Parasite HTTP Remote Access Trojan
Parasite HTTP is a remote access trojan (RAT) that is sold on underground markets. It steals information and creates a backdoor for remote control of affected devices.
It is a professionally coded modular remote administration tool for windows written in C that has no dependencies except the OS itself.
At the time of publication, Parasite HTTP has been distributed via spam email campaigns targeted towards certain industries including healthcare. The emails include Word document attachments that contain malicious macros. When the macros are enabled, the RAT is downloaded and executed.
The attached messages purported to be resumes or CV submissions. The documents contained macros that, if enabled, would download Parasite HTTP from a remote site.
Parasite HTTP employs a wide range of techniques to avoid analysis including sandbox detection, anti-debugging and anti-emulation methods. It includes modules that can control the user’s desktop, alter user accounts and steal information including passwords. Infected devices can be instructed to download additional modules, so the capabilities of the RAT can be extended in future.
Indicators of Compromise (Host’s To Block)
File hashes (SHA 256):
- 6479a901a17830de31153cb0c9f0f7e8bb9a6c00747423adc4d5ca1b347268dc – macro document
- b52706530d7b56599834615357e8bbc1f5bed669001c06830029784eb4669518 – Parasite HTTP payload
URL:
- hxxp://dboxhost[.]tk/moz/bza.exe – Parasite HTTP payload
Command and control servers:
- xetrodep[.]top
- jekoslo[.]space
- befrodet[.]top
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.