The clandestine Horus Eyes RAT: From the underground to criminals’ arsenal.

Nowadays, the volume of banking trojans have increased both in number and sophistication with criminals bringing more and more potent cyberweapons from the underground as a way of equipping their malicious arsenal. This kind of phenomenon is precisely connected to the criminals’ mindset: cause less noise, keep threats in the wild for as long as possible, and thereby impacting users on a large scale.

 

Overview

In this article, we are writing about a newly discovered trojan banker called “warsaw” by its developers from Latin America. Developed in .NET and using the recent and undercover HorusEyes RAT to fully compromise victims’ machines, this is the first time a threat is using this RAT during its operation.

The warsaw trojan banker built-in .NET uses the first stage to lure the victim to install the 2nd stage on their machine. Then, the second binary – a customized version of the Horus Eyes RAT – creates persistence, collects some details about the infected machines such as computer name, username, OS version, CPU/architecture, and Language, and uses a mechanism of capturing details from opened foreground windows matching its name with a specific hardcoded string. Finally, all the data is sent to the criminals’ side through a Telegram bot/channel.

Since this malware is a custom development of Horus Eyes RAT, it inherits the entire RAT engine. In detail, criminals use a ngrok TCP tunnel hosted on AWS EC2 instance to establish communication with victims’ machines.

Horus Eyes RAT is the name of the recent upgrade of an old RAT called SpyBoxRat, which comes from underground forums. It was released in the wild on GitHub by its developer in 2021. The criminals behind the warsaw trojan banker are taking advantage of this RAT to allegedly control the victims’ computers after the initial infection.

Figure 1: High-level diagram of the usage of Horus Eyes RAT in the warsaw banking trojan and its modus operandi.

 

Key findings

    • Warsaw trojan banker tries to trick victims into proceeding with the infection chain using an overlay window from a popular bank.
    • The loader (2nd stage) – a customized version of the Horus Eyes RAT –  is downloaded and it creates persistence via the Windows registry and scans the machine for sensitive files, juicy data, running processes, Windows Certificate Store, and so on.
    • Foreground windows are captured and matched with substring “santander”.
    • Details are sent to a Telegram channel under criminals’ control.
    • Horus Eyes RAT is installed in the background during the banking trojan execution, and it connects back to the criminals’ side via a ngrok TCP URL also hardcoded inside the trojan binary.

 

Threat analysis in-depth

In this section, we are going through the details of this threat, analyzing step-by-step this banking trojan, how it operates, what kind of data is exfiltrated, and later learn about the Horus Eyes RAT – the cyber weapon used by warsaw developers to fully compromise the victims’ machines.

 

Warsaw trojan banker – the 1st stage


Filename: SantanderModulo.exe / warsaw-19-07-2021.exe
MD5: C396FCD76492FD9CC11E622B6C432412
Creation date: 16-02-2021


The first alert on this banking trojan was triggered by the 0xSI_f33d engine agents that reported a new and suspicious domain. After interacting with the domain, a new PE file is downloaded in a form of an EXE. During this investigation, we cannot understand how this threat was operated, or even if it was spread by malware operators.

Figure 2: Download of the trojan banker 1st stage from the Internet.

 

By looking at the whois registry, we can learn the domain was created two days before the 0xSI_f33d detection. At the first glance, criminals were preparing a new malware wave and using that domain to downloaded additional malware stages.

modoseguranca.]com
Creation Date: 2021-07-29T18:03:43Z
Updated Date: 2021-07-29T18:03:47Z | 2021-07-29T20:03:50Z
45.132.242.]60

 

The URL is hardcoded inside the binary with the full path to the 2nd stage (loader.exe / stub.exe). Also, the full path of the PDB file; an interesting artifact for tracking and learning about criminals’ movements, telemetry, their activities, and how the threat is disseminated; was found. Notice that, at the moment we analyzed the sample, only 2 AV engines classified this 1st stage as malicious (details based on the VirusTotal).

Figure 3: VirusTotal detection, hardcoded URL (2nd stage), and path of the PDB file.

 

Going into the details

As present in Figure 4, we can observe the internal name of this trojan “warsaw”, and some details such as the Assembly version, Target framework, and the initial entry point.

Figure 4: Details about the 1st stage of warsaw banking trojan.

 

By analyzing the trojan source code, we can notice the interesting routine is inside button1. In short, the 2nd stage is downloaded into the “AppData/Local/Temp” folder, executed in runtime, and a message is presented as a way of informing the victim that the process was successfully completed.

Figure 5: Download of the 2nd stage of the warsaw banking trojan into the AppData/Local/Temp folder.

 

Then, the malware obtains the “Environment.SpecialFolder.LocalApplicationData” folder from the victim’s machine and downloads the warsaw 2nd stage into it and executes it.

 

Figure 6: 2nd stage download into the AppData/Local/Temp folder and executed.

 

The GUI behind the process previously described is simple and presented by the following .NET bait window.

Figure 7: GUI of the 1st stage of warsaw banking trojan in order to lure the victims to execute the malware.

 

Warsan trojan banker – the 2nd stage && RAT 


Filename: Stub.exe / loader.exe
MD5: 8DF8BD1A1062E051AD3092BF58E69400
CPU: x64


The 2nd stage of the warsaw banking trojan is an upgrade of the Horus Eyes RAT source code. Since the RAT source code is now available on GitHub, criminals can get it and introduce new functionalities and TTPs in order to improve their malicious arsenal.

The new features implemented in this customized version are:

    • A registry key on CurrentVersion/Run entry in order to auto-exec the trojan at the OS startup.
    • Implementation of a notification mechanism via Telegram to inform criminals when the victims’ are accessing or navigating on a target bank portal.
    • After that, criminals use the full capabilities of the RAT to gain full control over the victims’ machines.

 

By analyzing the binary, we understand that some resources were embedded and probably they could be implanted in runtime during the trojan execution (Horus Eyes RAT binaries hardcoded in the left-side below). On the right side, all the available routines that come from the original RAT with other ones developed by criminals.

Figure 8: Big picture of the warsaw trojan based on the Horus Eyes RAT.

 

In order to confirm the origin of the warsaw trojan, we found the moment the resource files were loaded into the memory via Assembly Reflection. The name of the injected file is options.dll”, part of modus operandi and dependencies of the Horus Eyes RAT.

https://github.com/arsium/HorusEyesRat_Public/blob/master/Options/obj/Release/Options.dll

Figure 9: Hardcoded resource dumped from memory (Options.dll) during the trojan runtime.

 

By comparing the extracted file named “r1.bin“, and the original file “Options.dll” downloaded from the GitHub page, we can prove that we are facing an upgrade of the Horus Eyes RAT; only the PDB path seems different between the files analyzed below.  More, 131 well-formatted strings were detected in both files.

Figure 10: Comparison between the extracted DLL and the original RAT DLL.

 

Matching warsaw with the Horus Eyes RAT available on GitHub

As a way of matching the differences between the original RAT available on GitHub and this newly improved version, we downloaded the original version and compared both.

Figure 11: Horus Eyes RAT – released on 26th Feb. 2021.

 

As a start point, we compiled the RAT client and compared it with the warsaw version customized by the criminals. The next images present the similarities between the two versions, including the same sections, internal name, file version, and binary strings.

Figure 12:  Similarities between warsaw and the original RAT version.

 

During this analysis, it was possible to understand the resources are the same, and just specific routines were added to basically introduce the Telegram feature and the creation of the registry key to maintain the trojan persistence.

In short, the main changes introduced by criminals are:

    • Telegram notification mechanism implemented on the “Check()” and “Main()” routines; and
    • Creation of the “doSubmitHTTPRequest()” routine to perform the HTTP GET request to the Telegram API with the victims’ data.

 

Figure 13: Big picture of the loader.exe (warsaw) and the original RAT client (Stub.exe).

 

As described, the “Main()” routine introduces a block of code responsible for mantain communication with the Telegram API to inform criminals about a new infection. The improvement can be observed below (left-side).

Figure 14: Telegram feature added in order to inform criminals about new infections.

 

The block of the code of the routine “doSubmitHTTPRequest()” is responsible for sending the details to the Telegram bot/channel also presented below.

Figure 15: Block of code responsible for sending the victim’s details to the Telegram bot/channel under the criminals’ operation.

 

In detail, we can see that at the moment the “Check()” function is executed, an entry is added to the Windows registry in order to create the trojan persistence and the victim activity is then monitored in a loop. When the match with a hardcoded substring happens, some information is collected and sent to the Telegram bot/channel. This activity allows to generate an alert on the criminals’ operation, and after that, they can use the full capabilities of the Horus Eyes RAT now installed on the victims’ machines to fully compromise their banking accounts.

Figure 16: The trojan adds a key on the Windows registry, monitoring the victim’s activity and send data via Telegram API to criminals.

 

The trojan collects some information about the machine, including:

    • Computer name
    • Windows Version
    • Current region + Language
    • Name of the target bank portal
    • Get user privileges (normal user or administrator)
    • Check the system architecture (x86 or x64).

 

Figure 17: Information collected during the trojan execution.

 

The collected information is compiled in a string array and then sent to the Telegram channel through the doSubmitHTTPRequest() routine as observed below.

Figure 18: Information sent to the Telegram channel in runtime.

 

Taking advantage of the Telegram API, we got some interesting details in order to potentially track the criminals behind this malicious schema. As noted, 349 messages were sent to the Telegram channel before, potentially representing 349 infections.

Another interesting detail is the username of the Telegram bot “Banking171Bot”. Banking171 was the name used by criminals to create the telegram bot.

Figure 19: Details about the Telegram bot and channel used by criminals.

 

Curiously in a past campaign detected in December 2020 and called ANUBIS network, we identified a big banking schema from Brazil using the number “171” as suffix (Anubis171). We don’t know if this could potentially be an indicator related to the same group, but the two criminals groups are from the same geolocation: Brazil.

The name of the Telegram group is “KL – LOGS“, and it is a way of notifying criminals about new infections as presented below. After that, they can fully compromise the victims taking advantage of the capabilities of the Horus Eyes RAT.

Figure 20: Victims’ details sent to the Telegram group.

 

Remote access using RAT capabilities

After receiving a notification about a new infection, criminals use the Horus Eyes RAT capabilities to access remotely and get full control over the victims’ machines. As observed in Figure 21, the IP address and port of the Horus Eyes RAT are hardcoded on the binary file and hosted on an AWS EC2 instance geolocated in Brazil.

Figure 21: Identification of the IP address and port of the RAT server hosted on an AWS EC2 instance.

 

In order to confirm if the server was online at the moment of the analysis, we communicate with it and receive a very interesting response 😉

Figure 22: Checking connectivity with the RAT server.

 

These were definitely good news 😀 With some tricks in place and …

 

As mentioned earlier, the RAT server is used to get control over the victims’ machines, installing additional payloads, get passwords from popular web-browsers, accessing the file system, getting a remote desktop screen shoot, and so on. To do this, criminals only cross-reference the data received by Telegram with the details present in the RAT server dashboard (the new infected clients).

Figure 23: Dashboard of the Horus Eyes RAT server and remote control over the victim’s machine.

 

Web server – telemetry details 

According to the VirusTotal service, a lot of domains have been hosted on the same server during 2021, and many of them were also flagged as malicious. This is a clear sign this AWS EC2 instance have been used by criminals to distribute malware schemas in the wild around the globe.

Figure 24: Details about the DNS passive replication, communication files, and SSL certificates provided by VirusTotal.

 

In addition, other threats were also disseminated and operated by this gangue such as VanillaRAT. Thanks to @JAMESWT_MHT who provided these samples from the Malware bazaar.

