
Detecting Trojan.BLT variants using Security Analytics

Blog Post created by ahsonbol on Dec 4, 2015

Trojan.BLT is a remote access trojan associated with a major APT campaign. In this blog post, we will discuss how to detect its network activity using RSA Security Analytics.

When it infects a victim machine, the RAT launches a new instance of cmd.exe and runs “ipconfig /all” to collect the system MAC address. It then sends the MAC address unencrypted, in clear text, to its C2 server in the body of an HTTP POST request, as seen in the screenshot below:


[Screenshot: HTTP POST request carrying the MAC address in clear text]


The URL varies from one Trojan.BLT variant to another:


[Screenshot: POST request URLs observed across Trojan.BLT variants]


Assuming the appropriate meta keys are enabled, the following query can be used to detect Trojan.BLT network activity. It matches HTTP POST requests (action = 'put') to a .asp resource whose query string starts with either of the parameter names seen across the variants:

          action = 'put' && extension = 'asp' && (query begins 'rsv_info=' || query begins 'hostid=')


Scan results for a Trojan.BLT variant can be viewed here.


All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, sessions to the domains and IPs in those feeds are tagged automatically and you can use the following app rule:

          threat.desc = 'apt-blt-c2'
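As an added example (not part of the original post and not RSA's own code), the Python below re-implements both the query above and the threat.desc app rule over a handful of constructed HTTP sessions, so you can see which sessions each rule catches and why the two complement each other: the query rule fires on the request shape regardless of destination, while the feed rule fires on a known C2 host regardless of request shape. The host names, paths, feed contents and POST body layout are assumptions; only the method, the .asp extension, the rsv_info=/hostid= prefixes and the apt-blt-c2 tag come from the post.

```python
import re

# Constructed sample HTTP sessions (request line, headers, body); not real captures.
# The body layout is an assumption: the post says the MAC address is sent in clear
# text in the POST but the screenshot is not reproduced here.
SESSIONS = [
    # 0: variant using rsv_info=, destination host present in the feed
    "POST /update/rsv.asp?rsv_info=W7PRO-01 HTTP/1.1\r\n"
    "Host: c2-a.example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
    "mac=00-0C-29-3A-5B-7C",
    # 1: variant using hostid=, destination host NOT in the feed (new infrastructure)
    "POST /cgi/log.asp?hostid=W7PRO-01 HTTP/1.1\r\n"
    "Host: new-c2.example.invalid\r\n"
    "\r\n"
    "00-0C-29-3A-5B-7C",
    # 2: GET to a feed-listed host: wrong request shape, caught by the feed only
    "GET /update/rsv.asp?rsv_info=W7PRO-01 HTTP/1.1\r\n"
    "Host: c2-b.example.invalid\r\n"
    "\r\n",
    # 3: benign POST to an internal .asp page: no match
    "POST /login.asp?user=alice HTTP/1.1\r\n"
    "Host: intranet.corp.example\r\n"
    "\r\n"
    "password=hunter2",
]

# Constructed stand-in for the FirstWatch APT Threat Domains feed: host -> threat.desc
APT_THREAT_DOMAINS = {
    "c2-a.example.invalid": "apt-blt-c2",
    "c2-b.example.invalid": "apt-blt-c2",
}

# Windows-style MAC as printed by `ipconfig /all` (hyphens); colons accepted too
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b")


def parse_session(raw):
    """Reduce a raw HTTP request to the meta keys the NetWitness query uses."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    filename = path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # The post's query uses action = 'put' for HTTP POST; mirror that mapping here
    action = {"POST": "put", "GET": "get"}.get(method.upper(), method.lower())
    mac = MAC_RE.search(body)
    return {
        "action": action,
        "extension": extension,
        "query": query,
        "alias.host": headers.get("host", "").lower(),
        "mac": mac.group(0) if mac else None,
    }


def matches_blt_query(meta):
    """Python form of:
    action = 'put' && extension = 'asp' && (query begins 'rsv_info=' || query begins 'hostid=')
    """
    return (meta["action"] == "put"
            and meta["extension"] == "asp"
            and (meta["query"].startswith("rsv_info=")
                 or meta["query"].startswith("hostid=")))


def apply_feed(meta, feed=APT_THREAT_DOMAINS):
    """Tag the session with threat.desc when its host is in the feed."""
    desc = feed.get(meta["alias.host"])
    if desc:
        meta["threat.desc"] = desc
    return meta


def matches_threat_desc_rule(meta):
    """Python form of the app rule: threat.desc = 'apt-blt-c2'"""
    return meta.get("threat.desc") == "apt-blt-c2"


def detect(raw_sessions, feed=APT_THREAT_DOMAINS):
    """Return (index, reasons, host, mac) for every session at least one rule hits."""
    alerts = []
    for i, raw in enumerate(raw_sessions):
        meta = apply_feed(parse_session(raw), feed)
        reasons = []
        if matches_blt_query(meta):
            reasons.append("query-rule")
        if matches_threat_desc_rule(meta):
            reasons.append("threat.desc")
        if reasons:
            alerts.append((i, reasons, meta["alias.host"], meta["mac"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SESSIONS):
        print(alert)
```

Session 1 is the reason to keep the query rule even after the feeds are loaded: it is the same beacon to a host the feed has not seen yet. Session 2 is the converse, a request to a known C2 host that the query rule ignores because it is not a POST. When a session trips the query rule but not the feed, the extracted MAC address (and the host) is what you would submit as a new IOC.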
