Sectoprat is a new.NET Remote Access Trojan (RAT) discovered on November 15th by the MalwareHunterTeam. While fairly lightweight at 243KB, this RAT is particularly nasty in its browser hijacking capabilities and persistence mechanisms. While obviously still under development, this malware can either stream the current desktop to give a live view of the infected victim’s screen, or it can create a new desktop which is invisible to the infected victim. The threat actor can then initialize a web browser that they can view and modify at their whim, but which is invisible to the legitimate user of the infected computer. For persistence, the malware saves itself to %LOCALAPPDATA%/Microsoft/spoolsvc.exe, and then installs a run key to run at startup, using this registry key: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRunSFddg
Analyst Notes
While it is important to keep anti-virus signatures up-to-date, whenever new malware appears, it may go undetected for some time before new signatures are released by all of the anti-virus product vendors. For best protection of business computers, it is critically important to practice defense-in-depth, including a monitoring strategy using Endpoint Detection and Response (EDR) products, supported by analysts who are able to examine suspicious new programs and determine whether they are malicious or not.
To read more: https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers
