Summary:

This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network.

This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.

Command and Control Server Features:

Under the Control Tab:

File Manager - Allows the attacker to delete, edit, rename, copy, paste, download, create new folders/files in addition to navigating the file system.

Process Manager - Allows the attacker to list, suspend, resume, kill and kill & delete processes.

Remote Desktop - Allows the attacker to start a Remote Desktop session

Remote Cam - Allows the attacker to obtain access to the victim's system camera and display a live feed

Remote Shell - Opens a reverse shell on the victim, which allows the attacker to input commands directly on the system

Registry - Allows the attacker to manipulate the victim's system registry (create, edit, delete keys and values)

Keylogger - Enables the key logging function on the victim, logs are automatically shipped back to the C&C server.

Get Passwords - Allows the attacker to collect stored passwords in various browsers.

Under the Proxy Tab:

Victim Proxy - Allows the attacker to use the victim as a proxy for network traffic.

Restart Proxy - Restarts the proxy on the selected victim.

Send Msgbox - Allows the attacker to send a pop up text box to the victim.

Under the 'Run File’ Tab:

From Link - Allows the attacker to provide a link to a file and have it executed on the victim’s system.

From Disk - Allows the attacker to upload a file to the victim and have it executed on the victim’s system.

Script - Allows the attacker to create script that is then executed on the victim’s system.

Format System - Allows the attacker to format the victim’s system.

Under the ‘Website’ Tab:

Open Website - Opens a website of the attackers choosing.

Block Website - Blocks a website of the attackers choosing on the victim machine.

DDOS Attack - Performs a DDOS attack on a victim of the attackers choosing.

Open Chat - Opens a chat window on the victims machine.

Spread in Hard Drive

Under the ‘Computer' Tab:

Restart - Restarts the victim’s computer.

Shutdown - Shutdown the victim’s computer.

Under the ‘Server' Tab:

Update - Enables the attacker to update the malware on the victim via upload or a link

Uninstall - Allows the attacker to uninstall the malware.

Restart - Allows the attacker to restart the malware.

Close - May allows the attacker to close the malware

Disconnect - Allows the attacker to sever the connection between them.

Rename - Allows the attacker to rename the malware on the victim’s system.

Open Folder - Opens the local folder on the attackers machine where data collected from the victim’s system is stored.

Builder - Allows the attacker to build malware that will connect back to the server

No-ip - Integrated with no-ip (A Dynamic DNS Service)

Exe to convert jpg - Allows the attacker to convert an exe to a jpg, score, mp3, wav, txt mp4 or flv file.

Builder Features:

Host - Specifies Command and Control server.

Port - Specifies Command and Control server listening port.

Victim Name - Specifies prefix the victims appear with in the portal.

Executable Name - Specifies malware name when it makes a copies itself.

Directory - Specifies which directory to copy the malware to when executed, options include %TEMP%, %AppData%, %User Profile%, and %Program Data%.

MsgBox After Run - Specifies what string to display in a text box after the malware runs successfully for the first time.

USB Spread - Option to spread via USB devices

Protect Process - Option to cause the victim’s system to BSOD if the malware process is killed.

Registry - Prevents the registry from being opened. (Buggy, sometimes you can still get accessS)

Copy StartUp - Option to place the malware in the windows start up

Delete Archives - Option to delete archives

Spread Hard Disk

Anti Taskmgr - This option prevents the Task Manager from being opened on the victim’s computer.

Scheduled Tasks - Add malware into scheduled task (may be buggy)

Short Cut - Creates a short cut when the malware is installed MsgBox After Run - Option to display the MsgBox after installation.

Network Communication:

Like njrat, the infected victims of KilerRat when connecting to the C&C will send information about the victim system, malware version, open windows, etc. See example below:

lv|Kiler|SGFjS2VkX0FFQTg0NUZD|Kiler|RICKBOBBYDOS-PC|Kiler|rickbobbydos|Kiler|2015-11-08|Kiler|USA|Kiler|Win 7 Ultimate SP1 x86|Kiler|Yes|Kiler|4.0.1|Kiler|..|Kiler|QzpcV2luZG93c1xzeXN0ZW0zMlxjbWQuZXhl|Kiler|[endof]

Data Decoded Information SGFjS2VkX0FFQTg0NUZD Base64 encoded data which decodes to HacKed_AEA845FC. HacKed being the specified victim name and AEA845FC being the Volume Serial Number of the victim system. RICKBOBBYDOS-PC Victim Computer Name rickbobbydos Victim User Name 2015-11-08 Date Modified attribute of the malware. This date will match the first time the file is created in the victim system USA Location Win 7 Ultimate SP1 x86 Operating System Information Yes Does the victim have a webcam 4.0.1 Malware Version QzpcV2luZG93c1xzeXN0ZW0zMlxjbWQuZXhl Base64 encoded data which decodes to 'C:Windowssystem32cmd.exe’. This data contains information about what windows are open when the malware executes.

