How to catch a RAT at ABN AMRO Bank

Chris Kubecka
4 min read · Dec 20, 2017

Edited by Claus Houmann

Amsterdam is a city filled with canals, ships, cheese and, currently, a mouse-and-rat problem. That’s one thing I do not enjoy about living there. According to the Telegraph, these vermin are very brazen: shocked dinner guests have witnessed “mice sitting in the middle of the table, munching on breadsticks and quaffing tiny glasses of port.” I am barely used to the prospect of rodents around food or stealing my hard-earned booze. A RAT running around my bank, possibly stealing logins and hard-earned cash, is something I find unacceptable.

In early 2017, a friend asked if I would help him with a big workshop he was creating for work. Four days before the scheduled date of the workshop, he’d written nothing at all. Another surprise was that he’d informed the bank that I would be delivering the three-hour workshop, which obligated me to write it, on very short notice, with my reputation on the line, for free. Apparently beggars can be choosers, and he stipulated that it not be too hacker(ish). Allotting a few precious hours, all I had, the hunt began. Friendly tip: don’t ever tell a hacker not to be too hacker(ish); it’s like telling a woman during a heated argument to calm down.

Research spilt into the weekend, and on Sunday evening, a glass of wine in hand, I hit pay dirt. A Remote Access Trojan. An ABN Amro bank server, with a login portal for commercial finance service customers, email services, a webpage redirected to the United Kingdom and a RAT: XtremeRAT, version 3.6, which is a commonly pirated, cracked version. My “why the hell am I doing this” frown turned into a beaming smile. Shodan nicely reported the HTTP error response codes, which match this RAT and version exactly; no mistake.

Figure 1: Shodan reporting XtremeRAT and version number 3.6, 21 May 2017 scan of mx1.abnamrocomfin.com

Tuesday morning came; the workshop participants were mainly developers and crisis managers in IT. They introduced themselves, with the lead explaining that they had recently passed a series of expensive penetration tests by a big four consulting company. He smiled widely, eyes bright, showing how proud he was of the good score from an expert consulting firm. A nice guy; I empathized with him, knowing that his optimism and pride were about to turn into shock and dismay. The team were all quite lovely, making me feel a wee little bit like a doctor about to tell a patient’s family really bad news.

I kept it exciting but tried to be realistic, explaining my findings with reference to the OWASP Top Ten. I suggested that they consider moving the >150K Euro budget spent on a big four pentest and investing it instead in a bug bounty program, for a greater return on investment. Afterwards, we headed to the security department to report the RAT. I was anticipating that the security department would prioritise the investigation. Floor by floor we searched for anyone in the elusive security department, as if they had vanished when confronted with the possibility of responsible disclosure. Eventually, we found a lightly scowling security manager whose body language and attitude expressed his happiness and joy at receiving my report, all whilst attempting to deny that the server belonged to the bank.

Sadly, weeks went by and nothing changed. Informally inquiring, the story conveyed was disappointing. The happy-go-lucky security manager, instead of considering the matter, led internal parties to believe that my motivations were purely monetary and that I didn’t know much about security. Unfortunately, following some correspondence with the bank, ABN appeared unwilling to purchase their own Shodan account to verify my findings. Instead, they put more effort into maintaining a denial than into doing actual security. I lost interest in dealing with a situation that was costing me time and money with zero return.

Figure 2: Shodan screenshot of an ABN AMRO server with a criminal RAT, XtremeRAT, on 21 May 2017

Raw XtremeRAT service banner output, as returned by the Shodan call:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"\n "http://www.w3.org/TR/html40/loose.dtd">\n\n<html>\n<head>\n <title>Error Response</title>\n</head>\n<body>\n<h1>Error Response</h1>\n<p>\n Error code 400: Bad request syntax or unsupported method: <i>Bad HTTP/0.9 request type (\'myversion|3.6\').</i>\n</body>\n</html>
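As an added illustration that is not part of the original post, here is a small Python check for triaging one's own banner data: it picks out the XtremeRAT "myversion|<version>" greeting, in the shape of the 400 error response quoted above, from captured service banners and reports host, version and HTTP error code. The hostnames and banners in it are constructed samples, not Shodan data.

```python
import re
from typing import Optional

# Constructed sample banners (written for this example, not captured data).
# The first mirrors the quoted error page: a generic HTTP 400 response whose
# "request type" echoes the XtremeRAT client greeting "myversion|<version>".
SAMPLE_BANNERS = {
    "mx1.example.invalid": (
        "<html><head><title>Error Response</title></head><body>"
        "<h1>Error Response</h1><p>Error code 400: Bad request syntax or "
        "unsupported method: <i>Bad HTTP/0.9 request type ('myversion|3.6').</i>"
        "</body></html>"
    ),
    "www.example.invalid": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "smtp.example.invalid": "220 smtp.example.invalid ESMTP ready",
}

# The greeting token survives Shodan's escaping (\'myversion|3.6\') and any
# quote style, so the match is anchored on the token itself, not its quotes.
VERSION_RE = re.compile(r"myversion\|(\d+(?:\.\d+)*)")
ERROR_CODE_RE = re.compile(r"Error code (\d{3})")


def xtremerat_marker(banner: str) -> Optional[dict]:
    """Return {'version': str, 'http_error': int|None} when the banner carries
    the XtremeRAT 'myversion|N.N' greeting, otherwise None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    code = ERROR_CODE_RE.search(banner)
    return {"version": m.group(1), "http_error": int(code.group(1)) if code else None}


def triage(banners: dict) -> list:
    """Run the marker check over a host->banner map and list the hits."""
    findings = []
    for host, banner in banners.items():
        marker = xtremerat_marker(banner)
        if marker:
            findings.append({"host": host, **marker})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BANNERS):
        print(f"{f['host']}: XtremeRAT greeting seen, version {f['version']}, "
              f"HTTP error {f['http_error']}")
```

A hit only tells you that a host echoed the RAT greeting; the follow-up is to confirm asset ownership and pull the host's process and connection history, which is what the report described below asked the bank to do.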

ABN AMRO is partially owned by the Dutch government and is considered critical infrastructure. After speaking with a Dutch Minister at a cyber warfare exercise I was helping to lead in Brussels in June 2017, I sent a full report to the Dutch government and left it in their capable hands. The Dutch NCSC-NL is the computer emergency response team for the country, similar to US-CERT.

Figure 3: Table of contents of the ABN AMRO report to the Dutch NCSC-NL

Chris Kubecka

Author, Hacker, OSINT Junkie, Security Researcher, CEO of HypaSec. @SecEvangelism. Passionate about cyber warfare, digital security, hacking, AI & privacy.