How to detect the modular RAT CSHARP-STREAMER

Summary

The malware known as CSHARP-STREAMER is a Remote Access Trojan (RAT) developed in .NET. It has been deployed in numerous attacks over the past few years. Reports have mentioned its deployment during attacks orchestrated by REvil. However, during our casework we were able to observe the threat actor behind the ransomware Metaencryptor using CSHARP-STREAMER. Based on our visibility we assume, that Metaencryptor shows a special interest in IT service providers.

Key Takeaways

• HiSolutions successfully identified distinctive patterns within the CSHARP-STREAMER malware, aiding in the identification of specific malware samples.
• We confirmed the modular structure of CSHARP-STREAMER. This customization could be driven by their business model, which might involve payment for specific features, or as a strategy to minimize the chances of detection and analysis.
• The usage of the RAT has massively increased in Q3 2023.
• HiSolutions is able to share extra detection rules to support the detection of components of the deployment kit.

Prevalence and Initial Analysis

Our investigation into the CSHARP-STREAMER malware was triggered by a ransomware incident that also included the deployment of „Metaencryptor“ ransomware. Throughout the forensic examination, HiSolutions identified a Powershell loader responsible for loading, decrypting, and executing the RAT. There is public documentation linking CSHARP-STREAMER with other campaigns beyond Metaencryptor.

• Fortgale attributes the usage to REvil
• Arista mentions usage in Operation White Stork
• GDATA ADAN provided a public report, even though in their case, no further malware was deployed.
• The DFIR-Report identified the RAT during an deployment of ALPHV-Ransomware.

The identified Powershell loader itself, especially the AMSI-Memory-Bypass and the XOR-decryption component, consists of publicly available proof-of-concepts, shared by several security researchers. The AMSI-Memory-Bypass is a perfect copy of a script posted on Github in August 2022. The security researcher “GetRektBoy724” originally published the XOR-decryption part in 2021.

As mentioned above, GDATA ADAN had already published a report regarding the CSHARP-STREAMER toolchain, also mentioning the re-use of code, available in the public domain. The feature-set of the CSHARP-STREAMER malware in our case differs from the sample GDATA ADAN was able to analyze. „Their“ sample came with a MegaUpload client and with ICMP for C2-Communication, whereas the sample analyzed by us came without a MegaUpload client and without ICMP for C2-Communication.

We can confirm the usage of the RAT’s TCP relay functionality. Using this feature, the threat actors were able to move from one network to another more carefully protected network.

The usage of the TCP function leaves some traces, providing opportunities for forensic investigation: This leads to visible traces in Windows Eventlogs in the form of EventID 2004 and the creation of a distinct firewall rule by "C:\\Windows\System32\netsh.exe": "Inbound TCP Port 6667". This behaviour (creation of firewall rule via netsh) is already covered by a publicly available SIGMA-rule, written by Michel de Crevoisier. The threat actors used the feature not on a large scale, but only in situations, where they had to close a gap between different parts of the affected organizations network.

In total, we were able to identify the following modules in the sample initially identified by us:

• ADUtils
• ExecuteAssembly
• Filetree
• HttpServer
• Keylogger
• LineParser
• PsExec
• Relay
• RunAs
• Sendfile
• Sget
• SmbLogin
• Wget
• Spawn

During the attack, Metaencryptor immediately used the Relay-Feature on specific machines and enumerated the users of the domain with Windows Powershell scripts instead of using CSHARP-STREAMER’s comprehensive toolset. The reconstructed process-tree confirmed that the attacker used the RAT mainly for running a diverse set of Powershell scripts.

Evolution of Malware

The fact, that our sample differed from the one GDATA ADAN analyzed, led us the the assumption, that CSHARP-STREAMER is modularized and assemblied for a specific use case. The reasoning behind that is unclear, but two explanations come to mind: CSHARP-STREAMER might be a malware-as-a-service, where customers have to pay per feature. Another possible explanation is, that the malware authors wanted to reduce the possibility of analysis and detection, by reducing the detection and analysis possibilities. We were not able to rule out either of the options. Since we wanted to gain a more complete overview of the overall capability of CSHARP-STREAMER we tried to find further samples, to get a more comprehensive overview.

To our knowledge, first in the wild samples of the malware surfaced in the second half of 2020. From our point of view, these are propably early development version of CSHARP-STREAMER. Some of these samples contain pdb-paths. The „csharp_streamer.Relay“-Library differs codewise from the main „csharp_streamer“-Library by incorporating Chinese strings. While earlier samples from 2019 contain a PDB-Path and are declared as Version 1.0.0.0, actual samples contain ascending Version-Numbers (2.10.8515.16637 – 2.10.8700.7258).

