Security researchers at Netomize have identified a new malware variant, which they have dubbed 'Shulfar,' that uses custom TCP encryption to mask its command-and-control (C&C) communications.
The discovery, detailed in a report from blog.netomize.ca, challenges recent findings from Splunk regarding a similar threat. While Splunk recently reported a variant of the Gh0stRat malware family delivered via CloverPlus adware, Netomize researchers argue that the new threat is distinct due to major differences in code structure, functionality, and communication protocols.
Netomize researchers named the malware 'Shulfar', a reversal of its DLL export name, 'RAFlush'. The researchers noted that the malware uses two distinct communication channels: one over HTTP and another through a custom TCP packet payload.
Encrypted C&C communication
The malware operates as a 32-bit DLL written in C. According to the Netomize report, the custom TCP protocol employs a straightforward encryption algorithm using XOR and addition with a one-byte key to encrypt the payload.
Using the PacketSmith 'yara' detection module, researchers were able to identify the encrypted traffic without requiring a specific decryption key. The malware communicates with a C&C server at IP address 107.163.56.251 over TCP port 6658.
The researchers analyzed a sample of the malware, which matches the characteristics of the Gh0stRat variant referenced by the Splunk Threat Research Team. The identified file has a SHA-256 hash of ec6ef50587a847d4a655e9bfc5c1aee078005c0774a3e6fa23949cc4d8fbad3.
Before transmission to the server, the malware encrypts a packet containing system-specific information using a fixed one-byte key of 0x64. The decrypted packet contains the processor name, total physical memory, and the operating system version.
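As an added analysis example (not code from the Netomize report): a small Python helper for the single-byte XOR-and-addition scheme described above. The report does not state the order of the two operations, so the helper assumes add-then-XOR on the sender side; the sample beacon, its NUL-separated field layout and the known-plaintext offset are constructed here for the demonstration.

```python
# Added example, not from the Netomize report. The report says only that the
# TCP payload is encrypted with XOR and addition using a one-byte key (0x64);
# the ORDER of the two operations is an ASSUMPTION here:
#   c = ((p + key) & 0xFF) ^ key
# If the real order differs, swap the two operations in encrypt()/decrypt().

KEY = 0x64  # one-byte key reported by Netomize


def encrypt(data: bytes, key: int) -> bytes:
    """Assumed sender-side transform: add the key, then XOR with it."""
    return bytes(((b + key) & 0xFF) ^ key for b in data)


def decrypt(data: bytes, key: int) -> bytes:
    """Inverse of encrypt(): XOR first, then subtract the key (mod 256)."""
    return bytes(((b ^ key) - key) & 0xFF for b in data)


def candidate_keys(ciphertext: bytes, known: bytes, offset: int) -> list:
    """Known-plaintext key recovery for a one-byte key.

    The key space is only 256 values, so an analyst who expects a known
    field (e.g. an OS-version string) at a given offset can try every key
    and keep those that reproduce the observed bytes. Returns a sorted list.
    """
    window = ciphertext[offset:offset + len(known)]
    return [k for k in range(256) if encrypt(known, k) == window]


def decode_beacon(ciphertext: bytes, key: int) -> list:
    """Decrypt a beacon and split it into its NUL-separated fields."""
    fields = decrypt(ciphertext, key).split(b"\x00")
    return [f.decode("ascii", "replace") for f in fields if f]


# Constructed sample beacon: CPU name, total RAM, OS version, NUL-separated.
# The field layout is a guess for the demo; the report only lists the contents.
SAMPLE_PLAINTEXT = b"Intel(R) Core(TM) i5-8250U\x0016384 MB\x00Windows 10 Pro\x00"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, KEY)

if __name__ == "__main__":
    off = SAMPLE_PLAINTEXT.index(b"Windows")
    keys = candidate_keys(SAMPLE_CIPHERTEXT, b"Windows", off)
    print("keys consistent with known plaintext:", [hex(k) for k in keys])
    for field in decode_beacon(SAMPLE_CIPHERTEXT, KEY):
        print("  ", field)
```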
The packet-building routine also checks for a configuration file at 'C:\qylxnhy\lang.ini'. If the file exists and its contents meet specific criteria, the malware reads its configuration buffer from that file; otherwise, it falls back to a hardcoded C&C server address.