A newly emerging Remote access Trojan called CannibalRAT that completely written in Python language targeting and impacting the Brazilian public sector management school.
It spreading with 2 different versions (3.0 and 4.0) both have completely written in Python and distributed as a packed executable that was called py2exe.
This RAT campaigns mainly targeting the users from Brazilian based public sector management schoolINESAP – Instituto Nacional Escola Superior da Administração Pública.
Attackers using Fast Flux(ing) techniques to change the command and control name servers use 120 seconds for TTL that makes changes the several time a day.
In this case, the oldest version of CannibalRAT was an initial peak on Jan. 8, 2018, later second version was discovered Feb. 5, 2018, which was actively increasing its spreading capability.
How does CannibalRAT Remote Access Trojan Works
The RAT distributed via zipped overlay executable contains py2exe format and both versions of this RAT shared a lot of code.
Malware author tried to add a lot of obfustication functionality in version 4 to evade the detection and it used the standard version of UPX, a well known executable packer.
while analyzing the version 4 RAT’s source code reveals that it will generate random strings in memory, thus attempting to make memory string analysis harder.
In this case, an Image was abused and added it will create a PDF file with HTML code embedded that will load a single image hosted at imgur.com.
Both version of the RAT Contacting the same command and control to exfiltrate the stolen information from the user system.
According to Cisco Talos, The credential-stealer modules are a copy of the Radium-Keylogger, which has the source code published on Github. The VM detection function can also be seen on Github in a different repository, the copy of code from other software is a constant in most components of this RAT. Most of these capabilities are provided by Python scripts, which can be executed standalone in the command line, which is coherent with code reuse that was described above.
CannibalRAT Version 4 doesn’t contain some the version 3 RAT functionality such as distributed denial of service, miner, Python, and update.
Version 4.0 of the RAT was clearly configured to be part of a campaign targeting the INESAP, a Brazilian school for public administration, as stated before.According to artifacts found in pastebin.com by Talos, seems that the campaign and RAT customization might have started as early as Jan. 9, 2018. Cisco said.