New AbsoluteRAT in Testing - Binary Defense

Threat Watch


New AbsoluteRAT in Testing

A few days ago, Paul Melson (@pmelson) posted on Twitter about a newly surfaced Remote Access Trojan (RAT) written in the .NET framework, called “AbsoluteRAT.” The RAT is supposedly from the same author as Njrat Golden, as suggested by the name “Hassan Amiri,” which can be found in the strings of both tools. As Paul states in his tweet, this new RAT borrows heavily from an open-source project named “LimeRAT.” According to research by Binary Defense malware analyst Stephan Simon, the AbsoluteRAT sample obtained appears to be in testing, as it is not obfuscated in any way. Rather than contacting an external server, it attempts to connect to a server running on the same local computer as the RAT, using the localhost IP address 127.0.0.1 on port 1177. No code appears to have been modified compared to LimeRAT, aside from the removal of the file download capability. That portion of code was responsible not only for downloading a file but also for executing it immediately after download.
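The indicators above (the sample's SHA-256, the shared author string, and the hard-coded localhost connection on port 1177) are the kind of thing a defender turns into a quick triage check. The following is an added example written for this note, not code from Binary Defense or from the tweet; the file body and the EDR-style event lines are constructed inputs, and the UTF-16LE string check reflects how .NET stores user strings rather than anything observed in this sample.

```python
import hashlib
import json

# Indicators taken from the Binary Defense note; nothing else here is from the page.
ABSOLUTERAT_SHA256 = "a214a30225428679027ddab5e9dce22e4f25b8d2babd3bbfa6a989f944db8182"
AUTHOR_STRING = "Hassan Amiri"      # appears in the strings of both AbsoluteRAT and Njrat Golden
TEST_C2 = ("127.0.0.1", 1177)       # the sample's localhost "server" while it is in testing


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a file body, for comparison with the published hash."""
    return hashlib.sha256(data).hexdigest()


def match_file(data: bytes) -> list:
    """Return the indicators a file body matches: exact hash and/or the author string.

    .NET assemblies keep user strings in the #US heap as UTF-16LE, so the ASCII
    search alone would miss the string; both encodings are checked.
    """
    hits = []
    if sha256_of(data) == ABSOLUTERAT_SHA256:
        hits.append("sha256:AbsoluteRAT sample")
    if AUTHOR_STRING.encode("ascii") in data:
        hits.append("string:Hassan Amiri")
    if AUTHOR_STRING.encode("utf-16-le") in data:
        hits.append("string:Hassan Amiri (utf-16le)")
    return hits


def match_network_events(lines) -> list:
    """Flag JSON event lines describing a connection to the sample's localhost port.

    The event schema (type/proc/pid/dst_ip/dst_port) is an assumption made for
    this example; adapt the field names to whatever your EDR actually emits.
    """
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("type") != "net_connect":
            continue
        if (ev.get("dst_ip"), ev.get("dst_port")) == TEST_C2:
            alerts.append(
                f"{ev['proc']} (pid {ev['pid']}) connected to {TEST_C2[0]}:{TEST_C2[1]}"
            )
    return alerts


# Constructed sample inputs (not real telemetry, not the real binary).
SAMPLE_EVENTS = [
    '{"type":"net_connect","proc":"absolute.exe","pid":4120,"dst_ip":"127.0.0.1","dst_port":1177}',
    '{"type":"net_connect","proc":"chrome.exe","pid":900,"dst_ip":"192.0.2.10","dst_port":443}',
    '{"type":"proc_start","proc":"absolute.exe","pid":4120}',
]
FAKE_BINARY = b"MZ\x90\x00" + AUTHOR_STRING.encode("utf-16-le") + b"\x00" * 16


if __name__ == "__main__":
    print("file indicators:", match_file(FAKE_BINARY))
    for alert in match_network_events(SAMPLE_EVENTS):
        print("network alert:", alert)
```

A loopback connection on port 1177 is only meaningful for this test build; once the author points the RAT at a real server the port and address will change, so the hash and the string indicator are the more durable of the three, and the string check is the one that also catches the related Njrat Golden tooling.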

ANALYST NOTES

Remote Access Trojans pose a significant risk to corporate networks and computers because they give an attacker complete control of a computer and access to files with the same permissions as the account of the employee who was tricked into running the RAT. Many RATs also include the capability to exceed the employee account’s permissions and become an administrator, which can lead to a more severe impact on a corporate network’s security. It is important to keep anti-virus solutions up to date with the latest signatures and to use endpoint detection software that alerts when an employee account performs unusual and suspicious behaviors more consistent with a threat actor’s actions than with those of an employee.

Source: https://twitter.com/pmelson/status/1189536289005158401

File hash (SHA-256): a214a30225428679027ddab5e9dce22e4f25b8d2babd3bbfa6a989f944db8182
