A few days ago, Paul Melson (@pmelson) posted on Twitter about a new Remote Access Trojan (RAT) called “AbsoluteRAT,” developed using the .NET framework, that had suddenly appeared. This RAT is supposedly from the same author as Njrat Golden, as indicated by the name “Hassan Amiri,” which can be found in the strings of both tools. As Paul states in his tweet, this new RAT borrows heavily from an open-source project calling itself “LimeRAT.” According to research by Binary Defense malware analyst Stephan Simon, the AbsoluteRAT sample obtained appears to be in testing, as it is not obfuscated in any way. Rather than contacting an external server, it attempts to connect to a server on the same local computer that the RAT is running on, using the localhost IP address 127.0.0.1 on port 1177. Compared to LimeRAT, no code appears to have been modified aside from the removal of the file download capability. That portion of code was responsible for not only downloading a file but also executing it immediately after download.
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In