Fake Indian Income Tax Calculator Delivers xRAT Variant

A FortiGuard Labs Breaking Threat Report

Tax-themed phishing and malware attacks rise during the tax filing season. FortiGuard Labs recently came upon an interesting Excel file claiming to provide an income tax calculator that purports to be from India’s Income Tax Department. It’s not. Instead, it’s a malicious file containing a variant of the xRAT trojan.

Based on the timestamps of when this malicious file was crafted, it seems to be targeting people catching the deadline for filing their income tax returns (ITRs) in India. 

Fig. 1. One of the Malicious Binary’s Compilation Timestamps

Fig. 2. One of the Malicious Binary’ Debug Files

This attack is very timely as the deadline for filing the ITR in India, usually set on July 31, was extended this year to August 31, 2019.

Fig. 3. India’s Income Tax Department’s Announcement for the ITR Filing Extension

When executed, the malicious Excel file drops and executes xRAT, an open-source RAT (remote administration tool) which is a fork off the more well-known QuasarRAT.

Fake Income Tax Calculator

The fake income tax calculator pretends to be from India’s Income Tax Department, as signified by the use of its logo in this decoy file.

Fig. 4. Fake Income Tax Calculator

When the file is opened, it immediately executes its embedded malicious macro code.  The “CLICK & CALCULATE” button shown above is designed to simply trick the user into thinking that it is a legitimate file. Clicking on this button only pops-up a message box containing the following message:

Fig. 5. Calculate Button Only Pops-up a Message Box

What It Does

The malicious macro code first decodes Base64 encoded data embedded in the Excel file. The decoded data is then saved as %AppData%doubleenc.

Fig. 6. Base64 Encoded Embedded Malware

Fig. 7. Decoding the Embedded Malware with Base64

The doubleenc file is encrypted with XOR using the following key:

Fig. 8. XOR Key Used to Decrypt Embedded Malware

When decrypted, the data is saved as %AppData%doubledec.

Fig. 9. Base64 Encoded xRAT

The doubledec file is still Base64 encoded. After decoding, it is saved as %AppData%msword.exe.

Fig. 10. Files Dropped in the %AppData% Folder

The msword.exe file, when executed, drops files in the %AppData%MicrosoftOfficeExcel folder. including the xRAT files.

Fig. 11. Files Dropped in the %AppData%MicrosoftOfficeExcel Folder

Files 3 and 4 are both xRAT binaries compiled using different .NET Framework versions. The file Console Window Host.exe determines which .NET Framework version is installed on the system, then chooses which file to run. The chosen file is then renamed to conhost.exe. This file is then executed and added to an auto-start registry entry.

xRAT 2.0

xRAT is an open-source RAT (remote administration tool) which is a fork off the more well-known open-source QuasarRAT (known to be used by hackers of all types, from script kiddies to APT groups like Patchwork and Gorgon).

The latest version of xRAT is 2.0, and the code is publicly available on Github. According to its readme file, it has the following features:

Fig. 12. Features of xRAT 2.0 as seen on Github

Since this RAT is open-source, we can easily identify any changes made to the original source code. The first thing that comes to mind is to look at the configuration file, which contains information about its command and control server (C2).

Fig. 13. xRAT Configuration

Based on the configuration file, this variant connects to xorc-49723.portmap.host on TCP port 63989. Apparently, this RAT uses the Portmap service to forward traffic to its C2 server. This is also a known technique used by QuasarRAT to hide the true C2 server. As expected, communication between the RAT and its C2 server is encrypted.

Fig. 14. Encrypted Traffic on Port 63989

The encryption used by this variant is the same as that used in the original source code, which is Advanced Encryption Standard (Rijndael). The data sent to/from the C2 server is first compressed with QuickLZ compression then encrypted with AES.

Fig. 15. Traffic To/From C2 Compression and Encryption

The AES encryption uses a generated initial vector (IV) and the MD5 hash of the password indicated in the configuration file, which is “#$%12aBcL”, as its key.

Fig. 16. AES Encryption

All other functionality appears to be the same as the original source code. With a good malware signature, any new compilation of the source code can be easily caught.

Conclusion

As deadlines for the filing of Income Tax Returns approach, many people try to look for tax calculators to make it easy for them to estimate their refund or bill. Many tax filers just use programs downloaded from anywhere on the internet, or even from spam email attachments for unknown users, without being very mindful as to whether they are harmful or not. Every year a number of attackers take advantage of tax season by creating lures to attract and exploit unsuspecting victims, as seen in this exploit and the general rise of tax-themed attacks overall.

-= FortiGuard Lion Team =-

Solution

Fortinet customers are protected by the following:

  • xRat samples are detected by MSIL/XRat.A!tr signature
  • The decoy document is detected by W97M/Agent.YRJ!tr signature
  • FortiSandbox rates the xRAT’s behaviour as high risk

IOCs

Sha256

8b295dd23cddbe8076f0bd651efe03c8d207823920a5c4dbefa328fda6898d83
94687352179d4f60ddc8a18026da4cf356cc47a56e058b4210e9b4f935231576
a070e0ae6edf52b3d1a393a21d33c8aa0f2a30fe113a973dbae892b3f5cadd28
63517ec73dfa0629d344b6803ed2a4465f9338592d9c64a14c89bb0da849961c

C2

xorc-49723.portmap[.]host

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

http://feeds.feedburner.com/fortinet/blog/threat-research