
Lost Door RAT: Accessible, Customizable Attack Tool

  • Posted on: May 3, 2016 at 12:00 pm
  • Posted in: Malware, Targeted Attacks
  • Author: Janus Agcaoili (Threat Response Engineer)

We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What struck us most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers. Legitimately, this feature enables remote systems to connect to a specific computer or service within a private local-area network (LAN). When used maliciously, however, it allows remote attackers to mask their activities in the network and avoid immediate detection. Because this RAT is easy to customize, even knowledge of the indicators of compromise (which may change as a result) may not be sufficient to thwart the threat. Easily customizable RATs like Lost Door can be hard to detect and protect against, posing a challenge to IT administrators.

Unlike most attack tools, which can only be found in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT are found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.

Figure 1. Facebook page advertising Lost Door RAT

Figure 2. Blog promoting Lost Door RAT

Besides selling the tool’s source code, OussamiO also offers customers the option to download a compiled sample free of charge. This could be a way to entice users of that free sample to buy the full version of the RAT for their own attack needs.

Lost Door RAT’s creator is brazen, in that he relies on the Surface Web to advertise his tool and makes no effort to hide his tracks by going into the Deep Web. This is not to say that the tool is unavailable in the underground, though. While conducting research, we spotted Lost Door builders in different underground markets, such as those in Russia, China, and Brazil, dating back to 2009.

Figure 3. Lost Door RAT v8 builder

Figure 4. Lost Door RAT v8 offering in the Brazilian underground market

Easily customizable

Since Lost Door’s emergence in 2007, its creator has released various versions, the latest being Lost®Door E-Lite v9. Like other notorious RATs such as PlugX and Poison Ivy, Lost Door is easy to customize to include new and varying routines. One can choose from a wide array of predefined server builds and other options for propagation, anti-analysis, stealth, and persistence, among others. Cybercriminals can also include worm capabilities, backdoor commands, and even keylogging routines to customize their RATs; both the Facebook and Blogspot pages where the RAT is offered have step-by-step instructions to guide attackers or even newbie cybercriminals in customizing their versions.

Figure 5. Lost Door E-Lite v9 builder

As mentioned earlier, Lost Door leverages the routers’ Port Forward feature, a tactic also used by DarkComet. By abusing this feature, a remote attacker can gain access to the server side of a private network, whether at home or in an office. This also means that any malicious traffic or communication can be passed off as normal internal traffic, helping attackers mask their C&C address, since the server side does not connect to it directly. Instead, they only need the target router’s IP address and access to its open ports (after configuring it to forward network traffic). Using the Port Forward feature also evades network monitoring, as the RAT only connects to an internal/router IP address. Our analysis shows that this RAT connects to the internal IP address 192[.]168[.]1[.]101 via port 9481. Both the IP address and the port can be customized through the builder.

Other features of the latest Lost Door include printing files via the remote printer, executing apps, and gathering information from the Clipboard memory. This RAT also supports different languages: English, Arabic, French, Spanish, Polish, Italian, and Swedish. On the Blogspot page, OussamiO mentions that if anyone wishes to add another language, they can translate the English version and share the link on the Facebook fan page of Lost Door.

Mitigation

Because this threat is customizable, IT administrators may find it hard to detect on their network due to the changing indicators of compromise (IoC). We have listed the following unique strings we gathered, which can serve as a starting point in detecting Lost Door RAT:

  • Welcome to Lost Door E-Lite v9.1
  • We Control Your Digital Worlds
  • E-Lite v9.1
  • \ \Nouveau dossier\OussamiO\Coding\My Softs\Max Security KiT By UniQue OussamiO\2\SLostDoor\Kner.vbp

In addition, the following is the YARA rule for this threat.

rule lodorat_code
{
    meta:
        author = "Trend Micro, Inc."
        description = "system infected with lodorat"
        in_the_wild = true

    strings:
        // Banner and author strings; 'wide' also matches the UTF-16LE form
        $s1 = "OussamiO" wide ascii
        $s2 = "Welcome To Lost Door" wide ascii nocase
        $s3 = "E-Lite v9" wide ascii nocase
        $s4 = "We Control Your Digital Worlds"

        // Command-line and file-system artifacts referenced by the RAT
        $a1 = /shutdown.{0,5}(-s|-r).{0,5}[0-9]*/i
        $a2 = /(D:|E:|F:)\\Music.exe/i
        $a3 = "C:\\Program Files\\LimeWire"
        $a4 = "C:\\Program Files\\eMule"
        $a5 = "C:\\Program Files\\Morpheus"
        $a6 = "C:\\Program Files\\Bearshare"
        $a7 = "C:\\Program Files\\Kazaa"
        $a8 = "C:\\Program Files\\Ares"

        // Registry policy values used to disable Task Manager / Registry Editor
        $r1 = /CurrentVersion\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)/i

    condition:
        // 'and' binds tighter than 'or': one banner string plus supporting
        // artifacts, or two banner strings on their own
        any of ($s*) and (2 of ($a*) or $r1) or
        2 of ($s*)
}
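For environments without yara-python, the following added example (not part of the Trend Micro post) reimplements the rule above in pure Python: the same indicator strings with their wide/nocase modifiers, the /i regexes, and the condition's operator precedence, exercised over constructed sample buffers rather than real samples.

```python
import re

# Indicators copied from the YARA rule above. $s entries: (text, also match
# UTF-16LE "wide", case-insensitive). $s4 has no modifiers, so ASCII-only.
S_STRINGS = {
    "s1": ("OussamiO", True, False),
    "s2": ("Welcome To Lost Door", True, True),
    "s3": ("E-Lite v9", True, True),
    "s4": ("We Control Your Digital Worlds", False, False),
}
# $a3..$a8: plain ASCII, case-sensitive paths; $a1, $a2, $r1: /i regexes
A_STRINGS = {f"a{i}": "C:\\Program Files\\" + p for i, p in enumerate(
    ["LimeWire", "eMule", "Morpheus", "Bearshare", "Kazaa", "Ares"], start=3)}
A_REGEXES = {"a1": rb"shutdown.{0,5}(-s|-r).{0,5}[0-9]*",
             "a2": rb"(D:|E:|F:)\\Music.exe"}
R1_REGEX = rb"CurrentVersion\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)"

def _has_string(data: bytes, text: str, wide: bool, nocase: bool) -> bool:
    """Substring search honouring YARA's 'wide' (UTF-16LE) and 'nocase' modifiers."""
    hay = data.lower() if nocase else data
    for enc in (("ascii", "utf-16-le") if wide else ("ascii",)):
        needle = text.encode(enc)
        if (needle.lower() if nocase else needle) in hay:
            return True
    return False

def matched_ids(data: bytes) -> set:
    """Identifiers (s1, a3, r1, ...) whose pattern occurs in the buffer."""
    hits = {k for k, (t, w, n) in S_STRINGS.items() if _has_string(data, t, w, n)}
    hits |= {k for k, t in A_STRINGS.items() if t.encode() in data}
    hits |= {k for k, rx in A_REGEXES.items() if re.search(rx, data, re.IGNORECASE)}
    if re.search(R1_REGEX, data, re.IGNORECASE):
        hits.add("r1")
    return hits

def is_lodorat(data: bytes) -> bool:
    """The rule's condition; as in YARA, 'and' binds tighter than 'or'."""
    hits = matched_ids(data)
    s = sum(h.startswith("s") for h in hits)
    a = sum(h.startswith("a") for h in hits)
    return (s >= 1 and (a >= 2 or "r1" in hits)) or s >= 2

# Constructed test buffers, not real samples. VB6 form captions are stored as
# UTF-16LE, so the banner only hits through the 'wide' path.
SAMPLE_WIDE = ("Welcome to Lost Door E-Lite v9.1".encode("utf-16-le")
               + b"\x00" * 8 + b"C:\\Program Files\\LimeWire\x00")
SAMPLE_REG = b"OussamiO\x00Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"
SAMPLE_BENIGN = b"C:\\Program Files\\LimeWire\x00C:\\Program Files\\Kazaa\x00shutdown -s -t 30"

if __name__ == "__main__":
    for name, buf in (("wide", SAMPLE_WIDE), ("reg", SAMPLE_REG), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: match={is_lodorat(buf)} hits={sorted(matched_ids(buf))}")
```

The benign buffer shows why the condition requires a banner string: two P2P paths and a shutdown command alone are common on user machines and do not trigger the rule.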

Early detection of Lost Door RAT can prevent dire consequences like information theft and further infection in the enterprise network. We protect our users and their systems from the dangers this threat may pose via Trend Micro™ Deep Discovery, whose Sandbox with Script Analyzer can detect and analyze Lost Door RAT. Our endpoint products, such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security, can detect this RAT as well.

With additional analysis from Joey Costoya, Lion Gu, Rhena Inocencio, and Fernando Merces
