
ApolloRat: Evasive Malware Compiled using Nuitka

RAT Leveraging Discord as Command-and-Control Server

Cyble Research Labs discovered a new Remote Access Trojan (RAT) dubbed ApolloRAT. The RAT is written in Python and uses Discord as its Command and Control (C&C) Server. The TAs are selling this RAT for $15 on Telegram and their site, as shown in Figure 1.

In a video demonstration, the TA used Nuitka, a compiler that translates Python source into C and then builds it into a native executable. The widely used alternatives, PyInstaller and py2exe, do not compile Python at all: they bundle the interpreter together with the script's bytecode (.pyc), which an analyst can extract and decompile. Nuitka is adopted far less often, and the native binaries it produces are larger and considerably harder to reverse engineer, which makes ApolloRAT harder to analyze than a typical Python RAT.

Compared to C/C++, Python is much easier to use and has a huge library ecosystem, making it an attractive choice for malware developers. Its drawbacks are performance and the dependency on an interpreter: because Python is interpreted, it must be installed on the victim's machine before a script can run. Compilers and packagers that produce standalone executables remove that second obstacle.

Our observations indicate that ApolloRAT is at an early stage of development. Although we have seen few samples in the wild so far, its low price and ease of use suggest it may appear in multiple attack scenarios.

Figure 1 – Threat Actors’ Site

Figure 2 displays the TA’s Telegram channel used for selling the RAT.

Figure 2 – Telegram Channel

The TA claims that the RAT has the following features:

  • VM detection
  • Screenshot
  • Shell access
  • AV disable
  • Firewall disable
  • Speak
  • Rickroll
  • Redirect
  • Fake PDF
  • Fake GUI
  • Steal Chrome passwords
  • Upload file
  • Download file
  • Get IP
  • Disable taskmgr
  • Shutdown
  • Reboot
  • Startup
  • Messagebox
  • Bluescreen
  • Selfdestruct

Functionality

The TA first places a Discord bot token in the Python script before compiling the payload; the compiled binary uses this token to authenticate to Discord, which then serves as its C&C channel, as shown below.

Figure 3 – Adding Discord Bot Token

The TA then compiles the script with Nuitka, passing the --onefile and --standalone options, which bundle the Python runtime and all dependencies into a single executable that runs on machines without Python installed. These options increase the size of the executable and complicate analysis, since the result is native code rather than packaged bytecode. The compiled file acts as the client on the victim's machine and communicates with the TA through the Discord server. Routing C&C traffic through a legitimate, widely used service such as Discord helps the malware blend in with normal network activity.
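The practical consequence of the compile step above is that an analyst's first question about a suspected Python-based RAT is "which packager or compiler produced it", because that decides whether the sample decompiles back to source or has to be reversed as native code. The following triage helper is an added example written for this page (it is not code from the Cyble write-up or from ApolloRAT). The indicator strings it looks for are its assumptions and should be validated against reference builds: the PyInstaller CArchive magic and the `_MEIPASS2` environment-variable name used by its bootloader, the `NUITKA_ONEFILE_PARENT` environment variable set by Nuitka's onefile bootstrap, the `__compiled__` module attribute Nuitka defines, and py2exe's `PYTHONSCRIPT` resource name. The sample byte blobs are constructed stand-ins for real files.

```python
"""Triage: which Python packager or compiler produced this executable?

Added example, not part of the Cyble write-up or the ApolloRAT tooling.
The marker strings are assumptions; validate them against reference builds
of each tool before relying on the verdicts.
"""
from __future__ import annotations

MARKERS: dict[str, list[bytes]] = {
    # Checked in this order. A Nuitka onefile binary is only the bootstrap
    # wrapped around the compiled standalone tree, so its marker takes
    # precedence over anything else that may also be visible.
    "nuitka-onefile": [b"NUITKA_ONEFILE_PARENT"],
    "nuitka-standalone": [b"__compiled__"],
    "pyinstaller": [b"MEI\x0c\x0b\x0a\x0b\x0e", b"_MEIPASS2"],
    "py2exe": [b"PYTHONSCRIPT"],
}

# What the analyst does next for each verdict.
NEXT_STEP: dict[str, str] = {
    "nuitka-onefile": ("Onefile bootstrap: the real program is a packed (possibly "
                       "compressed) standalone tree. Let it unpack in a sandbox, "
                       "then analyse the inner binary as native code."),
    "nuitka-standalone": ("Native code compiled from Python: there is no .pyc to "
                          "recover; work from the disassembly and CPython C-API calls."),
    "pyinstaller": ("Bundled bytecode: extract the archive (e.g. with pyinstxtractor) "
                    "and decompile the recovered .pyc files."),
    "py2exe": "Dump the PYTHONSCRIPT resource and decompile the marshalled code.",
    "unknown": "No Python packager markers found; treat as a generic executable.",
    "not-executable": "Not a PE or ELF image; check the file type first.",
}


def classify(blob: bytes) -> tuple[str, list[bytes]]:
    """Return (verdict, matched markers) for the raw bytes of a file."""
    if not (blob.startswith(b"MZ") or blob.startswith(b"\x7fELF")):
        return "not-executable", []
    for verdict, markers in MARKERS.items():
        hits = [m for m in markers if m in blob]
        if hits:
            return verdict, hits
    return "unknown", []


def triage(blob: bytes) -> dict[str, object]:
    """Verdict plus the analyst's next step, ready to log or print."""
    verdict, hits = classify(blob)
    return {
        "verdict": verdict,
        "markers": [h.decode("latin-1") for h in hits],
        "next_step": NEXT_STEP[verdict],
    }


# Constructed stand-ins for real samples: a PE header stub followed by the
# strings each tool leaves behind. For real work use open(path, "rb").read().
SAMPLES: dict[str, bytes] = {
    "apollo_onefile.exe": b"MZ" + b"\x00" * 62 + b"NUITKA_ONEFILE_PARENT\x00" + b"\x90" * 32,
    "stealer_pyi.exe": b"MZ" + b"\x00" * 62 + b"_MEIPASS2\x00" + b"MEI\x0c\x0b\x0a\x0b\x0e",
    "plain.exe": b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode",
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = triage(blob)
        print(f"{name}: {result['verdict']} {result['markers']}")
        print(f"    -> {result['next_step']}")
```

The order of the marker table matters: a Nuitka onefile binary carries the compiled program as an embedded payload that the bootstrap unpacks at run time, so the outer file typically reveals only the bootstrap's own strings, and the verdict has to be read as "unpack first, then look again".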

Using the C&C server, the TA can execute various commands on the victim’s system after compromising it. The “>detectVM” command can be used to check if the RAT is executing in a virtual environment, as shown in Figure 4.

Figure 4 – VM Detection Command

Using the “>ip” command, TAs can identify their victim’s IP addresses.

Figure 5 – Victim’s IP

Figure 6 shows the “>speak” command, which uses text-to-speech to read the TA's chosen text aloud on the victim's system.

Figure 6 – Displaying message on victim’s machine

The “>passwords” command returns a text file containing plaintext passwords stolen from the victim's browser (the feature list names Chrome). Figure 7 shows the command in use.

Figure 7 – Stealing Passwords

Similarly, there are other commands which TAs can use for performing malicious activities.

The following commands can be executed by the RAT:

------- Basic commands -------

  • >commands = Opens the help menu
  • >shutdown = Shuts down the victim's computer
  • >reboot = Reboots the victim's computer
  • >startup = Adds the RAT to startup
  • >startcmd = Starts a command prompt; can be used as a test
  • >shell = Executes a shell command, e.g.: >shell start chrome.exe
  • >upload = Uploads a file to the victim's machine, e.g.: >upload filename.exe <WITH ATTACHMENT>
  • >download = Downloads a file from the victim's machine, e.g.: >download <pathtofile>
  • >nofirewall = Turns off the standard Windows firewall; needs admin perms!
  • >noAV = Turns off Windows Defender; needs admin perms!

------- Prank -------

  • >message = Pops up a message box on the victim's PC
  • >bluescreen = Bluescreens the machine; needs admin perms!
  • >speak = Speaks your desired text aloud on the victim's machine
  • >rickroll = Rickrolls the victim

------- Details/Surveillance -------

  • >detectVM = Detects whether the victim is using a virtual environment
  • >screenshot = Takes a screenshot
  • >ip = Gets the victim's IP address
  • >details = Basic client details

------- Stealing -------

  • >redirect = Redirects to any website; can be used for phishing
  • >passwords = Gets the user's saved passwords
  • >wifi = Gets known Wi-Fi passwords
  • >history = Gets browser history

------- Danger Zone -------

  • >exit = Exits the session
  • >SELFDESTRUCT = Self-destructs; deletes everything associated

Conclusion

ApolloRAT is a new Remote Access Trojan with a broad set of capabilities that uses a Discord bot for its C&C communication. Compiling Python with tools such as Cython or Nuitka can make malware more evasive and complicate reversing: the output is native code rather than packaged bytecode, and the file size grows drastically. Given the RAT's low price and multiple functionalities, we may see an increase in the number of ApolloRAT samples in the wild.

Our Recommendations

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Rotate passwords periodically.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor outbound traffic at the network level for processes other than the Discord client or a browser communicating with Discord's API and gateway, and block the beacon to prevent data exfiltration by the malware or TAs.
  • Enable Data Loss Prevention (DLP) solutions on employees' systems.
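The network-level monitoring recommended above, as an added example written for this page rather than taken from the Cyble write-up: a small detector run over a constructed proxy/EDR-style connection log that flags processes other than the Discord client or a browser contacting Discord, the bot gateway lookup a bot performs when it starts, and posts to webhook endpoints. The CSV layout, the sample rows, the Discord domain list and the process allowlist are this example's assumptions; tune the allowlist to what legitimately talks to Discord in your fleet.

```python
"""Flag Discord-as-C&C beacons in outbound connection logs.

Added example, not part of the Cyble write-up. Assumptions: the CSV layout
below (one outbound HTTP(S) request per row, as a proxy or EDR might export
it), the Discord domains listed, and a per-fleet allowlist of processes that
legitimately talk to Discord.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample log. Rows 1-2 are normal client/browser traffic; the
# remaining rows model a RAT client and a webhook-based exfil channel.
SAMPLE_LOG = """timestamp,host,process,dest_host,path
2022-06-20T10:00:01Z,WS-01,discord.exe,gateway.discord.gg,/?v=9&encoding=json
2022-06-20T10:00:05Z,WS-01,chrome.exe,discord.com,/api/v9/users/@me
2022-06-20T10:01:10Z,WS-07,svchost_update.exe,discord.com,/api/v9/gateway/bot
2022-06-20T10:01:11Z,WS-07,svchost_update.exe,gateway.discord.gg,/?v=9&encoding=json
2022-06-20T10:02:30Z,WS-03,invoice.exe,discord.com,/api/webhooks/1234/abcdef
2022-06-20T10:03:00Z,WS-07,svchost_update.exe,cdn.discordapp.com,/attachments/1/2/passwords.txt
2022-06-20T10:04:00Z,WS-02,chrome.exe,discord.com,/api/webhooks/99/zzz
"""

DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Assumption: only these processes are expected to reach Discord on a workstation.
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    dest_host: str
    path: str
    reasons: list[str]
    severity: str


def is_discord_host(name: str) -> bool:
    """True for a Discord domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DISCORD_DOMAINS)


def evaluate(row: dict[str, str]) -> Alert | None:
    """Apply the three checks to one log row; None means nothing suspicious."""
    if not is_discord_host(row["dest_host"]):
        return None
    reasons: list[str] = []
    # 1. A process that is neither the Discord client nor a browser has no
    #    business talking to Discord: this is what the RAT client looks like.
    if row["process"].lower() not in ALLOWED_PROCESSES:
        reasons.append("unexpected-process")
    # 2. GET /api/vN/gateway/bot is how a bot (not a user) discovers its
    #    gateway URL, i.e. the token baked into the binary is being used.
    if "/gateway/bot" in row["path"]:
        reasons.append("bot-gateway-lookup")
    # 3. Webhook posts are a one-way exfil channel; from a browser they are
    #    unusual, from any other process they are damning.
    if row["path"].startswith("/api/webhooks/"):
        reasons.append("webhook-endpoint")
    if not reasons:
        return None
    high = {"unexpected-process", "bot-gateway-lookup"} & set(reasons)
    severity = "high" if high else "medium"
    return Alert(row["timestamp"], row["host"], row["process"],
                 row["dest_host"], row["path"], reasons, severity)


def detect(log_text: str) -> list[Alert]:
    """Run every row of a CSV log through evaluate() and keep the hits."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [a for a in map(evaluate, rows) if a is not None]


def suspects(alerts: list[Alert]) -> list[tuple[str, str]]:
    """Unique (host, process) pairs with a high-severity alert: the binaries
    to pull for triage and the hosts to isolate."""
    return sorted({(a.host, a.process) for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.process} -> "
              f"{a.dest_host}{a.path} {a.reasons}")
    print("pull for triage:", suspects(found))
```

The allowlist is deliberately a set of process names, which a RAT can spoof by renaming itself; in production, key the allowlist on signer or file hash as well, and treat the gateway-lookup and webhook checks as the signals that survive renaming.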

Indicators of Compromise (IOCs)

Indicators | Indicator type | Description
1db4f566417ef2dec8218ee0b0fbf682 | MD5 | Malicious Binary
069eece6f2209672aef8600f15df4bd7ce216a67 | SHA-1 | Malicious Binary
e3b6e58f1427d380648f914d32cb69360d93de33c59e01d8f0fa448113e7679 | SHA-256 | Malicious Binary
f3e758da9d01cd0dfb433478e5eba178 | MD5 | Malicious Binary
a9751413af2ec02b01359c9722d782b5c3af31d3 | SHA-1 | Malicious Binary
0a508f7722b0df4c8291a7cf0469ca7917ea284bfa8a2e84a3550a85d0628320 | SHA-256 | Malicious Binary