Trojan.BLT is a remote access trojan (RAT) associated with a major APT campaign. In this blog post, we will discuss how to detect its network activity using RSA Security Analytics.
When it infects a victim machine, the RAT launches a new instance of cmd.exe and runs the “ipconfig/all” command to collect the system's MAC address, which it then uses as a host identifier. It sends the MAC address in clear text to its C2 server in the body of an HTTP POST request, as seen in the screenshot below:
The URL varies from one Trojan.BLT variant to another:
Assuming the appropriate meta keys are enabled (Security Analytics records an HTTP POST as action = 'put'), the following query can be used to detect Trojan.BLT network activity regardless of which URL a given variant uses:
action = 'put' && extension = 'asp' && (query begins 'rsv_info=' || query begins 'hostid=')
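To illustrate what the query above is actually matching, here is a small stand-alone detector that applies the same three conditions (POST method, .asp resource, request parameters beginning with rsv_info= or hostid=) to raw HTTP requests and pulls out the MAC address the RAT leaks. This is an added example written for this post, not RSA Security Analytics code; the sample requests, hostnames and MAC addresses are constructed, and the example assumes the Security Analytics query meta key carries both the URL query string and the POST body, so it checks both.

```python
import re
from dataclasses import dataclass

# Constructed sample traffic (not real captures): two Trojan.BLT-style beacons
# plus two benign-looking requests that share some, but not all, of the traits.
SAMPLE_REQUESTS = [
    b"POST /upload/index.asp HTTP/1.1\r\nHost: c2-a.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n"
    b"rsv_info=00-0C-29-3A-B1-7F",
    b"POST /srv/check.asp HTTP/1.1\r\nHost: c2-b.example.invalid\r\n"
    b"Content-Length: 24\r\n\r\n"
    b"hostid=00-50-56-C0-00-08",
    # Same parameter name but a GET: the rule requires a POST.
    b"GET /srv/check.asp?hostid=00-50-56-C0-00-08 HTTP/1.1\r\n"
    b"Host: c2-b.example.invalid\r\n\r\n",
    # POST to an .asp page with an unrelated form field: no match.
    b"POST /login.asp HTTP/1.1\r\nHost: intranet.example.invalid\r\n"
    b"Content-Length: 19\r\n\r\nuser=alice&pw=hunter",
]

BLT_PREFIXES = ("rsv_info=", "hostid=")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")


@dataclass
class HttpRequest:
    method: str
    path: str
    query: str   # URL query string, if any
    body: str    # POST body, if any
    host: str


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, body.decode("latin-1"),
                       headers.get("host", ""))


def matches_blt_rule(req: HttpRequest) -> bool:
    """Mirror of: action='put' && extension='asp' && query begins 'rsv_info='|'hostid='."""
    if req.method != "POST":                    # action = 'put'
        return False
    if not req.path.lower().endswith(".asp"):   # extension = 'asp'
        return False
    # Assumption: the query meta covers both the URL query string and the POST body.
    return any(q.startswith(BLT_PREFIXES) for q in (req.query, req.body))


def scan(raw_requests):
    """Return one alert per request matching the Trojan.BLT C2 pattern."""
    alerts = []
    for raw in raw_requests:
        req = parse_request(raw)
        if not matches_blt_rule(req):
            continue
        mac = MAC_RE.search(req.body) or MAC_RE.search(req.query)
        alerts.append({
            "host": req.host,
            "path": req.path,
            "mac": mac.group(0) if mac else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(f"Trojan.BLT beacon to {alert['host']}{alert['path']} "
              f"leaking MAC {alert['mac']}")
```

Only the two POST beacons fire; the GET carrying the same hostid= parameter and the POST to an unrelated .asp form do not, which is the same behaviour the Security Analytics query gives you. In production you would feed the parsed requests from your own pipeline rather than hard-coded bytes, and the extracted MAC address is a useful pivot back to the infected host.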
Scan results for a Trojan.BLT variant can be viewed here.
All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:
- RSA FirstWatch APT Threat Domains
- RSA FirstWatch APT Threat IPs
If the threat.desc meta key is enabled, the feeds above also let you match this activity with the following app rule:
threat.desc = 'apt-blt-c2'