Vanilla sample Other sample

h/t: @JAMESWT_MHT 

 

 

The storyline behind Horus Eyes RAT

Arsium is the author of the Horus Eyes RAT and others offensive software that he has been developed and shared on the underground Internet forums. This piece of software was released on GitHub in early 2021 by its author, and now criminals are taking advantage of its features and FUD (Fully Undetectable) capability to bypass security mechanisms such as EDR’s and antivirus and also circumvent network-based solutions.

Figure 25: Source code of Horus Eyes RAT available on GitHub.

 

However, Horus Eyes RAT is not the first software Arsium has developed. This RAT is the successor to the old SPYBOXRAT – which Arsium released in the year 2020 in underground forums.

Figure 26: SPYBOXRAT released in 2020 – the Horus Eyes RAT predecessor.

 

By making this offensive software open-souce, Arsium gained enormous and valuable input from the underground community, which allowed it to continue to develop and implement new features thus making it a potent silent weapon.

Sometime around December 2020, Arsium seems to have decided to create a new release called Horus Eyes RAT. This new software has been equipped with the basic engine of its predecessor and now with all the new features that have been implemented as a result of community feedback.

Figure 27: SpyBoxRat announced as an outdated version – the turning point.

 

At the end of December 2020, we found the first official publication from Arsium, where the first Horus Eyes RAT update was announced. At the time, the software was not open source and the community had to pay some credits to get it.

Figure 28: First update of the Horus Eyes RAT aka HE-RAT by its developer.

 

As stated by Arsium, “for those who have forked starred the project , I’ve destroyed previous github and made a new repository (I got some problems with the old” – and this is the clear sign this tool has had a huge contribution from the underground community during its development. Figure 29 below presents one of the contributions/new ideas we found.

Figure 29: New ideas and improvements from the underground community to the development of the Horus Eyes RAT.

 

From that point forward, Horus Eyes RAT was carefully tracked by criminal groups, due to the set of capabilities the software provided, and the ability to bypass security mechanisms making it very stealthy and FUD.

Later, on 26th February 2021, the RAT was open-source and then released on GitHub. The publication date on GitHub coincides with the third update of the offensive tool that its author announced on the same day on the underground forums.

Figure 30: Third updated of Horus Eyes RAT and its release on GitHub.

 

We believe this was the moment criminals start looking at this RAT as a potential candidate for upgrading their cyber arsenal. The RAT came up with an amazing set of features that would fit neatly into the malicious goals of most cyber gangs. Some of the features announced by the RAT creator are:

    • Supports DNS (No-IP for example)
    • Multi-Threaded
    • Asynchronous
    • Packets Serialization
    • Multi Ports Listener
    • Automation Tasks when client is connected
    • Save Settings for automation tasks
    • Blur ScreenLocker
    • Monitor Rotation (0 , 90 , 180 , 270 degrees)
    • Hide & Show Taskbar
    • Hide & Show Desktop Icons
    • Hide & Show Cursor
    • Swap & Normal State Mouse Buttons
    • Lock & Unlock Keyboard
    • Empty Bin
    • Native Injection : You can inject an unmanaged DLL (C++ , C , D…)
    • 32 & 64 bit stubs
    • Mass Tasks: Passwords Recovery , History Recovery , Wifi Passwords Recovery
    • Tasks Manager : Kill , Resume , Pause
    • Passwords Recovery (+35 web browsers based on chromium)
    • History Recovery (+35 web browsers based on chromium)
    • Wifi Passwords Recovery
    • Power : Log out , Reboot , Shutdown , Hibernate , Suspend
    • BSOD
    • Increase Volume
    • Decrease Volume
    • Mute | Unmute Volume
    • Save all passwords | history recovered
    • Export History | Passwords as .csv file
    • Installation : Set a task in TaskScheduler | Hidden from startup + copy file in local user path hidden
    • Ability to change your client priority
    • Ability to ask for privileges
    • Check UAC at different levels (if enable or not)
    • File Manager : Create Directory, Open File, Delete File, Move File To Bin, Download File

 

Although Arsium, the creator of this offensive software, made it clear on Youtube that the purpose of this type of software is only for educational purposes, the RAT now appears associated with a new banking trojan.

Figure 31: Security disclaimer on Youtube by the Horus Eyes RAT author.

 

 

Final Thoughts

Nowadays, we are facing a growing of Brazilian trojans at a very high speed. Each one of them with its peculiarities, TTPs, etc. The technique of embedding other binaries in the initial stage is not new, however, the use of this new RAT called Horus Eyes RAT was the main object of analysis of this article.

With this kind of mindset and bringing content and tools from underground forums, criminal gangues achieve one of their main goals: to avoid detection and impact a large number of users.

Although the author of the RAT had just educational intentions, the source code of the RAT left now into the criminals’ tentacles. It was the first time it was found, at least, being disseminated along with a malicious threat like this new trojan impacting only users of a singular international bank.

Therefore, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new variants based on this new RAT can appear.

 

Thank you to all who have contributed:

@JAMESWT_MHT 

 

Mitre Att&ck Matrix

 

Indicators of Compromise (IOCs)

---- Online server with warsaw stages --------
hxxps://modoseguranca.c]om/loader.exe
hxxps://modoseguranca.]com/warsaw-19-07-2021.exe
45.132.242.]60
8DF8BD1A1062E051AD3092BF58E69400
C396FCD76492FD9CC11E622B6C432412

----- AWS EC2 Instance RAT server ------
ec2-54-94-248-37.sa-east-1.compute.amazonaws.]com
54.94.248.]37
1.tcp.sa.ngrok.]io

------ Artifacts --------------
C:\Users\xxx\AppData\Local\Temp\warsaw-19-07-2021.exe
schtasks /create /sc minute /mo 1 /tn "||" /tr "
costura.packetlib.pdb.compressed
costura.packetlib.dll.compressed
costura.options.dll.compressed
======= Nova vitima ========

------ PDB paths ------------
C:\Users\ada\Desktop\HorusEyesRat_Public-master\Options\obj\Debug\Options.pdb
C:\Users\ada\Desktop\definitivo\bb\Client\obj\x64\Debug\Stub.pdb
C:\Users\ada\source\repos\SantanderModulo\SantanderModulo\obj\Debug\SantanderModulo.pdb


 

Online Sandbox URLs

https://cuckoo.cert.ee/analysis/2343055/summary/
https://www.joesandbox.com/analysis/458211/0/html
https://app.any.run/tasks/462fa847-4694-4a59-9d1c-6f43854b10b1
https://analyze.intezer.com/analyses/f5bd885b-5d26-4ed4-914e-93d04729783a
https://analyze.intezer.com/analyses/12140b0a-47d5-4d52-a659-a826b2aedb26

Samples
https://bazaar.abuse.ch/browse/tag/SantanderModulo/

 

Yara Rule

import "pe"
rule warsaw_downloader_august_2021 {
meta:
    description = "Yara rule for warsaw trojan banker (loader) - August version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2021-08-05"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 2E 77 61 72 73 61 77}
    $s_b = {53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 5C 53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 5C 6F 62 6A 5C 44 65 62 75 67 5C 53 61 6E 74 61 6E 64 65 72 4D 6F 64 75 6C 6F 2E 70 64 62}
    condition:
        filesize < 1000KB
        and all of ($s_*)
}


rule warsaw_2nd_stage_horus_eyes_rat_august_2021 {
meta:
    description = "Yara rule for warsaw 2nd stage aka Horus Eyes RAT - August version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2021-08-05"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {63 6F 73 74 75 72 61 2E 64 6C 6C 2E 63 6F 6D 70 72 65 73 73 65 64}
    $s_b = {63 6F 73 74 75 72 61 2E 6F 70 74 69 6F 6E 73 2E 64 6C 6C 2E 63 6F 6D 70 72 65 73 73 65 64}
    $s_c = {53 00 61 00 6E 00 74 00 61 00 6E 00 64 00 65 00 72}
    $s_d = {2D 00 35 00 30 00 37 00 30 00 37 00 35 00 33 00 35 00 33 00}
    condition:
        filesize < 1000KB
        and all of ($s_*)
}

The Yara rules are also available on GitHub.