RAT malware

Dacls RAT

On October 25, 2019, a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system. At first glance, it seems to be just another one of the regular botnets, but we soon realized this is something with a potential link to the Lazarus Group.

ROKRAT

A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed, this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign.

DARKKOMET

DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.

ExileRAT

Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.

NavRAT

Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

Loda RAT

Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.

ObliqueRAT

This RAT is dropped to a victim's endpoint using malicious Microsoft Office Documents (maldocs). The maldocs aim to achieve persistence for the second-stage implant that contains a variety of RAT capabilities, which we're calling "ObliqueRAT." In this post, we illustrate the core technical capabilities of the maldocs and the RAT components including.

RevengeRAT

RevengeRAT is a publicly available Remote Access Trojan released during 2016 on the Dev Point hacking forum. It is known to be capable of opening remote shells, allowing the attacker to manage system files, processes, and services, editing the Windows Registry, tracking the victim's IP address, editing the hosts file, logging keystrokes, dumping users' passwords, and accessing the webcam, among many others.

Orcus RAT

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.NET code on the remote machine in real time.

RAT Ratatouille

A remote access Trojan named Parallax is being widely distributed through malicious spam campaigns; when installed, it allows attackers to gain full control over an infected system.

PoetRAT

Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of the country Azerbaijan, including private companies in the SCADA sector like wind turbine systems.

CannibalRAT

Talos has identified two different versions of a RAT, otherwise known as a remote access trojan, that has been written entirely in Python and is wrapped into a standalone executable. The RAT is impacting users of a Brazilian public sector management school.

JhoneRAT

This new RAT, "JhoneRAT," is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim's machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms.

Parallax RAT

During our open-source investigation, we came across a sample aptly named "new infected CORONAVIRUS sky 03.02.2020.pif." This file was likely delivered as an attachment to an email in some sort of compressed archive. Upon execution, the RAT is installed and persistence is achieved by creating links in the user's startup folder, as well as the creation of several scheduled tasks, and establishing command and control communications with a dynamic DNS provider domain, which is fairly common with RAT distribution.

Agent Tesla

A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.

njRAT

njRAT, also known as Bladabindi, is a Remote Access Trojan or Trojan which allows the holder of the program to control the end user's computer. It was first found in June 2013 with some variants traced to November 2012. It was made by a hacking organization from different countries called Sparclyheason and was often used against targets in the Middle East. It can be spread through phishing and infected drives. It is rated "severe" by the Microsoft Malware Protection Center.

Nanocore RAT

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

Gh0st RAT

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks. It is a cyber spying computer program. The "Rat" part of the name refers to the software's ability to operate as a "Remote Administration Tool". The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected.

Cerberus

The Cerberus banking Trojan that appeared on the threat landscape at the end of June 2019 has taken over from the infamous Anubis Trojan as the major rented banking malware. While offering a feature set that enables successful exfiltration of personally identifiable information (PII) from infected devices, Cerberus was still lacking features that could help lower the detection barrier during the abuse of stolen information and fraud.

Gustuff

The Gustuff banking Trojan, first spotted in 2016, went through quite a long journey of enhancements since its appearance on the threat landscape. Although originally built based on the infamous Marcher malware, it went through a major refactoring, introducing considerable changes in its architecture and feature set.

Hydra

Having its roots as a “dropper service”, as described in our BianLian blog, Hydra went a long way from using outdated overlay attack techniques to a fully capable banking malware. Although it still has such capability, starting from February 2019 Hydra is no longer used as a dropper but as a functional, stand-alone banking Trojan.

Ginp

Ginp appeared on the threat landscape in the second half of 2019 as a simple SMS stealer, completely written from scratch. It is not unusual to see actors attempt to create new malware now and then, but in this particular case the malware started to evolve rapidly, going through frequent development cycles.

Anubis

Although no longer officially supported since the conviction of its author, Anubis is still a common choice of criminals when it comes to Android banking malware. Since both client and server source code are publicly accessible for free, this does not come as a surprise. Some of the new users even made changes to it, fixing the bugs and gradually improving some aspects of the Trojan to sell or rent it in underground forums.

Bifrost

Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited).

Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 has not been maintained since 2004.

