Introducing a new remote access tool (RAT) I recently discovered:
https://platform.twitter.com/embed/Tweet.html?dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOltdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2ZvbGxvd2VyX2NvdW50X3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9iYWNrZW5kIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19yZWZzcmNfc2Vzc2lvbiI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfZm9zbnJfc29mdF9pbnRlcnZlbnRpb25zX2VuYWJsZWQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X21peGVkX21lZGlhXzE1ODk3Ijp7ImJ1Y2tldCI6InRyZWF0bWVudCIsInZlcnNpb24iOm51bGx9LCJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3Nob3dfYmlyZHdhdGNoX3Bpdm90c19lbmFibGVkIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdXNlX3Byb2ZpbGVfaW1hZ2Vfc2hhcGVfZW5hYmxlZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfbGVnYWN5X3RpbWVsaW5lX3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1266075994517110784&lang=en-gb&origin=https%3A%2F%2Fblog.bushidotoken.net%2F2020%2F05%2Fozh-rat-new-net-malware.html&sessionId=950a8aa61de09bc203815fccbcda8d6240fe657d&theme=light&widgetsVersion=2615f7e52b7e0%3A1702314776716&width=550px
Malpedia link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat
IOCs in my OTX feed for this threat have been attached here.
More info:
Florian Roth’s THOR APT Scanner picked it up early on:
Windows Forms & System Configuration checks:
OZH RAT is a new malware as far as I can tell. I would be very much interested if another security researcher is able to investigate or share samples of OZH RAT for further malware analysis.
Updated – 2nd June 2020:
I recently discovered the OZH RAT #crimware website, which is written in Turkish. The #malware has an exceptionally low detection rating on VirusTotal with only two of 72 antivirus engines detecting it as malicious.
More IOCs for OZH RAT: https://t.co/22kZU7RGhz https://t.co/79RjZ2Tac2 pic.twitter.com/irev8Fl4zI— Will | BushidoToken 👁🗨 (@BushidoToken) June 2, 2020
The key features of the OZH RAT from the website include:
– Live Screen Monitoring
– Command-line access (cmd, PowerShell)
– Lock computer screen
– Shutdown/Reboot
– Message Alert box
– Find geo-location
– Clone system
– Control Panel notification when the infected device is turned on
– FTP communication
YARA:https://carbon.now.sh/embed?bg=rgba(171%2C%20184%2C%20195%2C%201)&t=seti&wt=none&l=auto&ds=true&dsyoff=20px&dsblur=68px&wc=true&wa=true&pv=56px&ph=56px&ln=false&fl=1&fm=Hack&fs=14px&lh=133%25&si=false&es=2x&wm=false&code=%2520%2520%250A%252F*%250A%2509Yara%2520Rule%2520Set%250A%2509Author%253A%2520%2540BushidoToken%250A%2509Date%253A%25202020-06-05%250A%2509Identifier%253A%2520OZH%2520RAT%250A*%252F%250A%250Arule%2520OZH_RAT%2520%250A%257B%250A%250A%2520%2520%2520%2520meta%253A%250A%2520%2520%2520%2520%2520%2520%2520%2520description%2520%253D%2520%2522Detects%2520OZH%2520RAT%2522%250A%2520%2520%2520%2520%2520%2520%2520%2520author%2520%253D%2520%2522%2540BushidoToken%2522%250A%2520%2520%2520%2520%2520%2520%2520%2520reference%2520%253D%2520%2522https%253A%252F%252Fblog.bushidotoken.net%252F2020%252F05%252Fozh-rat-new-net-malware.html%2522%250A%2520%2520%2520%2520%2520%2520%2520%2520date%2520%253D%2520%25222020-06-05%2522%250A%2520%2520%2520%2520%2520%2520%2520%2520hash1%2520%253D%2520%252215f39214b98241e7294b77d26e374e103b85ef1f189fb3ab162bda4b3423dd6c%2522%250A%2520%2520%2520%2520%2520%2520%2520%2520hash2%2520%253D%2520%2522b2ba16bcd7cb9a884f52420b1e025fc2af2610cf4324847366cc9c45e79c61c1%2522%250A%250A%2520%2520%2520%2520strings%253A%250A%2520%2520%2520%2520%2520%2520%2520%2520%2524a%2520%253D%2520%2522OzhSecSys.My%2522%2520nocase%250A%2520%2520%2520%2520%2520%2520%2520%2520%2524b%2520%253D%2520%2522OzhSecSys.My.Resources%2522%2520nocase%250A%2509%2524c%2520%253D%2520%2522OzhSecSys.pdb%2522%2520nocase%250A%2520%2520%2520%2520%2520%2520%2520%2520%250A%2520%2520%2520%2520condition%253A%250A%2520%2520%2520%2520%2520%2520%2520any%2520of%2520them%250A%257D