Phishing Campaign delivers multi-feature, Open-Source Babylon RAT

December 2, 2019
remote administration tool rat phishing campaign malware

Remote Administration Tool (RAT) Summary

Babylon RAT as it used phishing campaign to deliver pervasively, an open-source platform that allows for various breaches. The encrypted traffic and the ability to create SOCKS proxies can help negate network security measures. The client builder allows for Anti-Virus bypassing which helps the binary get to the endpoint safely. The processes allowing for network propagation means an infection is not limited to one endpoint. Combined with the ability to perform a DoS attack, Babylon RAT can be highly effective in the proper environment.


Malware analysis

Key landscape:

  • Samples and administration panel were all written in C++, thisoffers the functionality to manage multiple server configuration options.
    • The port number in which the administration panel will open and listen in when the server is started.
    • A network key for authentication of the infection to the administration panel.
    • The configurations allow for the setting of the IP version in which it will connect. The File drop down at the top provides access to the server, configurations, and the payload builder.
  • Control feature allows the malware to manage multiple server configuration options around port numbers, network keys for authentication and IP versions.
  • Command and Control (C2) communication is encrypted, allows for dynamic domains, and can turn a client into a reverse SOCKS proxy for further obfuscation.This can also allow for a threat actor to require one exit point within a network, while maintaining the infection of multiple machines.
  • This weaponized RAT has many real-time client interaction methods and is capable of information theft.
  • The administration panel has features that can allow for lateral propagation across end points on a network. This tool has enough features that, if used correctly, could devastate any organization.
  • Distributed malware was also capable of using two different C&C domains for redundancy, deploying a password recovery module for harvesting credentials and conducting denial-of-service (DoS) attacks from the infected host.
  • Babylon RAT used to leverage other malware to target industrial enterprise.


Resiliency against Phishing-Borne Malware

Security practitioner can help secure their organizations against phishing-borne malware with ahead-of-threat detection to spot and stop employees from connecting to potentially damaging domains before they become aggressive. Organizations should also use a unified threat management system to inspect performance of all endpoints for unapproved third-party connections, which could also serve as your firewall, anti-malware, phishing protection.


About the author

Leave a Reply