Back Orifice

Developed by the hacker group Cult of the Dead Cow, Back Orifice is one of the well-known examples of a RAT. This malware is specifically designed to discover security deficiencies of Windows operating systems.

Saefko

In October 2019, researchers at Zscaler ThreatLabZ uncovered a new piece of RAT malware called Saefko. It can retrieve Chrome browser history in order to learn about cryptocurrency-related activities.

CrossRAT

If you are using macOS, Windows, Solaris or Linux, you are more prone to CrossRAT, which is an undetectable type of RAT. Once a victim falls prey to the attack, their computer is remotely controlled by malicious actors who make it perform functions to their own liking, such as taking screenshots and/or stealing personal data.

Beast

Beast is another type of malware that mostly attacks Windows operating systems. It was developed in 2002 and is still in use to a large extent. Until recently, it attacked a series of operating systems ranging from Windows 95 to Windows 10. Beast uses a client-server architecture similar to Back Orifice, with a server part of the system being the malware that is surreptitiously installed on the victim machine.

Blackshades

Blackshades is an off-the-peg hacking tool that propagates the RAT by sending out links to infected web pages and/or social media contacts of the infected user. Upon successful installation, hackers install botnet functions that get the victim’s machine to launch Denial of Service (DoS) attacks. In addition, the infected computer can also act as a proxy server to route hacker traffic and hide other hacking activities.

Mirage

Mirage is the key RAT malware launched by APT15 (or Advanced Persistent Threat 15), which is a clandestine state-sponsored Chinese cyber-espionage group. Mirage attacked the government and military establishment of the UK in 2017 but was not made public until 2018.

APT15

APT15 infiltrates specific users through the employment of basic tools, which are then customized to conduct tailored data exfiltration once the computer has been compromised. A new and improved version of this malware is Mirage RAT, which was developed in June 2018.

Sakula

Sakula is believed to be associated with the recent OPM attack. It is signed, looks like benign software, and provides the attacker with remote administration capabilities over the victim machine. Sakula initiates simple HTTP requests when communicating with its command and control (C&C) server. The RAT uses a tool called “mimikatz” to perform “pass the hash” authentication, which sends the hash to the remote server instead of the associated plaintext password.

KjW0rm

KjW0rm is believed to be associated with the recent breach of TV stations in France. KjW0rm was written in VBS, which makes it even harder to detect. The Trojan creates a backdoor that allows the attacker to take control of the machine, extract information, and send it back to the C&C server. (For more information about KjW0rm, read this SentinelOne blog.)

Havex

Havex targets industrial control systems (ICS). It is very sophisticated and provides the attacker with full control over the infected machine. Havex uses different variants (mutations) and is very stealthy. The communication with its C&C server is established over HTTP and HTTPS. Its footprint inside the victim machine is minimal.

Agent.BTZ/ComRat

Agent.BTZ/ComRat is one of the most notorious and well-known RATs. Believed to be developed by the Russian government to target ICS networks in Europe, Agent.BTZ (also known as Uroburos) propagates via phishing attacks. It uses advanced encryption to protect itself from analysis, provides full administration capabilities over the infected machine, and sends extracted sensitive information back to its C&C server. Agent.BTZ uses advanced anti-analysis and forensic techniques.

Dark Comet

Dark Comet provides comprehensive administration capabilities over the infected machine. It was first identified in 2011 and still infects thousands of computers without being detected. Dark Comet uses crypters to hide its existence from antivirus tools. It performs several malicious administrative tasks, such as disabling Task Manager, Windows Firewall, and Windows UAC.

AlienSpy

AlienSpy targets Apple OS X platforms. OS X only uses traditional protection such as antivirus. AlienSpy collects system information, activates webcams, establishes secure connections with the C&C server, and provides full control over the victim machine. The RAT also uses anti-analysis techniques such as detecting the presence of virtual machines.

Heseber BOT

Heseber BOT deploys Virtual Network Computing (VNC) as part of its operation. Since VNC is a legitimate remote administration tool, this prevents Heseber from being detected by any antivirus software. Heseber uses VNC to transfer files and provide control over the infected machine.

Koobface

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as Gmail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace and Twitter, and it can infect other devices on the same local network.