Fortinet : Fake Indian Income Tax Calculator Delivers xRAT Variant

08/16/2019 | 01:22pm EDT

A FortiGuard Labs Breaking Threat Report

Tax-themed phishing and malware attacks rise during the tax filing season. FortiGuard Labs recently came upon an interesting Excel file claiming to provide an income tax calculator that purports to be from India's Income Tax Department. It's not. Instead, it's a malicious file containing a variant of the xRAT trojan.

Based on the timestamps of when this malicious file was crafted, it seems to be targeting people catching the deadline for filing their income tax returns (ITRs) in India.

Fig. 1. One of the Malicious Binary's Compilation Timestamps

Fig. 2. One of the Malicious Binary's Debug Files

This attack is very timely as the deadline for filing the ITR in India, usually set on July 31, was extended this year to August 31, 2019.

Fig. 3. India's Income Tax Department's Announcement for the ITR Filing Extension

When executed, the malicious Excel file drops and executes xRAT, an open-source RAT (remote administration tool) which is a fork of the more well-known QuasarRAT.

Fake Income Tax Calculator

The fake income tax calculator pretends to be from India's Income Tax Department, as signified by the use of its logo in this decoy file.

Fig. 4. Fake Income Tax Calculator

When the file is opened, it immediately executes its embedded malicious macro code. The 'CLICK & CALCULATE' button shown above is designed simply to trick the user into thinking that it is a legitimate file. Clicking on this button only pops up a message box containing the following message:

Fig. 5. Calculate Button Only Pops Up a Message Box

What It Does

The malicious macro code first decodes Base64 encoded data embedded in the Excel file. The decoded data is then saved as %AppData%\doubleenc.

Fig. 6. Base64 Encoded Embedded Malware

Fig. 7. Decoding the Embedded Malware with Base64

The doubleenc file is encrypted with XOR using the following key:

Fig. 8. XOR Key Used to Decrypt Embedded Malware

When decrypted, the data is saved as %AppData%\doubledec.

Fig. 9. Base64 Encoded xRAT

The doubledec file is still Base64 encoded. After decoding, it is saved as %AppData%\msword.exe.

Fig. 10. Files Dropped in the %AppData% Folder
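To reproduce the three-stage unpack chain above during analysis (Base64 decode, XOR, Base64 decode), here is an added Python example that is not code from the report or from FortiGuard; the XOR key is a constructed placeholder, since the real key appears only in Fig. 8.

```python
import base64
import os

# Constructed placeholder: the real XOR key is shown in Fig. 8 of the report and is not reproduced here.
PLACEHOLDER_XOR_KEY = b"placeholder-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the decryption step in Fig. 8)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stages(embedded_b64: bytes, xor_key: bytes) -> dict:
    """Reproduce the macro's unpack chain and return every intermediate stage.

    base64 decode -> doubleenc, XOR -> doubledec, base64 decode -> msword.exe
    """
    doubleenc = base64.b64decode(embedded_b64)
    doubledec = xor_bytes(doubleenc, xor_key)
    msword = base64.b64decode(doubledec)
    if not msword.startswith(b"MZ"):
        raise ValueError("final stage is not a PE file; check the XOR key")
    return {"doubleenc": doubleenc, "doubledec": doubledec, "msword.exe": msword}


def write_stages(stages: dict, outdir: str) -> list:
    """Write each stage to outdir under the file names the macro uses; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, data in stages.items():
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def pack_like_macro(pe_bytes: bytes, xor_key: bytes) -> bytes:
    """Inverse of unpack_stages, used only to build constructed test input."""
    return base64.b64encode(xor_bytes(base64.b64encode(pe_bytes), xor_key))
```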

The msword.exe file, when executed, drops files, including the xRAT files, in the %AppData%\Microsoft\Office\Excel folder.

Fig. 11. Files Dropped in the %AppData%\Microsoft\Office\Excel Folder

Files 3 and 4 are both xRAT binaries compiled using different .NET Framework versions. The file Console Window Host.exe determines which .NET Framework version is installed on the system, then chooses which file to run. The chosen file is then renamed to conhost.exe. This file is then executed and added to an auto-start registry entry.

xRAT 2.0

xRAT is an open-source RAT (remote administration tool) which is a fork of the more well-known open-source QuasarRAT (known to be used by hackers of all types, from script kiddies to APT groups like Patchwork and Gorgon).

The latest version of xRAT is 2.0, and the code is publicly available on GitHub. According to its readme file, it has the following features:

Fig. 12. Features of xRAT 2.0 as seen on GitHub

Since this RAT is open-source, we can easily identify any changes made to the original source code. The first thing that comes to mind is to look at the configuration file, which contains information about its command and control server (C2).

Fig. 13. xRAT Configuration

Based on the configuration file, this variant connects to xorc-49723.portmap.host on TCP port 63989. Apparently, this RAT uses the Portmap service to forward traffic to its C2 server. This is also a known technique used by QuasarRAT to hide the true C2 server. As expected, communication between the RAT and its C2 server is encrypted.

Fig. 14. Encrypted Traffic on Port 63989

The encryption used by this variant is the same as that used in the original source code, which is Advanced Encryption Standard (Rijndael). The data sent to/from the C2 server is first compressed with QuickLZ compression then encrypted with AES.

Fig. 15. Traffic To/From C2 Compression and Encryption

The AES encryption uses a generated initialization vector (IV) and, as its key, the MD5 hash of the password indicated in the configuration file, which is '#$%12aBcL'.

Fig. 16. AES Encryption

All other functionality appears to be the same as the original source code. With a good malware signature, any new compilation of the source code can be easily caught.

Conclusion

As deadlines for the filing of Income Tax Returns approach, many people look for tax calculators to make it easy to estimate their refund or bill. Many tax filers simply use programs downloaded from anywhere on the internet, or even from spam email attachments sent by unknown senders, without being very mindful of whether they are harmful. Every year a number of attackers take advantage of tax season by creating lures to attract and exploit unsuspecting victims, as seen in this attack and in the general rise of tax-themed attacks overall.

-= FortiGuard Lion Team =-

Solution

Fortinet customers are protected by the following:

  • xRAT samples are detected by the MSIL/XRat.A!tr signature
  • The decoy document is detected by the W97M/Agent.YRJ!tr signature
  • FortiSandbox rates the xRAT's behaviour as high risk

IOCs

Sha256


C2

xorc-49723.portmap[.]host

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

Disclaimer

Fortinet Inc. published this content on 16 August 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 August 2019 17:21:04 UTC