The analysis of samples shows that there are two main different configurations of CSHARP-STREAMER used in the wild, one with the MegaUpload-Client and one without. While we couldn’t identify samples from the year 2022, we are confident that CSHARP-STREAMER was also in active use during this timeperiod.

The observed uptick of the RATs usage in August 2023 also marks the beginning of Metaencryptor‘s publishing of victims (12 in August, 1 in September, 2 in November, 1 in December) and LostTrusts trove of 53 victims in August.

As mentioned by Fortgale the RAT has also been used in 2021 by REvil/GoldSouthfield and by an unknown Threat-Actor in Summer 2022 accordingly to Arista. While we can see an overlap in TTPs with Arista‘s report in our case (similar staging-directories and tooling) we are not confident in attributing both attacks to the same threat actor. The switch in TTPs in the incident handled by us suggests the work of an inital access-broker which gave MetaEncryptor access to the environment. The compilation timestamp of GData‘s samples also correlates with the occurence of new C2-Infrastructure in early 2023. In combination with the utilization of the RAT by multiple actors and in at least three (Mega, Mega + ICMP, Basic) different configurations, we expect that the malware is provided as a service to ransomware groups. The recent publishing of „The DFIR-Report“ identifies the RAT during an attack of ALPHV.

Detection and Response

Early development-samples contain the PDB-path „D:\Devel\csharp-streamer\csharp-streamer\obj\Release\csharp-streamer.pdb“. Additionally, the malware contains some specific strings with typos, like „ListRalays“ which can aid in detection.

Thus, we can provide a Yara-Rule, helping with the identification of known samples. Please note, that in cases known to us, the sample was loaded only in memory, not on disk.

Additionally detection mechanisms involve:

• PowershellScriptBlock-Logging
• The creation of firewall-rules by netsh.exe
• Multiple static strings which can be found in memory
• The use of CSHARP-STREAMER‘s user agent „websocket-sharp/1.0“
• Specific Web-Requests (see headers below)

TTP and Detection Rules

The following rules are shared as TLP:CLEAR.

Yara Rule

rule CSHARP_STREAMER {
   meta:
      description = "Detects decrypted csharp_streamer"
      author = "HiSolutions AG"
      reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
      sharing = "TLP:CLEAR"
      date = "2023-12-18"
      score = 100
   strings:
              $y1 = "csharp_streamer.Properties"
              $y2 = "csharp_streamer.Utils"
              $y3 = "csharp_streamer.ms17_10"
              $y4 = "csharp-streamer"
              $z1 = "iphlpapi.dll" ascii wide
              $z2 = "\\<title\\b[^>]*\\>\\s*(?<Title>[\\s\\S]*?)\\</title\\>" ascii wide
              $z3 = "MagicConstants.kSessionTerminate = ByteString.CopyFrom" ascii wide
              $z4 = "StartRalay"
              $d1 = "csharp-streamer.pdb"
   condition:
              uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)
}

SIGMA Rule

title: Potential csharp_streamer Powershell-Loader
id: 77bdea07-634c-49ad-96d3-03736882b914
status: test
description: Detects Powershell-Loader as seen with csharp_streamer.
references:
    - none
author: HiSolutions AG
date: 2023/12/18
tags:
    - tlp.white
    - attack.t1562.001
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    ps_script:
        EventID: 4104
        Channel:
            - Microsoft-Windows-PowerShell/Operational
            - PowerShellCore/Operational
    selection:
        ScriptBlockText|contains:
            - '[WinApi]::VirtualProtect($funcAddr, [uint32]$patch.Length, 0x40, [ref] $out)'
            - '$wc = New-Object System.Net.WebClient; $wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy();'
            - '$string = xor "$rawData" "decrypt" "'
            - 'if($metInfo.GetParameters().Length -eq 0) # If Assembly - VB, update params'
            - '-UseBasicParsing -UserAgent "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 (.NET CLR 3.5.30729)" ).Content'
            - '$amsiDll = [WinApi]::LoadLibrary("ams"+"i.dll")'
            - '$funcAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScanB"+"uffer")'
    condition: ps_script and selection
falsepositives:
    - Unknown
level: high
ruletype: Sigma

Malware related MITRE ATT&CK Techniques

Threat Actor (TA) related MITRE ATT&CK Techniques