Thursday, November 30, 2023

Unveiling Parallax RAT: A Journey from Infection to Lateral Movement

The Parallax Remote Access Trojan (RAT) is a sophisticated piece of malware that first appeared on hacking forums in 2019. It was initially developed using MASM (Microsoft Macro Assembler) and offers a range of capabilities, including keylogging, password theft, screenshot capture, file upload and execution, exfiltration of files through its File Manager, and remote control. The latest known version of Parallax RAT is 1.0.7.

In a recent incident tracked by eSentire's Threat Response Unit (TRU), Parallax RAT was involved in an attack sequence that began with a drive-by download. The user, while searching for a Fortinet VPN client on Bing, clicked on an advertisement leading to an imposter page, resulting in the download of Parallax RAT (MD5: 9a82d1499ef3649d2603780fe30db0b5). This RAT was then used to deploy PsExec, a lightweight telnet-replacement tool that enables threat actors to execute processes on other systems. This allowed for lateral movement to the Domain Controller within a two-hour window following the RAT's execution. Additionally, the threat actors attempted to run NetSupport RAT via PsExec.

One of the early signs of the attack was a suspicious VBS script named “gatheringNetworkInfo.vbs” running NetSupport RAT from the %windir%\system32 path on the Domain Controller. NetSupport RAT is known for allowing unauthorized remote access and control over a victim's computer or network, providing attackers with a wide range of capabilities, including remote control, data theft, and surveillance.

Despite the Parallax RAT project being shut down in 2020 by its developers for personal reasons, the malware has been cracked and is now freely available in the wild. It employs RC4 encryption to obscure the names of loaded DLL libraries and its configuration, along with unconditional jump instructions as an anti-disassembly technique. These features make it a potent tool for cybercriminals and a significant security threat.
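
The post states only that Parallax uses RC4 over its DLL names and configuration; the following is an added example, not code from eSentire or from the malware, of the small string decryptor an analyst writes once the key and the obfuscated bytes have been extracted from a sample. The key, the strings, and the length-prefixed table layout are all constructed for illustration and are not claimed to match the real sample.

```python
"""Added example: RC4 string-table recovery (not Parallax's own code or layout)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed over data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack_string_table(strings, key):
    """Build a blob in the ASSUMED layout used here: u8 length + RC4 ciphertext per entry.
    This only constructs test input; the page does not describe the real sample's layout."""
    blob = bytearray()
    for text in strings:
        ct = rc4(key, text.encode())
        blob.append(len(ct))
        blob += ct
    return bytes(blob)


def unpack_string_table(blob, key):
    """Walk the blob, RC4-decrypt each length-prefixed entry, and return the strings.
    A truncated final entry is reported rather than silently decoded."""
    out, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated entry at offset {pos - 1}")
        out.append(rc4(key, chunk).decode("ascii", errors="replace"))
        pos += n
    return out


# Constructed values: a placeholder key and strings of the kind the page says are obscured
# (loaded DLL names plus a configuration entry). None of these come from the real sample.
EXAMPLE_KEY = b"placeholder-key-not-from-sample"
EXAMPLE_STRINGS = ["kernel32.dll", "user32.dll", "ws2_32.dll", "example.invalid"]
EXAMPLE_BLOB = pack_string_table(EXAMPLE_STRINGS, EXAMPLE_KEY)

if __name__ == "__main__":
    for recovered in unpack_string_table(EXAMPLE_BLOB, EXAMPLE_KEY):
        print(recovered)
```

Because RC4 is symmetric, the same `rc4` routine both builds the constructed blob and recovers it; the known-answer check for the key `Key` and plaintext `Plaintext` confirms the implementation before it is trusted on real extracted bytes.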

IoC

HOSTNAME

  • websyncapi.eu
  • websyncapi.click
  • startus2.com
  • startus1.com
  • fortionlinevpn.com
  • apipkg.click

IPv4

  • 104.194.222.123

MD5

  • 9a82d1499ef3649d2603780fe30db0b5
  • 06a27959b25a8ea9196ffb72200e94aa
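
As an added example that is not part of the eSentire write-up or its tooling, the script below turns the indicators listed above and the two behaviours described in the post (a script host running a `.vbs` from `%windir%\system32`, and PsExec service activity) into checks run over constructed, Sysmon-shaped events. The event field names (`type`, `host`, `image`, `parent`, `cmdline`, `md5`, `query`, `dst_ip`) and the sample events are assumptions for illustration; the hostnames, IP and hashes are the page's own IoCs, and `PSEXESVC.exe` is PsExec's well-known service binary.

```python
"""Added example: IoC matching plus behavioural checks over constructed telemetry."""
import re

# Indicators copied from the page's IoC list.
IOC_HOSTNAMES = {
    "websyncapi.eu", "websyncapi.click", "startus2.com",
    "startus1.com", "fortionlinevpn.com", "apipkg.click",
}
IOC_IPV4 = {"104.194.222.123"}
IOC_MD5 = {
    "9a82d1499ef3649d2603780fe30db0b5",
    "06a27959b25a8ea9196ffb72200e94aa",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs path argument, with a drive letter or an unexpanded %windir%/%SystemRoot%.
VBS_ARG = re.compile(r'((?:[a-z]:|%windir%|%systemroot%)\\[^"\s]+\.vbs)', re.I)
# After normalisation: a .vbs sitting directly under C:\Windows\System32.
SYSTEM32_VBS = re.compile(r"^c:\\windows\\system32\\[^\\]+\.vbs$")


def _normalize(path: str) -> str:
    p = path.lower().replace("/", "\\")
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def _basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1]


def match_iocs(events):
    """Return (host, indicator_type, value) for every event touching a listed IoC."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns" and ev["query"].lower().rstrip(".") in IOC_HOSTNAMES:
            hits.append((ev["host"], "ioc_hostname", ev["query"]))
        elif kind == "network" and ev["dst_ip"] in IOC_IPV4:
            hits.append((ev["host"], "ioc_ipv4", ev["dst_ip"]))
        elif kind == "process" and ev.get("md5", "").lower() in IOC_MD5:
            hits.append((ev["host"], "ioc_md5", ev["md5"]))
    return hits


def detect_behaviors(events):
    """Flag the behaviours the write-up describes, independent of hashes or domains."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        image = _basename(ev["image"])
        parent = _basename(ev.get("parent", ""))
        # 1. wscript/cscript running a .vbs that lives directly in %windir%\System32.
        if image in SCRIPT_HOSTS:
            m = VBS_ARG.search(ev.get("cmdline", ""))
            if m and SYSTEM32_VBS.match(_normalize(m.group(1))):
                alerts.append((ev["host"], "vbs_from_system32", m.group(1)))
        # 2. PsExec's service binary running, or spawning a child process.
        if image == "psexesvc.exe" or parent == "psexesvc.exe":
            alerts.append((ev["host"], "psexec_service_activity", ev["image"]))
    return alerts


def triage(events):
    return {"ioc_hits": match_iocs(events), "behavior_alerts": detect_behaviors(events)}


# Constructed sample telemetry (not real logs); file and host names are placeholders.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS01", "query": "fortionlinevpn.com"},
    {"type": "process", "host": "WS01", "image": "C:\\Users\\user\\Downloads\\vpn_setup.exe",
     "parent": "C:\\Program Files\\Browser\\browser.exe", "cmdline": "vpn_setup.exe",
     "md5": "9a82d1499ef3649d2603780fe30db0b5"},
    {"type": "network", "host": "WS01", "dst_ip": "104.194.222.123", "dst_port": 443},
    {"type": "process", "host": "DC01", "image": "C:\\Windows\\PSEXESVC.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"type": "process", "host": "DC01", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": 'wscript.exe "%windir%\\System32\\gatheringNetworkInfo.vbs"'},
    # Benign control: a logon script outside System32 must not fire.
    {"type": "process", "host": "WS02", "image": "C:\\Windows\\System32\\cscript.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": 'cscript.exe "C:\\Users\\user\\logon.vbs"'},
]

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_EVENTS).items():
        print(section)
        for row in rows:
            print("  ", row)
```

The behavioural checks are the durable part: the hashes and domains above will rotate, while a script host launching a `.vbs` from `System32` on a domain controller, or `PSEXESVC.exe` spawning children there, remains worth an alert regardless of which RAT is behind it.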

REFERENCES

  • https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement
  • https://otx.alienvault.com/pulse/6564bdc3ca670f9b0d224d84

TAGS

Parallax RAT, NetSupport RAT
