Trojan:MSIL/Metasploit.DA!MTB

In its essence, Trojan:MSIL/Metasploit.DA!MTB consists of a Meterpreter module that has been modified for .NET, and it can either act as immediate or phased reverse shell over various protocols including TCP, HTTP, or HTTPS, often using encryption to keep communication secure. In a phased situation, the small .NET initializer is launched first and downloads the entire payload from the control server, which acts to minimize the risk of detection. The trojan uses .NET interfaces including platform invoke (P/Invoke) to call native functions including memory allocation with equivalent to VirtualAlloc to allocate RAM space, again, sometimes 1MB in the samples examined to run code inside an existing thread, not as a newly created process. The trojan embeds itself inside an existing .NET or system process to blend in. 

The compromised host reaches a specific endpoint and will create and/or process data packets. The basic/simple forms do not have any encryption, while more advanced ones would use RC4 with custom keys. Some of the control points observed for this trojan were variable addresses such as 179[.]60.147[.]4 on port 58731, 108[.]62.118[.]160, or local testing of 192[.]168.68[.]21 on ports 4444 and 1337, where the obfuscation mostly relied on custom strings for better evasion. Capabilities include the ability to run commands from .NET environments, transfer files back and forth, capture interfaces, log keystrokes for potential credential harvesting, and include tools equivalent to .NET but are like Mimikatz for credential extraction. More advanced capabilities include probing environments, redirecting traffic to other end points, and privilege escalation for lateral movement. 

The analyzed payload is engineered to avoid forensic detection by operating without writing persistent files to the disk, instead sourcing additional components from transient, short-lived hosts. While the core sample itself is non-persistent, a threat actor can establish persistence on the compromised machine by modifying system configurations. This can include altering .NET settings, creating scheduled tasks via timers, or hiding malicious binaries within legitimate system processes. 

Communication between the payload and its command and control (C2) server is structured using a Type-Length-Value (TLV) protocol, which efficiently organizes commands and data over the established network channel. This system supports the dynamic loading of extensions that expand the malware capabilities. Key among these is the stdapi extension, which provides a wide array of functions for system interaction, such as file system manipulation and network enumeration. The malware can also load specialized modules for privilege escalation. 

To secure this communication from interception, all data exchanged through these channels is encrypted. The payload typically implements an encryption scheme functionally equivalent to TLS 1.0 within its .NET-based communication protocol. Furthermore, the malware can operate in a fully file-less manner by employing reflective loading techniques. These techniques allow it to load .NET assemblies directly into memory without creating a traceable file on the disk, resulting in a lack of deterministic forensic artifacts. This memory-resident approach facilitates stealthy activities like process migration and lateral movement while effectively evading detection by security software.