New SectopRAT Trojan creates hidden second desktop to control browser sessions

The Trojan makes sure the second desktop is hidden from sight.
Written by Charlie Osborne, Contributing Writer

A new Trojan, SectopRAT, has appeared in the wild which is able to launch a hidden secondary desktop to control browser sessions on infected machines. 

The new malware was first spotted by MalwareHunterTeam. In a tweet on 15 November, MalwareHunterTeam said the C# malware, compiled on 13 November, was able to "create [a] hidden desktop and run [a] selected browser there with full control."

This caught the attention of cybersecurity researchers from G Data, who were able to obtain a second sample, compiled on 14 November, later submitted to Virustotal.


The first SectopRAT sample is signed by Sectigo RSA Code Signing CA and uses a Flash icon, whereas the second is not signed. Both samples of the Remote Access Trojan (RAT) use arbitrary characters in their names, have write/execute characteristics, and make use of ConfuserEx for obfuscation. 

According to the researchers, the malware contains a RemoteClient.Config class with four valuables for configuration -- IP, retip, filename, and mutexName. 

The IP variable relates to the Trojan's command-and-control (C2) server, whereas the retip variable has been designed to set up new C2 IPs that the server can override using the "set IP" command. 

See also: Asruex Trojan exploits old Office, Adobe bugs to backdoor your system

Filename and mutexName, however, are set but not in active use. 

The hardcoded filename spoolsvc.exe is added to the registry for persistence, a mimicry of the legitimate Microsoft service spoolsv.exe.

Once connected with its C2, the Trojan can be commanded to either stream an active desktop session or create a secondary one, hardcoded as "sdfsddfg," which is hidden from view. The researchers say that operators of the malware are able to use the "Init browser" command to initiate a browser session through the secondary desktop. 

CNET: Facebook, Google 'surveillance' threatens human rights, Amnesty International says

Chrome, Firefox or Internet Explorer browser sessions can be launched. The malware is also able to change browser configurations to disable security barriers and sandboxes. However, the browser paths are hardcoded and do not use environmental variables. 

The malware is also able to send computer information back to the C2, such as the name of the operating system, processor data, core information and RAM available. 

TechRepublic: How can you protect yourself from hackers? An IBM social engineer offers advice

Another command, "Get codec info" is yet to be implemented. The team believes that the Trojan is not yet complete, as SectopRAT "looks unfinished and in parts hastily done."

"Despite obvious flaws like using hardcoded paths without environmental variables to access system files, the RAT's architecture, the use of a second desktop and changes in browser configuration files and parameters show some internal knowledge that is far from a greenhorn," the researchers say. "It is quite possible that the first samples in the wild are merely for testing."

Indicators of Compromise (IoCs) can be accessed here

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards