Beware! CSHARP-STREAMER Malware Attacking Windows Users

CSHARP-STREAMER, a Remote Access Trojan (RAT), was identified during an investigation of a ransomware attack using Metaencryptor, with a Powershell loader deploying CSHARP-STREAMER, which utilizes publicly available techniques, including AMSI-Memory-Bypass and XOR-decryption.  

These parts were made by security researchers GetRektBoy724 (XOR decryption) and a user on Github (AMSI Memory Bypass), which suggests that CSHARP-STREAMER has been used in more than one attack since it was first found, such as the deployment of ALPHV ransomware and campaigns linked to REvil and Operation White Stork. 

EHA
usage of the RAT’s TCP relay functionality

Researchers analyzed a variant of the CSHARP-STREAMER malware that differed from a previously reported version. This version lacked the MegaUpload client and ICMP C2 communication found in the older sample.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

It utilized the RAT’s TCP relay functionality to pivot across internal networks, where this network hopping activity leaves forensic traces, including EventID 2004 in Windows Event Logs and a firewall rule for inbound TCP port 6667 created by “netsh.exe.”. 

A publicly available Sigma rule by Michel de Crevoisier can detect this specific behavior, as the threat actors used this technique sparingly, likely to bypass segmentation within the victim’s network. 

During their attempt to break into the system, the attackers made use of a Remote Access Trojan (RAT) that was known as Metaencryptor. 

Metaencryptor used the Relay-Feature to propagate across machines and adopted PowerShell scripts for domain user enumeration instead of the built-in CSHARP-STREAMER toolset, revealing the RAT’s primary function was to execute various PowerShell scripts.  

Monthly C2 activity

Researchers analyzed CSHARP-STREAMER, a modular malware likely used in a malware-as-a-service model or to evade detection.

Early versions (2020) contained debugging symbols and Chinese code, while later ones (version 2.10.x) had increasing version numbers. 

Two configurations were observed: one with a MegaUpload client and one without, as the researchers believe CSHARP-STREAMER was active in 2020 and likely 2022, despite not finding samples from that year. 

A significant rise in RAT usage coincided with a surge in victim exposure by ransomware groups like Metaencryptor (starting August 2023) and LostTrusts (August 2023). 

Although REvil/GoldSouthfield (2021) and another threat actor (Summer 2022) previously used RATs, some variations in tactics suggest an initial access broker may be selling RAT access to various ransomware groups, which is further supported by the malware’s use of multiple configurations and by different actors, like ALPHV. 

Detection Mechanism

Malware analysis by HiSolution reveals early development samples containing a debug path and typos like “ListRalays,” which can be used to create a Yara rule for identification. Notably, the malware seems to operate solely in memory.  

Further detection methods include logging PowerShell script blocks, monitoring firewall rule creation by netsh.exe, searching for specific strings in memory, identifying the “websocket-sharp/1.0” user agent, and analyzing specific web request headers.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files