Internet search engine Shodan provides enterprise security teams a wealth of information about open ports on servers and other internet-connected devices. Now, as part of a partnership with threat intelligence company Recorded Future, security analysts and researchers can work with Shodan to uncover systems manipulated to control malware-infected devices.
Shodan’s specialized crawler doesn’t gather information about websites, but rather details about the connected devices, including servers, routers, webcams, and other internet of things devices. The new Malware Hunter crawler takes the scanning a step further and actively hunts for computers that are acting as remote access Trojan (RAT) command-and-control servers. As such, it is a powerful tool for threat analysts, security operations center (SOC) teams, and dedicated security personnel within the enterprise trying to proactively identify and defend against certain types of malware families, said Levi Gundert, vice president of intelligence and strategy at Recorded Future.
“Law enforcement can also use Malware Hunter to find controllers and shut down campaigns,” Gundert said.
RAT controllers remotely control malware-infected machines by sending instructions such as recording audio, logging keystrokes, and executing commands. Malware Hunter poses as an infected computer and sends out a beacon call to every IP address on the internet as if it was looking for the command-and-control server. Anything that responds to the beacon would be considered a RAT controller, Gundert said. Malware Hunter is not waiting for malware to contact it or infect it—which is what happens with passive honeypots and sinkholes—but actively seeks responses and collects the IP address. Malware Hunter does not send additional traffic or attempt to probe the controller.
For enterprise security teams, having the list of IP addresses is helpful on two fronts: They can check if any of those addresses are within their own networks—which would mean they are compromised—as well as proactively configure their firewalls and intrusion prevention systems to block all requests going to and from those addresses. If they detect any outgoing requests to those IP addresses, they can trace the compromised endpoint and shut down the infection.
“By doing it this way—signature scans for RAT controller IP addresses, observing malware through our API and cross-correlating it with a variety of sources—we are able to locate RAT controllers before the associated malware begins spreading or compromising targeted victims,” Gundert said.
Malware detection is a challenge because attackers are continuously changing the malware to avoid detection; there are different hashes, different functionality. An attack campaign may customize the malware multiple times for each victim. Command-and-control infrastructure tends to evolve slowly, so looking for patterns of behavior matching the C&C server is actually faster than waiting for malware samples to be found and analyzed, then detection added to antivirus and other security tools. Unknown malware variants can be found because the infected device is eliciting a response from the controller.
Malware Hunter has identified thousands of RAT servers since the project’s inception in 2015. Considering the millions of connected devices on the internet, thousands may not sound like a lot, but it is significant because these controllers are associated with widely used RATs such as Dark Comet, njRAT, and Poison Ivy, which control large numbers of infected machines. Malware Hunter recently identified a massive global installation of Gh0st RAT, a tool suspected to be of Chinese origin, which has been used in national-state attacks against government agencies and other political targets since 2009.
Recorded Future uses the Shodan API to obtain the crawler’s results, then “enriches” the results with additional information obtained from other open, closed, and technical sources to provide context around the threats, Gundert said. Recorded Future provides Shodan with the controller information that lets the crawler create the beacon calls to match known RAT behavior. Users with a Shodan account will be able to see the overview results and Recorded Future customers will see the results through the platform.
Right now, Malware Hunter is targeting well-known RATs, which Gundert called “low-hanging fruit,” but it can still find RAT families that employ obfuscation and other stealth tricks to avoid detection. The project will continue refining the probes to identify the more sophisticated tools.