Evolution of sophisticated spyware: from Agent.BTZ to ComRAT

01/15/2015
G DATA Blog

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the targeted infrastructure: Uroburos, a rootkit; Agent.BTZ/ComRAT, remote administration tools or Linux malware and maybe even more.

We decided to have an even closer look at Agent.BTZ and ComRAT and therefore analyzed the evolution of this RAT, covering seven years of development. Here is a table with the minimal information about 46 different samples:

<thead></thead>
MD5VersionCompilation Date
b41fbdd02e4d54b4bc28eda99a8c1502Ch 1.0Wed Jun 13 07:31:32 2007 UTC
93827a6c77e84ffdd9c793d485d3df6eCh 1.0Wed Jun 13 07:31:32 2007 UTC
3e9c7ef54ea3d55d5b53abab4c3e2385Ch 1.0Wed Jun 13 07:31:32 2007 UTC
b9ed8876ef5a05ba364a9cdbdf4f184dCh 1.0Tue Jun 19 12:41:21 2007 UTC
d8f98f64687b05a62c81ce9e52dd808dCh 1.1Tue Jun 26 08:46:11 2007 UTC
2cf64ff9dad8d64ee9322e390d4f7283Ch 1.1Tue Jun 26 08:46:11 2007 UTC
24e679155697bd31b34036a44d4346a7Ch 1.2wccTue Jul 24 12:57:37 2007 UTC
53b8b9f779b1d1d298884d1c21313ab3Ch 1.2wccTue Jul 24 12:57:37 2007 UTC
69ae46fedf3c18ff36fc850e0baa9365Ch 1.2wccTue Jul 24 12:57:37 2007 UTC
e05511a84eb345954b94f1e05c78bf22Ch 1.2Thu Jul 26 07:20:17 2007 UTC
f93ce76f6580d68a95260198b2d6feaaCh 1.3Mon Dec  3 14:15:58 2007 UTC
db5d1583704b0fb6d1cff0b62a512a7dCh 1.4Tue Dec 11 17:36:03 2007 UTC
2b348c225985679f62e50b28bdb74ac9Ch 1.4Tue Dec 11 17:36:03 2007 UTC
af3f0efbd69905123f7df958cc88dff9Ch 1.4Tue Dec 11 17:36:03 2007 UTC
e825c4961293ad45883cd52f38695283Ch 1.5Thu Mar 27 14:58:15 2008 UTC
2a67b53b7ef7b70763658ca7f60e7005Ch 1.5Thu Mar 27 14:58:15 2008 UTC
bbf569176ec7ec611d8a000b50cdb754Ch 1.5Thu Mar 27 14:58:15 2008 UTC
e5c76e67128e48cb0f003c2beee47d1fCh 1.5Thu Mar 27 14:58:15 2008 UTC
8e5da63369d20e1d2c530bf806996285Ch 2.02Mon May  5 11:27:48 2008 UTC
78d3f074b70788897ae7e20e5137bf47Ch 2.03Mon May 12 11:52:31 2008 UTC
986f263ca2c529d5d28bce3c62f858eaCh 2.03Thu May 22 10:24:55 2008 UTC
4f732099caf5d21729572cec229f7614Ch 2.04Mon Jun  9 17:23:56 2008 UTC
5336c24a3399f522f8e19d9c54a069c6Ch 2.04Mon Jun  9 17:23:56 2008 UTC
dc1c54751f94b6fdf0b6ecdd64e67701Ch 2.04Mon Jun  9 17:23:56 2008 UTC
40335fca60acd05f1428b13a9a3c1228Ch 2.04Mon Jun  9 17:23:56 2008 UTC
72663ee9d3efaff959bff4ce25bd37a6Ch 2.04Mon Jun  9 17:23:56 2008 UTC
5ef72904221aa4090a262a24714054f0Ch 2.04Mon Jun  9 17:23:56 2008 UTC
331eca9c7d9fd9cbe7cd192af09880a3Ch 2.05Thu Nov  6 13:21:45 2008 UTC
db1156b072d58acdac1aeab9af2160a2Ch 2.05Thu Nov  6 13:21:45 2008 UTC
74dbea70bfb15db31bb9f757ed4bb1a0Ch 2.07Mon Dec 29 11:37:17 2008 UTC
eb928bca5675722c7e9e2b09eec1158aCh 2.07Mon Dec 29 11:37:17 2008 UTC
162f415abad9708aa61db8e03bcf2f3cCh 2.11Mon Sep 14 13:22:57 2009 UTC
448524fd62dec1151c75b55b86587784Ch 2.11Mon Sep 14 15:28:07 2009 UTC
29bb70a40689e9e665d15716519bacfdCh 2.12Tue Sep 29 10:28:40 2009 UTC
38d6719d6a266c6cefb8626c57378927Ch 2.13Mon Dec  7 14:25:12 2009 UTC
02eda1effde92bdf8462abcf40c4f776Ch 2.13Mon Dec  7 14:27:53 2009 UTC
5121ce1f96d74076df1c39748e019f42Ch 2.14.1Wed Feb 17 15:14:20 2010 UTC
28dc1ca683d6a14d0d1794a68c477604Ch 3.00Tue Jan 31 16:12:25 2012 UTC
40bd7846553550f38e458b8493824cb4Ch 3.00Tue Feb 14 10:28:06 2012 UTC
ba0c777317461ed57a85ffae277044dcCh 3.02Wed Apr  4 16:23:44 2012 UTC
b86137fa5a232c614ec5405be4d13b37Ch 3.10Tue Dec 18 08:22:43 2012 UTC
7872c1d88fe21d8a85f160a6666c76e8Ch 3.20Fri Jun 28 12:16:40 2013 UTC
83a48760e92bf30961b4a943d3095b0aCh 3.20Fri Jun 28 12:16:58 2013 UTC
3d65c18d09f47547f85c631ebeeda482Ch 3.20Mon Jun 24 10:51:01 2013 UTC
ec7e3cfaeaac0401316d66e964be684eCh 3.25Thu Feb  6 12:37:44 2014 UTC
b407b6e5b4046da226d6e189a67f62caCh 3.26Thu Jan  3 18:03:46 2013 UTC

