A few days ago, Paul Melson (@pmelson) posted on Twitter about a new Remote Access Trojan (RAT) developed using the .NET framework, called “AbsoluteRAT” that had suddenly appeared. This RAT is supposedly from the same author as Njrat Golden, as seen by the name “Hassan Amiri” which can be found in the strings of both tools. As Paul states in his tweet, this new RAT borrows heavily from an open-source project calling itself “LimeRAT.” According to research by Binary Defense malware analyst Stephan Simon, the AbsoluteRAT sample obtained appears to be in testing as it is not obfuscated in any way. It attempts to connect to a server running on the same local computer that the RAT is running on, using the localhost IP address 127.0.0.1 on port 1177, rather than an external server. No code appears to have been modified compared to LimeRAT, aside from removing the file download capability. This portion of code was responsible for not only downloading but also executing that file immediately after download.
Analyst Notes
Remote Access Trojans pose a significant risk to corporate networks and computers because they allow an attacker complete control of a computer and access to files with the same permissions as the account of the employee who was tricked into running the RAT. Many RATs also include the capability to exceed the employee account’s permissions and become an administrator, which can lead to a more severe impact on a corporate network’s security. It is important to keep anti-virus solutions up-to-date with the latest signatures and to use endpoint detection software to alert when an employee account performs unusual and suspicious behaviors that are more consistent with a threat actor’s actions than those of an employee.
Source: https://twitter.com/pmelson/status/1189536289005158401
File hash: a214a30225428679027ddab5e9dce22e4f25b8d2babd3bbfa6a989f944db8182
