497: Virtualization/Sandbox Evasion
T1055: Process Injection
T1027: Obfuscated Files or Information
TA0006: Credential Access T1056: Input Capture
T1539: Steal Web Cookie
T1552: Unsecured Credentials
T1528: Steal Application Access Token
TA0007: Discovery T1057: Process Discovery
T1497: Virtualization/Sandbox Evasion
T1083: File and Directory Discovery
T1082: System Information Discovery
TA0009: Collection T1056: Input Capture
TA0010: Exfiltration T1041: Exfiltration over C2 Channel
T1567: Exfiltration over Web Service

IOCs

No SHA256 Indicators Remarks
1 79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9 Silver RAT v1.0 Builder
2 a9fa8e14080792b67a12f682a336c0ea9ff463bbcb27955644c6fcaf80023641 Silver RAT v1.0 Builder
3 7a9aeea5e65a0966894710c1d9191ba4cbd6415cba5b10b3b75091237a70a5b8 Silver RAT Payload
4 0ace7ae35b7b44a3ec64667983ff9106df688c24b52f8fcb25729c70a00cc319 Silver RAT Payload
5 3b06b4aab7f6f590aeac5afb33bbe2c36191aeee724ec82e2a9661e34679af0a Silver RAT Payload
6 27b781269be3b0d2f16689a17245d82210f39531e3bcb88684b03ae620ac5007 Silver RAT Payload
7 0ace7ae35b7b44a3ec64667983ff9106df688c24b52f8fcb25729c70a00cc319 Silver RAT Payload

CONCLUSION

The developer of Silver RAT intends to release new versions of RAT following the leak of v1.0, which rends it freely accessible for malicious purposes. The developer, operating under the name “Anonymous Arabic,” appears is supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware. It is crucial for organizations to enhance their defense mechanisms in response to this potential threat.

RECOMMENDATIONS

Strategic Recommendations:

  • Security Awareness Training: educate users about the risks of downloading and installing apps from untrusted sources. Teach them to recognize phishing attempts, suspicious links, and potentially harmful applications.
  • Regular Updates: enforce a policy of keeping devices and operating systems up to date with the latest security patches. Outdated systems can have vulnerabilities that RATs may exploit.
  • Data Encryption: encourage users to enable device encryption and use strong, unique passcodes or biometric authentication methods to protect their devices.

Management Recommendations

  • Incident Response Plan: develop and communicate an incident response plan that outlines steps to take if a device is compromised. This plan should include isolating the device, notifying relevant parties, and taking action to mitigate the breach.
  • User Support: provide users with a clear channel to report suspicious activity, unusual behavior, or potential security incidents. Ensure they understand the importance of reporting such incidents promptly.
  • Regular Backups: regularly back up your device’s data to a secure location. This helps mitigate the impact of data loss in case of a security incident.

Tactical Recommendations

  • App Review: regularly review the list of installed apps and remove any that are unused or suspicious. RATs often disguise themselves as legitimate apps.
  • Network Security: avoid using unsecured Wi-Fi networks, especially for sensitive transactions. Use a VPN when connected to public Wi-Fi to encrypt your internet traffic.
  • Behavioral Analysis: implement solutions that use behavioral analysis to detect unusual patterns or activities on endpoints. Analyze network traffic for anomalies that may indicate RAT activities.
  • Endpoint Detection and Response (EDR): deploy EDR solutions to enhance visibility into endpoint activities and enable faster detection and response to potential RAT infections.
  • Firewall Configuration: configure firewalls to restrict unnecessary outbound traffic, especially for non-standard ports associated with RATs.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.