Thanks to the versioning, we can deduce that the compilation dates we saw and currently see actually seem to be legit – except for the last known version, in which the author modified the compilation date in order to make the analysis more complex. We can see that this malware was really active in 2007 and 2008. New versions declined in frequency in 2009 and only one new sample was identified in 2010. We did not encounter any new sample from 2011, but the malware appeared back in 2012, with a new major version.

The RAT’s evolution described in ten steps

To describe the evolution of the development, we decided to compare ten major versions:

  • Version Ch 1.0 (2007-06) to Ch 1.5 (2008-03)
  • Version Ch 1.5 (2008-03) to Ch 2.03 (2008-05)
  • Version Ch 2.03 (2008-05) to Ch 2.11 (2009-09)
  • Version Ch 2.11 (2009-09) to Ch 2.14.1 (2010-02)
  • Version Ch 2.14.1 (2010-02) to Ch 3.00 (2012-01)
  • Version Ch 3.00 (2012-01) to Ch 3.10 (2012-12)
  • Version Ch 3.10 (2012-12) to Ch 3.20 (2013-06)
  • Version Ch 3.20 (2013-06) to Ch 3.25 (2014-02)
  • Version Ch 3.25 (2014-02) to Ch 3.26 (2013-01; date has been modified)

The following chapter will present the main differences between the versions mentioned above. Here is the resemblance ratio for each version, comparing direct neighbor versions only, created using BinDiff:

The biggest code update has occurred between version 2.14.1 and version 3.00. The gap matches the absence of samples during two years and this fundamental modification is what we call the death of Agent.BTZ and the birth of ComRAT.

Differences between version Ch 1.0 (2007-06) to Ch 1.5 (2008-03)

The analyzed samples are:

  • Ch 1.0: b41fbdd02e4d54b4bc28eda99a8c1502 
  • Ch 1.5: bbf569176ec7ec611d8a000b50cdb754 
  • Code similarity: 90%

We did not identify strong modification between the two samples. However, we can notice the following:

  • The configuration file (XML) in version 1.5 is stored in Unicode and not in ASCII anymore;
  • The two versions implement a mechanism to infect new media connected to the infected system. The implementation is not exactly the same nor is the log of media infection;
  • Version 1.5 creates a new event: “wowmgr_is_load”. This event has then been used for years.

Differences between version Ch 1.5 (2008-03) and Ch 2.03 (2008-05)

The analyzed samples are:

  • Ch 1.5: bbf569176ec7ec611d8a000b50cdb754 
  • Ch 2.03: 78d3f074b70788897ae7e20e5137bf47 
  • Code similarity: 83%

In version 2.03 of Agent.BTZ, the authors changed the following:

  • They added obfuscation in order to hide sensitive strings;
  • The communication protocol was modified in order to include the flag “<CHCMD>”
  • we assume that “CH” has the same meaning than “Ch” before the version number and “CMD” is the abbreviation for command;
  • From now on, the malware supports “runas” in order to execute commands as administrator. This command was implemented by Microsoft in Windows Vista in 2007. We assume that the author implemented this feature because several targets switched to this version of Windows in 2008.

According to an article, version 1.5 was used against the US Pentagon. We assume that the string obfuscation was performed in order to bypass security measures being capable of detecting an intrusion.

Differences between version Ch 2.03 (2008-05) and Ch 2.11 (2009-09)

The analyzed samples are:

  • Ch 2.03: 78d3f074b70788897ae7e20e5137bf47 
  • Ch 2.11: 162f415abad9708aa61db8e03bcf2f3c 
  • Code similarity: 96%

The codes of these two versions are extremely similar to each other, we can only notice small changes:

  • The author changed the name of several registry keys (probably to avoid detection by well-known IOC);
  • The name of two exported functions were modified, too: InstallM() becomes AddAtomT() and InstallS() becomes AddAtomS(),probably for the same reason than above.

Differences between version Ch 2.11 (2009-09) and Ch 2.14.1 (2010-02)

The analyzed samples are:

  • Ch 2.11: 162f415abad9708aa61db8e03bcf2f3c 
  • Ch 2.14.1: 5121ce1f96d74076df1c39748e019f42 
  • Code similarity: 98%

These codes are really similar to each other, too. We can notice only two changes:

  • The author patched several bugs;
  • Four new exports appear: DllCanUnLoadNow(), DllGetClassObject(), DllRegisterServer(), DllUnregisterServer().

The four exported libraries show that the malware has started to support the OLE Component Object Model (COM). This version is the first version able to be registered as a COM object. Three of the four functions are empty. The fourth one executes the malware.

Differences between version 2.14.1 (2010-02) and Ch 3.00 (2012-01)

The analyzed samples are:

  • Ch 2.14.1: 5121ce1f96d74076df1c39748e019f42 
  • Ch 3.00: 28dc1ca683d6a14d0d1794a68c477604 
  • Code similarity: 60%

These codes really differ from each other, even if some parts of version 2.14.1 were retained. Moreover, the developers changed the compiler; they switched from Visual Studio 6.0 to Visual Studio 9.0/10.0 , which is a strong indicator for the huge differences.
Version 3.00 is what the G DATA SecurityLabs experts call ComRAT. We can say that version 2.14.1 is the last version of Agent.BTZ. Here are the main differences between Agent.BTZ and ComRAT:

  • The new malware collects more information about the infected system (such as drive information, volume information…).
  • The media stick infection mechanism has definitely been removed. We assume this happened due to the fact that Microsoft has disabled AutoRun for external media. For the attackers, this infection vector is not interesting anymore.
  • The malware is injected into every process of the infected machine and the main payload is executed in “explorer.exe” as we explained in our article;
  • The communication channel to the command and control is not the same anymore. In this new version, the malware uses POST requests with the following pattern:

     

  • As the malware is injected into every process of the infected system, it creates named pipe in order to handle inter-processes communication.

