
Micropsia: In-Depth Analysis of a Hamas-Linked Cyber Warfare RAT

  • Hacking By Doing
  • Sep 5, 2024
  • 4 min read

Updated: Mar 28


Introduction


Micropsia is a Remote Access Trojan (RAT) attributed to the AridViper threat actor group (also tracked as APT-C-23), which is closely linked to Hamas and is widely assessed to form part of Hamas' cyber operations. AridViper is known for targeted cyber espionage campaigns, primarily in the Middle East. The group uses custom malware such as Micropsia to gain a foothold on victim systems, steal sensitive information, and keep long-term access to compromised networks, in line with Hamas' strategic goals in the region.


Basic Static Analysis


  • SHA-256 Hash: 9e8f02051b24719f3f3382ebefeea17fcadf989f3cf155a81b25eaafe1a2d102

  • File Size: Approximately 1.5 MB

  • File Type: PE32 executable (Windows 32-bit)

Strings Analysis:

  • The binary yields an unusually large number of printable strings (160,000+). A count that high in a 1.5 MB executable points to embedded resources or configuration data (an embedded decoy document, for instance) or to packed or obfuscated code that happens to produce printable runs; either way, the useful strings have to be filtered out of the noise rather than read top to bottom.



Imports:


  • The executable imports 572 functions, spanning network communication, file system manipulation, and process management. Notable imports include:

    • Wininet.dll for HTTP operations, indicating internet communication capabilities.

    • Kernel32.dll and Advapi32.dll for process control, file and registry access, and service management.

    • User32.dll and Gdi32.dll, which provide window and drawing primitives; a RAT can use them to interact with the desktop (displaying the decoy, for example) or for evasion checks such as looking for analysis tool windows.
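
Strings triage on a binary this size is mostly a filtering problem, and the plain strings utility misses the UTF-16LE text where Windows malware keeps most of its paths, registry keys and URLs unless told to look for wide characters. The following is an added example, not code from this write-up or from the malware: it extracts both ASCII and UTF-16LE runs from a constructed byte blob (the blob and the DLL names, function names, path and URL inside it are made up for the example) and buckets them into the categories a first pass cares about.

```python
import re
from collections import defaultdict

# Constructed sample blob standing in for a slice of a PE image: ASCII strings,
# UTF-16LE strings and binary filler mixed together. Not bytes from the sample.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"WININET.dll\x00InternetOpenA\x00HttpSendRequestA\x00"
    + b"\xff\xfe\x00\x00\x13\x37"
    + "C:\\Users\\Public\\decoy.pdf".encode("utf-16-le") + b"\x00\x00"
    + "http://example.invalid/api".encode("utf-16-le") + b"\x00\x00"
    + b"ADVAPI32.dll\x00RegSetValueExA\x00"
    + b"ab\x00"  # too short to be reported at min_len=5
)


def extract_strings(data: bytes, min_len: int = 5):
    """Return (offset, encoding, text) tuples for ASCII and UTF-16LE runs of
    printable characters at least min_len long, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A UTF-16LE run of ASCII text is printable byte, NUL, printable byte, NUL, ...
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])
    return found


def triage(strings):
    """Bucket extracted strings into the categories that matter on a first look
    at a suspected RAT: DLL names (imports), URLs (C2 candidates) and paths."""
    buckets = defaultdict(list)
    for _offset, _enc, text in strings:
        low = text.lower()
        if low.endswith(".dll"):
            buckets["dll"].append(text)
        elif low.startswith(("http://", "https://")):
            buckets["url"].append(text)
        elif re.match(r"^[a-z]:\\", low):
            buckets["path"].append(text)
        else:
            buckets["other"].append(text)
    return dict(buckets)


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in found:
        print(f"{offset:#08x} {enc:8s} {text}")
    for kind, items in triage(found).items():
        print(kind, items)
```

Against a real sample the same two regexes run over the whole file; the min_len and the bucket rules are the knobs to tune when the 160,000-string noise floor is the problem.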


Behavioral Analysis


Upon execution, MicroPSIA_RAT.exe immediately creates and opens a PDF file titled "Has US policy toward the Palestinian cause changed.pdf." This decoy document is likely used to distract the user while the RAT deploys its malicious activities in the background.




Network Activity


Wireshark Capture:

  • The RAT attempts to connect to the domain kristinthomas[.]work. This domain is likely a Command and Control (C2) server used for data exfiltration or receiving commands.

  • The malware sends an HTTP request that presents itself as Googlebot, carrying URL-encoded, Base64-encoded fields with details about the infected machine:


REVTS1RPUC1VUjlFT0hPXyopKippX3IzMnVpSk9B
Decoded: DESKTOP-XXXXHO_****_r32uiJOA
vcnwaxpcv=IFdpbmRvd3MgRGVmZW5kZXI%3D
Decoded: Windows Defender
vcllgracv=V2luZG93cyAxMCAoVmVyc2lvbiAxMC4wLCBCdWlsZCAxOTA0NCwgNjQtYml0IEVkaXRpb24p
Decoded: Windows 10 (Version 10.0, Build 19044, 64-bit Edition)
QzpcVXNlcnNcKioqXERlc2t0b3BcTWljcm9QU0lBX1JBVC5leGU
Decoded: C:\Users\****\Desktop\MicroPSIA_RAT.exe
vccodwfcv=WU4wMjA4WQ%3D%3D
Decoded: YN0208Y

The message reveals the computer name, the user, the operating system version and build, the path the sample ran from, and the installed security product, which shows the RAT's host reconnaissance. Two practical points follow. The %3D suffixes are URL-encoded "=" padding, so each value is plain Base64 once URL-decoded (and one value is sent with no padding at all). Base64 is an encoding, not encryption: it hides nothing from anyone who looks at the capture, and the fixed parameter names (vcnwaxpcv, vcllgracv, vccodwfcv) together with a workstation sending requests as "Googlebot" are straightforward proxy and IDS signatures.
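
To show how a capture like this is turned into usable data, here is an added example (not code from this write-up or from the malware) that parses a constructed HTTP POST and decodes its form-encoded body. The Base64 values are the ones shown above; the request line, the Host and User-Agent headers, and the parameter names k1 and k2 (the capture does not show the names of the hostname and path fields) are assumptions made for the example. The decoder handles the %3D-encoded padding and the one value that arrives with no padding, and flags a client that presents itself as Googlebot, since a real crawler never originates requests from an internal workstation.

```python
import base64
import binascii
from urllib.parse import unquote

# Constructed request modelled on the capture in this write-up. The body values
# are the Base64 strings from the capture; the request line, Host, User-Agent
# and the parameter names "k1"/"k2" are assumptions for this example.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: kristinthomas[.]work\r\n"
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "k1=REVTS1RPUC1VUjlFT0hPXyopKippX3IzMnVpSk9B"
    "&vcnwaxpcv=IFdpbmRvd3MgRGVmZW5kZXI%3D"
    "&vcllgracv=V2luZG93cyAxMCAoVmVyc2lvbiAxMC4wLCBCdWlsZCAxOTA0NCwgNjQtYml0IEVkaXRpb24p"
    "&k2=QzpcVXNlcnNcKioqXERlc2t0b3BcTWljcm9QU0lBX1JBVC5leGU"
    "&vccodwfcv=WU4wMjA4WQ%3D%3D"
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def b64_lenient(value: str):
    """Decode Base64 that may be URL-encoded (%3D for '=') or missing its
    padding, as in the path field of the capture. Returns None when the value
    contains characters outside the Base64 alphabet."""
    s = unquote(value).strip()
    s += "=" * (-len(s) % 4)  # restore padding the sender dropped
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def decode_beacon(body: str):
    """Decode every key=value field of a form-encoded beacon body. Splitting is
    done by hand rather than with parse_qsl so a raw '+' inside Base64 is not
    turned into a space."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        decoded = b64_lenient(value)
        fields[unquote(key)] = decoded if decoded is not None else value
    return fields


def triage_request(raw: str):
    """Summarise the beacon: a workstation that sends requests claiming to be
    Googlebot is spoofing (the real crawler only fetches inbound), and the
    decoded fields show exactly what host data was exfiltrated."""
    request_line, headers, body = parse_http_request(raw)
    ua = headers.get("user-agent", "")
    return {
        "request_line": request_line,
        "host": headers.get("host", ""),
        "googlebot_ua": "googlebot" in ua.lower(),
        "fields": decode_beacon(body),
    }


if __name__ == "__main__":
    summary = triage_request(SAMPLE_REQUEST)
    print(summary["request_line"], summary["host"], "googlebot_ua =", summary["googlebot_ua"])
    for key, value in summary["fields"].items():
        print(f"{key}: {value}")
```

The decoded field for the security product carries a leading space in the capture; the decoder returns it untouched so that the exact bytes can be used as a signature.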



Persistence Mechanism


Procdot Analysis:


  • MicroPSIA_RAT.exe was observed creating a .lnk shortcut file in the Startup folder, ensuring that the RAT is executed every time the system starts.


  • Thread Injection: The RAT injected code into another process (PID: 6372) and ran it there, so its activity is attributed to that process's image name rather than to MicroPSIA_RAT.exe. A thread in PID 6372 whose start address falls outside any loaded module is the tell-tale to look for.


  • File Activities:

    • Decoy Document: Created Has US policy toward the Palestinian cause changed.pdf in the Temp directory.



    • Temporary File: Generated dsfj45k.tmp in the AppData\Roaming directory.


    • Startup Shortcut: The .lnk file MicroPSIA_RAT.lnk was moved to C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, establishing persistence.


Registry and File System Modifications


Certificates Folder Modifications:

  • The malware made changes under the user's trusted root certificate store (the SystemCertificates\Root branch of the registry), possibly to install a malicious root CA that would let the operator intercept TLS traffic (a Man-in-the-Middle attack). Two checks are worth doing before settling on that conclusion: confirm that the trace shows registry writes (RegSetValue/RegCreateKey) rather than the reads every TLS handshake performs against that store, and list the user Root store before and after execution to see whether a new thumbprint appeared.


  • Registry Changes In The Root Folder:


Command Execution Preparation:

  • The RAT queried the ComSpec environment variable, which holds the path to cmd.exe; that lookup is the usual prelude to spawning a command interpreter for command-line operations.



PowerShell Interaction:

  • The trace references powershell.exe, so the malware can invoke PowerShell to run scripts or fetch further payloads. The trace alone does not show which command line was used; PowerShell script block logging (event ID 4104) on the analysis host would capture it.
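
The persistence, certificate-store, ComSpec and PowerShell observations above all come from the same Procmon trace, and they translate directly into triage rules that can run over an exported CSV. The following is an added example, not code from this write-up: it reads a constructed Procmon-style export (same column layout as a Process Monitor CSV; the paths, PIDs, timestamps and the explorer.exe control row are made up for the example) and applies rules for a .lnk written into the Startup folder, writes (but not reads) to the user's trusted root store, ComSpec/PATHEXT lookups, a PowerShell child process, and a PDF dropped in Temp.

```python
import csv
import io
import re

# Constructed Procmon-style CSV using Process Monitor's export columns. The
# rows illustrate the event classes described in this write-up; the user name,
# PIDs, timestamps and the explorer.exe row are made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","MicroPSIA_RAT.exe","5120","CreateFile","C:\Users\alice\AppData\Local\Temp\Has US policy toward the Palestinian cause changed.pdf","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.3","MicroPSIA_RAT.exe","5120","CreateFile","C:\Users\alice\AppData\Roaming\dsfj45k.tmp","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.5","MicroPSIA_RAT.exe","5120","SetRenameInformationFile","C:\Users\alice\AppData\Local\Temp\MicroPSIA_RAT.lnk","SUCCESS","FileName: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroPSIA_RAT.lnk"
"10:01:02.9","explorer.exe","4012","CreateFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroPSIA_RAT.lnk","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0","MicroPSIA_RAT.exe","5120","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec","SUCCESS","Type: REG_EXPAND_SZ, Length: 58, Data: %SystemRoot%\system32\cmd.exe"
"10:01:03.2","MicroPSIA_RAT.exe","5120","RegOpenKey","HKCU\Software\Microsoft\SystemCertificates\Root\Certificates","SUCCESS","Desired Access: Read"
"10:01:03.4","MicroPSIA_RAT.exe","5120","RegSetValue","HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\A1B2C3\Blob","SUCCESS","Type: REG_BINARY, Length: 1,412"
"10:01:04.0","MicroPSIA_RAT.exe","5120","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 6000, Command line: powershell.exe"
'''

STARTUP_DIR = "\\start menu\\programs\\startup\\"
ROOT_STORE = "\\systemcertificates\\root\\"
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegSetInfoKey", "RegDeleteValue"}


def parse_procmon_csv(text: str):
    """Rows of a Procmon CSV export as dicts keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(text)))


def file_target(ev):
    """For renames Procmon names the destination in Detail as 'FileName: ...';
    for everything else the Path column is the object touched."""
    if ev["Operation"] == "SetRenameInformationFile":
        m = re.search(r"FileName:\s*(.+)$", ev["Detail"])
        if m:
            return m.group(1).strip()
    return ev["Path"]


def triage_events(events):
    """Apply the behavioural rules from this write-up to a list of Procmon rows
    and return one finding per matching event, in trace order."""
    findings = []

    def hit(rule, ev, note):
        findings.append({"rule": rule, "time": ev["Time of Day"],
                         "process": ev["Process Name"], "pid": ev["PID"],
                         "path": file_target(ev), "note": note})

    for ev in events:
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if ev["Result"] != "SUCCESS":   # failed operations are noise for these rules
            continue
        target = file_target(ev).lower()
        # 1. Persistence: a .lnk written or moved into the per-user Startup folder.
        #    Explorer reading that folder is normal, so only writes/renames count.
        if STARTUP_DIR in target and target.endswith(".lnk") and (
            op == "SetRenameInformationFile"
            or (op in ("CreateFile", "WriteFile") and "Write" in detail)
        ):
            hit("startup_lnk_persistence", ev, "shortcut placed in Startup folder")
        # 2. Trusted root store: only registry writes matter; reads of
        #    SystemCertificates\Root happen during every TLS handshake.
        if ROOT_STORE in path.lower() and op in REG_WRITE_OPS:
            hit("root_store_write", ev, "write to user trusted root CA store")
        # 3. Shell preparation: ComSpec / PATHEXT lookups precede cmd.exe use.
        if op == "RegQueryValue" and path.lower().endswith(("\\comspec", "\\pathext")):
            hit("comspec_lookup", ev, "located cmd.exe via environment")
        # 4. PowerShell child process spawned by the sample.
        if op == "Process Create" and path.lower().endswith("\\powershell.exe"):
            hit("powershell_spawn", ev, "spawned PowerShell")
        # 5. Decoy document dropped in Temp (informational).
        if op == "CreateFile" and "\\temp\\" in target and target.endswith(".pdf") and "Write" in detail:
            hit("decoy_document", ev, "PDF written to Temp")
    return findings


if __name__ == "__main__":
    for finding in triage_events(parse_procmon_csv(SAMPLE_CSV)):
        print(f'{finding["time"]} {finding["process"]}({finding["pid"]}) {finding["rule"]}: {finding["path"]}')
```

The explorer.exe row and the RegOpenKey row are there on purpose: both touch the same artifacts as the malware and neither produces a finding, which is the difference between a rule that fires on the RAT and one that fires on every host.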




Advanced Analysis of Malware Behavior


Technical Capabilities:

  • Thread Injection: The RAT executes its payload inside another process, so its activity is attributed to that host process and image-name-based detection misses it. Memory-resident code that belongs to no loaded module (what Volatility's malfind or a thread start-address check surfaces) is the artifact to hunt for.

  • File System Manipulation: By creating and moving files across several directories, including Temp and AppData, the RAT prepares its persistence and stays out of the most obvious locations. The .lnk placed in the Startup folder is the persistence mechanism proper; the decoy PDF in Temp and the .tmp file in AppData\Roaming are working files.

  • Network Communication: The encoded beacon to the C2 server carries host reconnaissance and provides the channel for data exfiltration and remote commands. Base64 only obscures the traffic from a casual glance; it is reversible by anyone inspecting the capture, and the decoded field values and fixed parameter names make the beacon easy to signature.


PowerShell Exploitation:

  • The RAT's interaction with PowerShell shows it leans on Windows' built-in tooling to run commands, download additional payloads, or change system configuration, extending its reach beyond the initial infection without dropping extra tools. On a defended host that makes PowerShell logging (script block and module logging) the relevant control, since it records what the RAT asked PowerShell to do.


Persistence and Evasion:

  • The malware’s approach to persistence through the use of .lnk files in the Startup folder ensures that it can survive system reboots and maintain control over the infected machine. This is a common technique used by advanced persistent threats (APTs) to establish long-term footholds in target environments.

  • Additionally, by reading the registry and environment variables such as ComSpec and PATHEXT, the malware resolves the command interpreter and the executable extensions the system accepts, so it can launch commands and scripts the way the operating system itself does, which makes the resulting process creation blend in with legitimate activity.


Registry Modifications:

  • The changes observed under the Certificates branch of the registry point to a strategy in which the RAT injects a malicious root certificate or replaces a legitimate one. A rogue trusted root lets an attacker who controls the network path intercept or alter the victim's TLS traffic without warnings (a man-in-the-middle attack) for every application that relies on the Windows certificate store. Modifying the trusted root store undermines the basic trust model of secure communications on the affected system, which is why the presence of a new thumbprint there should be verified directly rather than inferred from registry activity alone.



Conclusion


MicroPSIA_RAT.exe, associated with the AridViper APT group, is a capable piece of malware built for persistence, data exfiltration, and remote command execution. Its use of thread injection, its reliance on system utilities such as PowerShell and cmd.exe, and its changes to the trusted root certificate store show a working knowledge of Windows internals and a clear intent to avoid detection.

Nothing in this analysis confirms anti-VM checks, but RATs of this class commonly fingerprint virtualized environments and alter their behavior there. If this sample does, some capabilities will only surface on a more realistic, possibly physical, analysis host, which is worth ruling out before treating this behavioral profile as complete.

Further reverse engineering and ongoing monitoring are recommended to reveal all aspects of this RAT's behavior. Given the connection to the AridViper group, this analysis reinforces the importance of vigilance against sophisticated APT attacks, particularly those linked to politically motivated terrorist organizations like Hamas. The deployment of MicroPSIA_RAT.exe in targeted campaigns underlines the need for robust detection and mitigation strategies, especially in environments at risk of espionage or intellectual property theft.


Final Thoughts

The MicroPSIA_RAT.exe malware, through its complex set of features and strategic use of system resources, exemplifies the advanced capabilities of modern RATs deployed by APT groups. Understanding and mitigating the risks posed by such threats require a multi-layered approach, combining technical defenses, user awareness, and ongoing research into evolving attack methodologies.