This information check-in is extremely similar to that of many of the njrat variants. With the exception being the data delimiters. Where njrat uses |'|’| KilerRat uses |Kiler| instead. This small change makes many of the existing IDS signatures for njrat ineffective for KilerRat.

inf|Kiler|SGFjS2VkX0FFQTg0NUZD|Kiler|172.16.176.128:6666|Kiler|AppData|Kiler|Trojan.exe|Kiler|Trojan[endof]

This next C&C inf (Information) communication includes ‘Name’ we decode earlier, which includes the specified prefix and the Volume Serial Number of the victim system. It also includes the IP Address:Port of the C&C also which the location and name of the dropped malware, AppData and Trojan.exe. Once again we can see the delimiter used is |Kiler|.

This next C&C communication is the request to open a reverse shell and a simple DIR command.

From the server:

rss[endof]

From the victim after shell is opened:

rs|Kiler|TWljcm9zb2Z0IFdpbmRvd3MgW1ZlcnNpb24gNi4xLjc2MDFd[endof] rs|Kiler|Q29weXJpZ2h0IChjKSAyMDA5IE1pY3Jvc29mdCBDb3Jwb3JhdGlvbi4gIEFsbCByaWdodHMgcmVzZXJ2ZWQu[endof]rs|Kiler|[endof]

Which decodes to: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.

From the server (base64 encoded):

rs|Kiler|ZGly[endof]

Which decodes to ‘dir

From the victim:

rs|Kiler|QzpcVXNlcnNccmlja2JvYmJ5ZG9zXERlc2t0b3A+ZGly[endof]

Which decodes to 'C:Users ickbobbydosDesktop>dir'

From the victim:

IFZvbHVtZSBpbiBkcml2ZSBDIGhhcyBubyBsYWJlbC4=[endof]rs|Kiler|IFZvbHVtZSBTZXJpYWwgTnVtYmVyIGlzIEFFQTgtNDVGQw==[endof]rs|Kiler|[endof]rs|Kiler|IERpcmVjdG9yeSBvZiBDOlxVc2Vyc1xyaWNrYm9iYnlkb3NcRGVza3RvcA==[endof]rs|Kiler|[endof]rs|Kiler|MTEvMDgvMjAxNSAgMDU6NDMgUE0gICAgPERJUj4gICAgICAgICAgLg==[endof]rs|Kiler|MTEvMDgvMjAxNSAgMDU6NDMgUE0gICAgPERJUj4gICAgICAgICAgLi4=[endof]rs|Kiler|MTEvMDgvMjAxNSAgMDU6MjkgUE0gICAgICAgICAgICA0OCw2NDAgUmlja0phbWVzLmV4ZQ==[endof]rs|Kiler|MTEvMDgvMjAxNSAgMDQ6NTQgUE0gICAgICAgICAgICAgICA3NjQgU3RhcnQgVG9yIEJyb3dzZXIubG5r[endof]rs|Kiler|MTEvMDgvMjAxNSAgMDQ6NTQgUE0gICAgPERJUj4gICAgICAgICAgVG9yIEJyb3dzZXI=[endof]rs|Kiler|ICAgICAgICAgICAgICAgMiBGaWxlKHMpICAgICAgICAgNDksNDA0IGJ5dGVz[endof]rs|Kiler|ICAgICAgICAgICAgICAgMyBEaXIocykgIDUyLDM2MSw3NTIsNTc2IGJ5dGVzIGZyZWU=

Which is the base4 encoded dir command output.

Detection:

Even though this RAT is built upon the well known njrat, at the time of testing many antivirus tools had a difficult time detecting around the time of it's release. That being said, there are several ways one could detection a KilerRat infection. One way is utilizing YARA rules for njrat, as many of them trigger on KilerRat due to their shared codebase. Another method is utilizing an IDS with signatures such as this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"AV TROJAN njrat viariant (KilerRat v4.0.1) CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; reference:md5,51409b4216065c530a94cd7a5687c0d6; classtype:trojan-activity; sid:4000010; rev:1;)

Community:

The identity of the person taking credit for the development and maintenance of KilerRat is shown in the ‘About’ page on the C&C control panel, which also confirms our suspicions that it is built upon njrat:

The Facebook page listed in the above photo is quite active, with users commenting about bugs they've encountered and requesting features they would like to see in addition to thanking the developer. The forum www.dev-point[.]com has an active community around this RAT along with a few others.