On several 3.00 samples, the author forgot to remove the compilation path, here are some examples:

  • c:\projects\ChinckSkx64\Debug\Chinch.pdb
  • c:\projects\ChinckSkx64\Release\libadcodec.pdb
  • C:\projects\ChinckSkx64\x64\Release\libadcodec.pdb
  • E:\old_comp\_Chinch\Chinch\trunk\Debug\Chinch.pdb
  • c:\projects\ChinchSk\Release\libadcodec.pdb

Thanks to these compilation paths, we assume that the original name of the RAT is “Chinch”, which leads us to the assumption that the “CH” characters in the version name and in the flag “<CHCMD>” stands for “Chinch”. In English, chinch is the word for a small North American bug, Blissus leucopterus. This word is derived from the Spanish word chinche, meaning pest.

Differences between version 3.00 (2012-01) and Ch 3.10 (2012-12)

The analyzed samples are:

  • Ch 3.00: 28dc1ca683d6a14d0d1794a68c477604 
  • Ch 3.10: b86137fa5a232c614ec5405be4d13b37 
  • Code similarity: 90%

The codes are similar to each other, but the authors added several features:

  • The malware generates more logs;
  • The malware has a Mutex handle;
  • The 3.10 version supports multiple command and control servers.

The last new feature is really interesting: if the compromised targets block a specific command and control server, the malware will continue to work, thanks to two alternative command and control servers.

Differences between version 3.10 (2012-12) and Ch 3.20 (2013-06)

The analyzed samples are:

  • Ch 3.10: b86137fa5a232c614ec5405be4d13b37 
  • Ch 3.20: 7872c1d88fe21d8a85f160a6666c76e8 
  • Code similarity: 93%

The major new feature in the version is the new exports function called InstallW(). This exported function is used by the dropper to add persistence in the registry and to drop a second file (as explained in our previous article). Version 3.20 uses the following CLSID in order to hijack COM object: B196B286-BAB4-101A-B69C-00AA00341D07.
This object is the IConnectionPoint interface. The CLSID was only used in this version. We assume that the performed COM object hijacking generates some trouble on the infected system, that’s why the author changed related things in the next version. Furthermore, the CLSID was stored in plain text within the sample.

Differences between version Ch 3.20 (2013-06) and Ch 3.25 (2014-02)

The analyzed samples are:

  • Ch 3.20: 7872c1d88fe21d8a85f160a6666c76e8 
  • Ch 3.25: ec7e3cfaeaac0401316d66e964be684e 
  • Code similarity: 91%

In the 3.25 version, the author switched to the CLSID: 42aedc87-2188-41fd-b9a3-0c966feabec1 as described in our article. Furthermore, the strings in the sample are obfuscated. The main new feature is the obfuscation – almost all strings are obfuscated and the XML pattern is not written in plain text anymore.

Differences between version Ch 3.25 (2014-02) and Ch 3.26 (2013-01; date has been modified)

The analyzed samples are:

  • Ch 3.25: ec7e3cfaeaac0401316d66e964be684e 
  • Ch 3.26: b407b6e5b4046da226d6e189a67f62ca 
  • Code similarity: 95%

The version 3.26 is the latest known version. In this version:

  • The authors removed the familiar XOR key used by Agent.BTZ and Uroburos. We assume that due to the G DATA publication in February 2014, the author decided to remove as many links as possible between Uroburos and Agent.BTZ/ComRAT/Chinch;
  • The authors do not generate logs anymore;
  • The compilation date has been modified, in order to make the analysis and timeline creation more complex.

Conclusion

This analysis shows us seven years of the evolution of a Remote Administration Tool, used by a group which targeted extremely sensitive entities, such as the US Pentagon  in 2008 or the Belgium Ministry of Foreign Affairs  in 2014 as well as the Finnish Ministry of Foreign Affairs.

Except for version 3.00, the modifications made are rather marginal. We can see that the authors adapted features to the Windows versions, patched bugs, added obfuscation etc… The biggest update was performed to version 3.00, after two years of silence. Visibly, this RAT was used alongside the Uroburos rootkit. Nevertheless, it is not entirely clear how and when the attackers choose to use the RAT or the rootkit or whether both are used in parallel.

Taking everything into consideration, G DATA SecurityLabs experts are sure that the group behind Uroburos/Agent.BTZ/ComRAT/Linux tool/… will remain an active player in the malware and APT field. The newest revelations made and connections drawn let us believe that there is even more to come.