BlackNET Remote Access Trojan

First observed in February 2019, BlackNET is a remote access trojan written in PHP, .NET, and Python. At the time of publication, BlackNET's source code is available through Github, with its author making no attempts to disguise its malicious nature.

Threat ID:: CC-3408
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Email spam
Published:: 25 March 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

BlackNET is delivered via large-scale spam campaigns using lure documents for a non-existent anti-virus service claiming to protect against Covid-19. When users interact with links in these documents they are taken to a domain where they are asked to input their email address. Once this is done, BlackNET is dropped on their system.

When installed, BlackNET will make anti-analysis and security checks to ensure it is not running in a virtual environment. It will then collect user and system information and send it to command and control server before awaiting further instructions. By default, BlackNET is able to:

Launch distributed denial-of-service attacks (ARME, Bandwidth flood, HTTPGet, POSTHttp, Slowloris, TCP, and UDP).
Download and execute files or scripts.
Log keystrokes using LimeLogger.
Take screenshots.
Extract web browser credentials and cookies.
Extract cryptocurrency wallet credentials.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Type

Step

To prevent and detect a trojan infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Main indicators

URLs

antivirus-covid19[.]site
corona-antivirus[.]com
davidbotnet[.]000webhostapp[.]com/blacknet
davidescu[.]000webhostapp[.]com/BlackNET Panel/
homedeco[.]id/
imdavidfree[.]000webhostapp[.]com//BlackNET%20Panel
impieselfree[.]000webhostapp[.]com/blacknet
instaboom-hello[.]site
piratashost[.]top:82/panel/

MD5 File Hashes

1fd19fcca59ed976ee57640dafba5518
2033caac6e8064bd845004d4d628ebe3
281a4bbd61d5e5e310c407b10dafb78c
31dc0a5c441b531e029a4158354a1529
3d28dc46e048daee4974dc5e2fe08bfd
4a9102b122d9a8dcfe693693f4d91910
52cd657b18efdbd92f7347d439016c6b
53c1d9cbf7ca1147880de072d64980dd
601b4e3b04069beed78e8ce1d2859d4a
6947014e2a2b60445860bfaf5ba35dc6
6d34058315b46deb297c3d7f712f7451
6e36e783324800952f4c0ebea2262fb9
6fa52977cb3aef5606900cd7a11df4da
7e88ccc91e0f9a242c4723e43afa93ab
83614ce163a71a04fb450f5cd55bfb9f
8c7e485a40ba5f1881801e56ca298eb0
8d72b32f0d9796443218f1363324f731
8ea79fb698558a8fbed892a8297f3f4b
9b4402ac464744fd4ed118c956752bbc
bdfa464369c660fabff9ec700c49bab9
c736fcdba9c96eb9b7d8f65e6ab8a4c9
cd1084d9755db2a38402df2171f25948
d25ee82934bec167345502a1e7e3c931
d45bac3b009058b11cabc7a9b4048c8d
dc4cf73a81f74f4aa3ec5224ba2cee91
e829cf7a744547e5f1aca6f53061a7b7

SHA256 File Hashes

146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

Last edited: 29 June 2021 12:00 pm