This RAT Doesn't Squeak Much
Larry Loeb, Author, 8/13/2019
The Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. A RAT is a type of malware that includes a backdoor for remote administrative control of the target, and this one is no exception. A RAT can monitor target behavior by logging user keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives and the like.

Saefko stays in the background and executes every time the user logs in. It does this by creating a startup key that launches the malware at login.

It first checks whether the Internet connection is active. It then fetches the Chrome browser history and searches it for visits to particular websites associated with activities such as credit cards, business, social media, gaming, cryptocurrency and shopping, keeping a count of how many of those sites have been visited. (Zscaler's blog lists the exact websites it searches for, but the list is too lengthy for this article.) It phones home to a command-and-control (C&C) server and sends what it has found; the counts give the attacker information to decide which of all the infected systems to target first. The C&C can also tell the malware to download an additional payload.

After that, Saefko starts the "StartServices" function, which has four infection modules: HTTPClinet (that's how it spells Client), IRCHelper, KEYLogger, and StartLocalServices (USB spreading).

Don't forget those video sources. Saefko searches the system for AForge.dll, AForge.Video.DirectShow.dll, AForge.Video.dll and Sqlite3.dll, enumerates the video input devices on the targeted system, and sends all the related information to the C&C.
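The history-profiling step described above is worth seeing concretely, because the same query a RAT runs is the one a responder should run on a forensic copy of the victim's Chrome History file to learn what the attacker now knows. The following is an added illustration, not code from Zscaler's write-up or from Saefko itself: it builds a Chrome-style History database in memory (Chrome keeps history in a SQLite file whose `urls` table has `url`, `title` and `visit_count` columns, reproduced here as a subset), tallies visits per interest category, and ranks hosts the way an operator choosing "which system first" might. The keyword buckets, the sample rows and the ranking weights are all assumptions made for the example; the real site list lives in Zscaler's blog and is not reproduced here.

```python
"""Added example: browser-history profiling of the kind the article describes.

Constructs a Chrome-style History database in memory and tallies visits per
interest category. Category keywords, sample rows and ranking weights are
assumptions for illustration, not Saefko's actual list.
"""
import sqlite3
from collections import Counter
from urllib.parse import urlparse

# Assumed keyword buckets, named after the categories the article lists.
CATEGORIES = {
    "credit_card": ("visa", "mastercard", "americanexpress"),
    "business": ("linkedin", "salesforce", "quickbooks"),
    "social_media": ("facebook", "twitter", "instagram"),
    "gaming": ("steampowered", "epicgames", "blizzard"),
    "cryptocurrency": ("coinbase", "binance", "blockchain"),
    "shopping": ("amazon", "ebay", "etsy"),
}

# Constructed sample rows mimicking Chrome's `urls` table (url, title, visit_count).
SAMPLE_ROWS = [
    ("https://www.amazon.com/orders", "Your Orders", 12),
    ("https://www.coinbase.com/dashboard", "Coinbase", 7),
    ("https://www.linkedin.com/feed/", "Feed", 3),
    ("https://news.example.org/", "News", 40),
    ("https://www.facebook.com/", "Facebook", 25),
    ("https://www.visa.com/login", "Visa", 2),
]


def build_history_db(rows):
    """Create an in-memory SQLite DB with the subset of Chrome's `urls` schema we need."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    return conn


def categorize(url):
    """Map a URL to a category by substring match on its hostname, or None."""
    host = urlparse(url).hostname or ""
    for cat, keywords in CATEGORIES.items():
        if any(k in host for k in keywords):
            return cat
    return None


def profile_history(conn):
    """Return {category: summed visit_count}, i.e. what a history-scraping RAT reports home."""
    tally = Counter()
    for url, visit_count in conn.execute("SELECT url, visit_count FROM urls"):
        cat = categorize(url)
        if cat:
            tally[cat] += visit_count
    return dict(tally)


def rank_targets(profiles):
    """Order hosts {hostname: profile} by a weighted score of their category counts.

    Weights are an assumption: an operator after money would value
    cryptocurrency and card activity above gaming."""
    weights = {"cryptocurrency": 5, "credit_card": 5, "business": 3,
               "shopping": 2, "social_media": 1, "gaming": 1}

    def score(host):
        return sum(weights.get(c, 0) * n for c, n in profiles[host].items())

    return sorted(profiles, key=score, reverse=True)


if __name__ == "__main__":
    conn = build_history_db(SAMPLE_ROWS)
    prof = profile_history(conn)
    print(prof)
    print(rank_targets({"victim-a": prof, "victim-b": {"gaming": 50}}))
```

To run this against a real artifact, copy the `History` file out of the Chrome profile directory first (Chrome holds a lock on the live file) and open the copy with `sqlite3.connect`; the `profile_history` query works unchanged on the real table.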
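The persistence mechanism mentioned above, a startup key that launches the malware at login, is also the cheapest place to look for it. As an added example (not from the article or from Zscaler), the script below triages an autorun export of the kind `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces: it parses the `.reg` text format, pulls the executable path out of each Run value, and flags entries whose binary sits in a directory a standard user can write to, which is where a dropped payload registered for login-time execution typically lives. The export, the entry names and the paths are constructed for the example; the `WindowsUpdateSvc` entry is hypothetical and not a known Saefko indicator.

```python
"""Added example: triage of Run-key autoruns from a `reg export` text dump.

The export below is constructed; entry names and paths are hypothetical.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateSvc"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\upd.exe"
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

# A .reg value line: "name"="value", with \" and \\ escapes inside either string.
ENTRY_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')

# Locations a standard user can write to. Vendors usually (not always) install
# under Program Files or Windows instead, so this is a triage signal, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def unescape(s):
    """Undo .reg string escaping: \\ becomes a backslash and \" becomes a quote."""
    return re.sub(r'\\(.)', r'\1', s)


def command_path(cmd):
    """Extract the executable path from a Run-value command line.

    A quoted command yields the quoted part; otherwise the first token is taken
    (an unquoted path containing spaces is its own hygiene problem, out of scope here).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_run_keys(text):
    """Yield (key, name, command) for every value under a Run or RunOnce key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and key and re.search(r"\\Run(Once)?$", key, re.IGNORECASE):
            yield key, unescape(m.group("name")), unescape(m.group("value"))


def suspicious_autoruns(text):
    """Return [(name, path)] for entries whose binary sits in a user-writable directory."""
    flagged = []
    for _key, name, cmd in parse_run_keys(text):
        path = command_path(cmd)
        if any(marker in path.lower() for marker in USER_WRITABLE):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name}: {path}")
```

Expect legitimate per-user installs such as OneDrive to show up alongside the real finding; the point of the list is to shorten what a responder then checks by hand (signature, file age, hash). When reading a real export from disk, open it with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a byte-order mark.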
Oh yes, it will also send a snapshot from the device it has determined is present on the system. The video frame is encoded with Base64 and sent to the C&C for any further nefarious utilization. Boy howdy, this one does stuff.

Zscaler does have some advice, though. "At the administrative level," they post in the blog, "it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT." That happens to be a very good point. You can't fix a RAT infection unless you know you have it.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
Security Now
Copyright © 2019 Light Reading, part of Informa Tech, a division of Informa PLC. All rights reserved.