Rats of a different ilk

Yesterday, I pushed the publish button on some additional research I assisted Markel Picado with on RATicate, an actor that had been sending tailored malicious emails to victims loaded with malware installers. They appear to be a Malware as a Service operation.

The interesting thing is that they appear to have been using the same commercial crypting/packing tool as the actors behind GuLoader malware tracked by CheckPoint–this thing called CloudEyE Protector, the successor to DarkEyE Protector. The operators of that crypter-as-a-service shut it all down when people came asking about their malware distribution, and swore they would ban the bad actors.

Welp, they’re back in business, and they’re following some very rigorous (lol) vetting of customers. Sebastiano and Ivano pinky promise to very closely monitor usage and look out for shenanigans. The problem is that grey tools like this–which have a legitimate use as an obfuscator and license protection scheme–are always going to have abusers. The only way to tell the bad from the good is behavior-based detection.

Ironically, one of the features they instituted to lock down their tools was a “hardware ID grabber” app they built with their own tool. And Windows Defender (and 16 others, including Sophos) detect it as malware.

Random Ranting

Obligatory rant post

I think there are a significant number of us who predicted that this year, like the last three, would be a continued slide into the apocalypse. And it looks like we were all too optimistic at this point, weren’t we? We’re all trapped on the bus in Speed, except that the Donald is both the driver and the bomber and Keanu Reeves is definitely not coming to help.

The reason that we all drastically underestimated the damage that Orange Julius Caesar could do is because our assumptions were made pre-pandemic. And even if we had known about the pandemic, we would not have been able to foresee the germophobe-in-chief pulling the counter-programming move he’s pulled unless we believed he deliberately wanted to kill hundreds of thousands of people off–which he apparently does–or that no one in a position to do anything to convince him to act decisively would succeed (or even try, until it was too late).

I say this from a position of entitlement–I have a job that allows me to work from home. But my wife and kids all have jobs that touch the public, and the premature push to be “open for business” has now endangered them (and me as a result). My eldest works for Apple retail; his store re-opened under strict guidelines, and is now closed again because of COVID-19 cases among the staff. Apple had testing in place; other employers don’t. Our governor flew to South Korea to get more tests, and yet testing lags here like it does for most of the country.

People would probably have died in the thousands no matter who was in the White House. But this asshole has gone big on buffoonery and will kill another hundred thousand easily before this is done. The stress on families weighing the benefits of earning a paycheck against the risks posed to their health (and lives, even) by working is real, and Ivanka is posing with cans of Goya black beans.

We have at least until next January with this asshole, barring some sort of miracle. It’s enough to make even atheists pray.