Researchers at Proofpoint have published a report on malware that is gaining steam in illegal underground Dark Web markets. The malware, a Remote Access Trojan (RAT) dubbed “Parasite HTTP,” was uncovered through a small email attack campaign. Although that campaign is so far the most the RAT has been observed in the wild, its structure has the potential to do a great deal of damage.
Proofpoint describes Parasite HTTP in detail as follows:
The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.
The small email campaign in which Parasite HTTP was discovered used distribution lists aimed largely at hiring divisions in companies. Many of the emails had subject lines and message contents that posed as an individual applying for work. The emails also carried attachments that purported to be CVs or resumes but were, in fact, malicious documents. If the attachment was downloaded and its macro executed, Parasite HTTP would begin its infection process.
Part of the reason the RAT is becoming so popular in underground hacking circles is an aggressive marketing campaign. The main ad making the rounds mentions that “with the stub size of ~49kb and plugin support it presents the perfect solution for controlling a large number of computers from a remote location.” The extensive feature list is also a selling point: it mentions “no dependencies (Coded in C), dynamic API calls (No IAT), encrypted string, bypass Ring3 hooks, secure C&C panel written in PHP, Firewall bypass” and numerous other features, a list that will likely be expanded given the modular nature of the RAT.
IT security divisions would find it in their interest to keep an eye out for Parasite HTTP as it will be deployed with increasing frequency as time goes on.