New SectopRAT trojan creates a second, hidden desktop for browser control sessions


A new Trojan, SectopRAT, has emerged in the wild and is able to start a hidden secondary desktop for browser control on infected machines.

MalwareHunterTeam first found the new malware. In a tweet on November 15, MalwareHunterTeam said that the C# malware, compiled on November 13, "creates [a] secret desktop and runs [a] selected application with full control over it."

This attracted the attention of G Data security researchers, who obtained a second sample on November 14 that was later uploaded to VirusTotal.

The first SectopRAT sample is signed with a certificate issued by the Sectigo RSA Code Signing CA and uses a Flash icon, while the second is unsigned. Both Remote Access Trojan (RAT) samples use arbitrary characters in their titles, have write/execute functionality and are obfuscated with ConfuserEx.

Researchers say the malware includes a RemoteClient.Config class with four configuration variables: IP, retip, filename and mutexName.

The IP variable holds the address of the Trojan's C2 server, while the retip variable is used to create new C2 IPs, which can also be overridden by the server via the "place IP" command.

The filename and mutexName variables, however, are set but not in use.

For persistence, the malware is registered in the registry under the hard-coded file name spoolsvc.exe, mimicking the legitimate Microsoft spoolsv.exe process.

Once connected to its C2, the Trojan can be ordered either to stream the active desktop session or to create a secondary desktop, hardcoded with the name "sdfsddfg," that is hidden from view. The researchers say that malware operators can use the "Start window" command to launch a session on the secondary desktop.

Chrome, Firefox or Internet Explorer browser sessions can be opened there. The malware can also change browser settings to remove security barriers and sandboxing. The browser paths are hardcoded, however, and do not use environment variables.
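The two host artefacts described above, the hard-coded "sdfsddfg" desktop and the spoolsvc.exe persistence name, can be hunted for from the defender's side. The following script is an added example and is not code from the article or from G Data; the desktop list and Run-key entries under the `__main__` guard are constructed sample data, the OneDrive path is illustrative, and the Run-key collection on a live host is left to `winreg`.

```python
import ntpath
import sys
KNOWN_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}  # normal WinSta0 desktops
SECTOPRAT_DESKTOP = "sdfsddfg"  # hard-coded desktop name reported by G Data

def suspicious_desktops(names):
    """Flag desktops that do not belong in the interactive window station."""
    hits = []
    for name in names:
        low = name.lower()
        if low == SECTOPRAT_DESKTOP:
            hits.append((name, "SectopRAT hardcoded desktop name"))
        elif low not in KNOWN_DESKTOPS:
            hits.append((name, "unexpected desktop"))
    return hits

def _exe_from_command(command):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = command.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def spoolsv_lookalikes(run_values):
    """run_values: (value_name, command) pairs read from HKCU/HKLM ...\\CurrentVersion\\Run."""
    hits = []
    for value_name, command in run_values:
        base = ntpath.basename(_exe_from_command(command)).lower()
        if base == "spoolsvc.exe":  # SectopRAT persistence name, one letter off from spoolsv.exe
            hits.append((value_name, "spoolsvc.exe mimics spoolsv.exe"))
        elif base == "spoolsv.exe":  # the real spooler runs as a service, not from a Run key
            hits.append((value_name, "spoolsv.exe launched from Run key"))
    return hits

def collect_desktops_windows():
    """Windows only: names of the desktops in the calling process's window station."""
    from ctypes import WINFUNCTYPE, WinDLL, wintypes
    user32 = WinDLL("user32", use_last_error=True)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    enum_proc = WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.EnumDesktopsW.argtypes = [wintypes.HWINSTA, enum_proc, wintypes.LPARAM]
    names = []
    user32.EnumDesktopsW(user32.GetProcessWindowStation(),
                         enum_proc(lambda name, _: names.append(name) or True), 0)
    return names

if __name__ == "__main__":
    desktops = collect_desktops_windows() if sys.platform == "win32" else ["Default", "Winlogon", "sdfsddfg"]
    run_values = [("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
                  ("spoolsvc", r"C:\Users\u\AppData\Roaming\spoolsvc.exe")]  # constructed sample
    for hit in suspicious_desktops(desktops) + spoolsv_lookalikes(run_values):
        print("ALERT:", hit)
```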

The malware can also send system information back to the C2, such as the operating system name, processor data, core information and RAM.

Another command, "Get codec info," has yet to be implemented. "Despite obvious flaws like using hardcoded paths with no ambient variables to access system files, the RAT's architecture, the use of a second desktop, changes in your browser configuration files and parameters show some in-house knowledge that is far from greenhorn," the team says. "It's quite likely that the first wild specimens were simply to be checked." Indicators of compromise (IoCs) are available here.
