
LimeRAT Malware Analysis: Extracting the Config

April 27, 2023 | The Hacker News | Malware / cyber threat analysis

Remote Access Trojans (RATs) took third place in ANY.RUN’s Q1 2023 report on the most common types of malware, so it is very likely that your organization will face this threat.

While LimeRAT may not be the most well-known RAT family, its versatility is what sets it apart. Capable of carrying out a wide spectrum of malicious activities, it excels not only in exfiltrating data, but also in creating DDoS botnets and facilitating crypto mining. Its compact footprint allows it to evade endpoint detection systems, making it a stealthy adversary. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranks as the third most popular malware family in terms of downloads in the first quarter of 2023.

Researchers at ANY.RUN recently performed an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we will provide a brief overview of this analysis.

Artifacts collected

SHA1: 14836dd608efb4a0c552a4f370e5aafb340e2a5d
SHA256: 6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334
MD5: d36f15bef276fd447e91af6ee9e38b28
SSDEEP: 3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy

IPv4:
  IOC: 20[.]199.13.167:8080
  Description: LimeRAT command and control server

Domains:
  IOC: https://pastebin[.]com/raw/sxNJt2ek
  Description: Pastebin paste used by LimeRAT to hide its real command and control server

MITRE ATT&CK®

Tactic: TA0005 Defense Evasion
Technique: T1027 Obfuscated Files or Information
Description: the malware uses an obfuscator to strip its method names, class names, etc.

Tactic: TA0005 Defense Evasion
Technique: T1027 Obfuscated Files or Information
Description: the malware uses Base64 to encode and decode data

Tactic: TA0005 Defense Evasion
Technique: T1027 Obfuscated Files or Information
Description: the malware uses AES to encrypt and decrypt data

ANY.RUN is running a limited-time offer to celebrate its 7th Cyberbirthday

ANY.RUN is an interactive cloud malware sandbox that can automatically extract malware configurations for numerous families, saving researchers hours of effort.

The service is celebrating its 7th anniversary and inviting all researchers to try advanced analytics features usually reserved for professional plans, completely free until May 5. This includes setting up the runtime environment with Windows 8, 10, or 11.

If you find that ANY.RUN improves your malware analysis workflow, they also offer one limited promotion available until May 5: get 6 or 12 months of free use when you sign up for an annual or two-year subscription, respectively.


Breakdown of LimeRAT’s decryption algorithm

We share a condensed version of the article here. For the full guide and extended analysis, go to ANY.RUN’s blog if you’re interested in learning more about the workflow they employed.

Because the sample under review was written in .NET, the researchers used dnSpy to examine the code. It was immediately obvious that obfuscation techniques were in use:

Figure: Sample overview in dnSpy; note the use of obfuscation techniques

Closer examination of the code revealed a class that looked like the malware configuration. Within this class, one field contained a Base64-encoded, encrypted string.

Figure: Possible malware configuration class

Continuing to inspect the code, the ANY.RUN researchers looked for the function responsible for deciphering the string. Using the “Read By” filter in dnSpy, they tracked the methods that read the string, which turned up two. The first method was a dead end, but the second looked interesting:

Figure: The second x-ref is more interesting; it seems to pass our string to the WebClient.DownloadString method

This method turned out to be responsible for the decryption. Examining it closely, it was possible to reconstruct the process by which LimeRAT decrypts its settings:

  1. Instances of the RijndaelManaged and MD5CryptoServiceProvider classes are created. According to MSDN, RijndaelManaged is a legacy implementation of the AES encryption algorithm (MITRE T1027), while MD5CryptoServiceProvider calculates MD5 hashes.
  2. A 32-byte array, initialized with zeros, is allocated to hold the AES key.
  3. The key is built by first computing the MD5 hash of another string from the configuration class (in this analysis, the string is “20[.]199.13.167”).
  4. The first 15 bytes of the hash, followed by the first 16 bytes of the hash, are copied into the array prepared earlier (filling bytes 0–14 and 15–30). The final byte of the array remains zero.
  5. The derived key is assigned to the Key property of the RijndaelManaged instance, and its Mode property is set to CipherMode.ECB.
  6. Finally, the primary string is Base64-decoded and decrypted with AES-256-ECB.
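A Python reimplementation of the six-step routine above, added here as an example (this is not code from the original article or from ANY.RUN). Key derivation needs only hashlib; the AES step uses pycryptodome when it is installed. UTF-8 encoding of the key string, PKCS7 padding (the .NET default for RijndaelManaged) and the constructed sample input are assumptions.

```python
import base64
import hashlib

try:
    from Crypto.Cipher import AES  # pycryptodome; only the AES step needs it
    AES_AVAILABLE = True
except ImportError:
    AES_AVAILABLE = False  # derive_key() still works without it

# The page shows this defanged as "20[.]199.13.167"; the real bytes feed the MD5.
KEY_MATERIAL = "20.199.13.167"


def md5_digest(text: str) -> bytes:
    """MD5 of the string's UTF-8 bytes (stands in for MD5CryptoServiceProvider)."""
    return hashlib.md5(text.encode("utf-8")).digest()


def derive_key(text: str) -> bytes:
    """Steps 2-4: 32 zero bytes, then hash[0:15] at offset 0 and hash[0:16]
    at offset 15; the last byte is never written and stays zero."""
    digest = md5_digest(text)
    key = bytearray(32)
    key[0:15] = digest[:15]
    key[15:31] = digest[:16]
    return bytes(key)


def _unpad_pkcs7(data: bytes) -> bytes:
    # A wrong key almost always surfaces here as invalid padding.
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding: wrong key material or corrupt data")
    return data[:-n]


def decrypt_config(b64_text: str, key_material: str = KEY_MATERIAL) -> str:
    """Step 6: Base64-decode, then AES-256-ECB decrypt (PKCS7 assumed)."""
    if not AES_AVAILABLE:
        raise RuntimeError("pycryptodome is needed for the AES step")
    cipher = AES.new(derive_key(key_material), AES.MODE_ECB)
    return _unpad_pkcs7(cipher.decrypt(base64.b64decode(b64_text))).decode("utf-8")


def make_sample(plaintext: str, key_material: str = KEY_MATERIAL) -> str:
    """Constructed input (not the real sample's blob): encrypt the same way so
    decrypt_config() can be exercised offline."""
    if not AES_AVAILABLE:
        raise RuntimeError("pycryptodome is needed for the AES step")
    raw = plaintext.encode("utf-8")
    pad = 16 - len(raw) % 16
    cipher = AES.new(derive_key(key_material), AES.MODE_ECB)
    return base64.b64encode(cipher.encrypt(raw + bytes([pad]) * pad)).decode("ascii")
```

Feeding the Base64 string from the configuration class to decrypt_config() with the second config string as key material reproduces the CyberChef recipe the full article describes; a padding error means the key string or encoding guess was wrong.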

Decrypting the string revealed a link to a Pastebin paste: https://pastebin[.]com/raw/sxNJt2ek. Inside this paste was LimeRAT’s command and control (C2) server:

Figure: LimeRAT’s C2 discovered in the decrypted data

Wrapping up

We hope this brief overview of our LimeRAT configuration decryption process is insightful. For a more thorough examination, head over to the full article on ANY.RUN’s blog to get additional context on the steps and check out the decryption process using CyberChef.

Also, remember that ANY.RUN is currently running limited-time offers, with discounts on subscriptions and an expanded feature set for free plans, including the ability to set up runtime environments with Windows 8, 10, and 11. This offer expires on May 5.

This is an ideal opportunity to test ANY.RUN and determine whether it streamlines your workflow, or to secure a subscription at an unbeatable price and reap the benefits of significant time savings through static and behavioral analysis.

To learn more about this offer, visit ANY.RUN plans.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we publish.


Ikaroa is a full stack tech company that has recently become aware of the LimeRAT malware. LimeRAT is malware built to exfiltrate data and carry out other malicious activity, and Ikaroa is committed to keeping its customers safe from such threats.

Malware analysis is an important step in keeping customers from being vulnerable to these malicious threats. Specifically, malware analysis can help to identify malicious behavior, determine indicators of compromise, and investigate the encryption keys. One method used for analyzing malware is to extract the configuration and examine the values that are stored within it. This configuration can provide valuable insights into the nature and intentions of the malware, including the communication protocol and command and control elements.

At Ikaroa, we take malware analysis seriously. In the case of LimeRAT, extracting the configuration is a necessary step toward a more comprehensive understanding of the malware. The company’s engineering team is dedicated to understanding the specifics of the malware and taking action against it.

Extracting the configuration is a complicated process that requires a great deal of skill and experience. The team at Ikaroa uses sophisticated techniques to ensure success in extracting the configuration. This includes using specialized tools and software that offer deep insight into the data stored within the malware. By using these measures, the team can uncover information such as communication protocols, data exfiltration behavior, and other malicious activities.

Malware analysis is a crucial part of preventing cyber-attackers from stealing data and taking advantage of vulnerable systems. At Ikaroa, we are committed to understanding the complexity of malware, particularly LimeRAT, and keeping our customers safe from potential threats. By utilizing methods such as configuration extraction and other sophisticated techniques, we are confident that our customers are being well protected.
