CSHARP-STREAMER, a Remote Access Trojan (RAT), was uncovered during an investigation of a ransomware attack involving Metaencryptor. This RAT, which uses publicly available techniques such as AMSI Memory Bypass and XOR-decryption, was deployed via a PowerShell loader. Notably, CSHARP-STREAMER has been linked to several high-profile ransomware campaigns, including ALPHV and REvil, and its use has been observed in multiple attacks since its discovery.
The variant of CSHARP-STREAMER recently analyzed differs from earlier versions. This new version lacks components like the MegaUpload client and ICMP C2 communication, focusing instead on TCP relay functionality for network pivoting. This method leaves specific forensic traces, such as EventID 2004 in Windows Event Logs and firewall rules created by “netsh.exe,” which can be detected using a Sigma rule by Michel de Crevoisier.
The RAT’s primary function involves executing PowerShell scripts for domain enumeration and network propagation, with Metaencryptor using its relay features. Researchers noted that earlier versions of CSHARP-STREAMER had debugging symbols and Chinese code, whereas newer versions show a trend of increased functionality and modularity. The malware’s evolving nature and use of various configurations suggest it operates in a malware-as-a-service model.
Detection methods for CSHARP-STREAMER include monitoring PowerShell script blocks, analyzing firewall rule creation, and searching for specific strings in memory. The malware’s activity is often linked to ransomware groups like Metaencryptor and LostTrusts, indicating that RATs are a critical component in initial access broker strategies. Further analysis and detection tools are crucial for identifying and mitigating this sophisticated malware.
Reference:
