RATicate malware gang goes commercial

by certadmin

Two months ago, we wrote about a malware gang that we dubbed RATicate.

These criminals have been actively disseminating a range of remote access Trojans – thus the letters RAT in their nickname – aimed at giving them almost complete control over infected computers, all from a distance.

As we explained earlier in the year, the jargon term RAT is very commonly associated with malware that gives criminals remote access to your webcam, usually for sleazy, voyeuristic purposes.

Indeed, the name RAT was originally coined as a metaphor that referred as much to the criminals that deployed the malware as to the malware itself.

But few RATs were ever just about surreptitious access to webcams and screenshots.

Remote access tools of this sort are more generally known as bots, short for software robots, or zombies, because they lie in wait for commands to arise and wreak havoc.

And almost every zombie out there supports, in addition to any built-in features such as file stealing, screen capturing and webcam snooping, a generic command by which it can update and replace itself with completely new malware, or download and install new malware to run alongside itself.

As we wrote back in May 2020:

The RAT variants delivered by this group of crooks included the zombie malware families Betabot, Lokibot, Formbook, AgentTesla, Netwire, Bladibindi and more.

ophosLabs has been tracking the RATicate crew since its last report, and has just published a follow-up article detailing new findings about the way the gang operates.

RATicate is what we call a MaaS group, short for malware-as-a-service, a play on legitimate offerings such as SaaS (software-as-a-service) and IaaS (infrastructure as a service).

The new report gives an intriguing insight into what you might call the artisan economy in the cyberunderground, where different groups of crooks focus on different cybercrime services.

The RATicate operators even seem to have given their “customers” nicknames that we dubbed actor_tags, such as lanrebillaush0ly and pope.


Change in delivery

Two months ago, we described how RATIcate’s malware delivery tool of choice was the NSIS installer, a legitimate and widely-used toolkit for packaging applications into single-file bundles that can be double-clicked to install.

NSIS installers have the upside, for criminals at least, of having an air of legitimacy – many software products use NSIS, so using it for wrapping up malware is, in effect, hiding in plain sight.

But the downside is that NSIS installers aren’t meant to be devious or obfuscated – by design, they’re meant to follow a well-defined format, making them comparatively easy for security researchers to extract and analyse.

The RATicaters worked around this by packing their installers full of decoy files, including text documents, source code, Python scripts, images, XML data and legitimate program files (EXEs and DLLs) that weren’t malicious and might reasonably be expected in a genuine installer.

Guess what?

The RATicate crew recently switched to a more devious sort of software packer that went out of its way to make analysis and extraction of the embedded contents difficult.


To read the original article:



Interdit de copier  ce contenu