Karkoff: Static & Dynamic Analysis of an Iranian Trojan

Introduction

Karkoff RAT is a sophisticated Remote Access Trojan that has recently garnered attention for its stealth and persistence. Believed to originate from the Iranian attack group, APT-34.

this malware has been employed in targeted cyber espionage campaigns, demonstrating advanced capabilities in evading detection and maintaining long-term access to compromised systems.

In this blog post, I explore the inner workings of Karkoff RAT through static and dynamic analysis, uncovering its operational tactics and the anti-debugging techniques it uses to thwart analysis.

This post summarizes my findings, challenges, and the strategies I employed during this in-depth malware dissection.

Basic Static Analysis

To kick off the analysis, I began with static analysis techniques.

The initial step involved unpacking the malware using unpac.me and extracting strings with floss.exe for both the packed and unpacked versions of the sample.

Packed Sample Findings:

• SHA256 Hash: cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5

• Hardcoded IP Address: 108.62.141.247

• Associated Website: rimrun[.]com

• File Path: C:\Windows\Temp\MSEx_log.txt

• Possible Dropper Component: DropperBackdoor.Newtonsoft.Json.dll

• Executable Identified: DropperBackdoor.exe

  
  

The initial analysis of the packed file revealed a suspicious IP address and a potentially significant dropper component, hinting at multi-stage payload delivery. In contrast, the unpacked file yielded no significant findings, suggesting that key elements of the malware’s behavior are obfuscated or encrypted in the initial stages.

Registry and Imports Inspection

Before moving on to dynamic analysis, I created a clean snapshot of the system's registry using Regshot. Following that, I utilized PEStudio to inspect the malware’s imports.

Noteworthy Imports:

• ServiceProcessInstaller, ServiceInstaller, ServiceBase: These indicate that the malware may be designed to install and operate as a Windows service, which aligns with its persistence goals.

• HttpWebRequest, HttpWebResponse, WebRequest, WebProxy, NetworkCredential, Icredentials, WebResponse: These imports suggest network communication capabilities, potentially for communicating with a command-and-control server.

• UseShellExecute: A function that indicates the potential for executing shell commands, which could be used for various purposes, including launching other processes or scripts.

These imports provided early hints about the malware's functionality, particularly its potential to interact with the Windows service manager and network resources.

Dynamic Analysis

The dynamic analysis began with an attempt to execute the malware in a controlled environment. However, the detonation process was interrupted by an error message:

This message confirmed the malware's intent to run as a service, likely to ensure persistence and operate with higher privileges.

Thread Creation Monitoring:

Using Process Monitor (Procmon), I observed multiple thread creation operations linked to the malware. However, the paths were obscured, making it difficult to trace the exact operations being performed.

CreateRemoteThreadEx Detection:

I set a breakpoint on CreateThread in x64dbg and caught a call to CreateRemoteThreadEx, indicating that the malware was attempting to inject code into another process.

Upon further inspection, it became evident that the malware was injecting .NET code, possibly as its main payload or a significant secondary component. This was corroborated by the presence of mscorwks.dll in the new threads created by the malware.

Encounter with Anti-Debugging Techniques

During the analysis, I encountered multiple anti-debugging techniques employed by the malware, including calls to IsDebuggerPresent, CheckRemoteDebuggerPresent, and VirtualProtect. These methods are commonly used by malware to detect and disrupt debugging efforts.

Bypassing Attempts:

I attempted to bypass these anti-debugging techniques by NOPing (No Operation) the relevant instructions.

However, even after these modifications, the malware continued to obstruct access to certain memory regions.

Gaining access to these regions was crucial, as they appeared to hold the second-stage payload or critical components of the malware’s operation.

This particular memory region was linked to a string I had identified earlier during the static analysis phase—specifically, a reference to Newtonsoft.Json.dll. Given this connection, I suspected that the memory might contain dynamically loaded or decrypted .NET assemblies, which could be key to understanding the malware's full capabilities and behavior.

However, despite modifying the anti-debugging instructions, the malware employed additional obfuscation techniques, possibly involving Timing Checks. These checks involve measuring the time intervals between instructions, with the malware behaving differently if the time exceeds a certain threshold—a common occurrence when stepping through code in a debugger.

The inability to access this memory area limited my ability to fully dissect the second-stage payload.

However, this experience highlights the lengths to which malware authors will go to protect their code and the importance of developing advanced debugging techniques to overcome such challenges.

Despite these challenges, the analysis provided valuable insights into the malware’s structure and evasion techniques.

Conclusion

The Karkoff RAT employs a variety of techniques to evade analysis, including service-based execution, remote thread injection, and multiple layers of anti-debugging.

While I encountered significant obstacles in fully analyzing the second-stage payload due to advanced anti-debugging mechanisms, the experience underscored the importance of developing robust debugging and analysis skills.

For now, I’ll shift my focus to other malware samples, continuing to build on the knowledge gained from this investigation.

Thanks for reading! Stay tuned for more malware analysis deep dives.