A new Trojan, SectopRAT, has appeared in the wild which is able to launch a hidden secondary desktop to control browser sessions on infected machines.
The new malware was first spotted by MalwareHunterTeam. In a tweet on 15 November, MalwareHunterTeam said the C# malware, compiled on 13 November, was able to "create [a] hidden desktop and run [a] selected browser there with full control."
This caught the attention of cybersecurity researchers from G Data, who were able to obtain a second sample, compiled on 14 November, later submitted to Virustotal.
The first SectopRAT sample is signed by Sectigo RSA Code Signing CA and uses a Flash icon, whereas the second is not signed. Both samples of the Remote Access Trojan (RAT) use arbitrary characters in their names, have write/execute characteristics, and make use of ConfuserEx for obfuscation.
According to the researchers, the malware contains a RemoteClient.Config class with four valuables for configuration -- IP, retip, filename, and mutexName.
The IP variable relates to the Trojan's command-and-control (C2) server, whereas the retip variable has been designed to set up new C2 IPs that the server can override using the "set IP" command.
Filename and mutexName, however, are set but not in active use.
The hardcoded filename spoolsvc.exe is added to the registry for persistence, a mimicry of the legitimate Microsoft service spoolsv.exe.
Once connected with its C2, the Trojan can be commanded to either stream an active desktop session or create a secondary one, hardcoded as "sdfsddfg," which is hidden from view. The researchers say that operators of the malware are able to use the "Init browser" command to initiate a browser session through the secondary desktop.
Chrome, Firefox or Internet Explorer browser sessions can be launched. The malware is also able to change browser configurations to disable security barriers and sandboxes. However, the browser paths are hardcoded and do not use environmental variables.
The malware is also able to send computer information back to the C2, such as the name of the operating system, processor data, core information and RAM available.
Another command, "Get codec info" is yet to be implemented. The team believes that the Trojan is not yet complete, as SectopRAT "looks unfinished and in parts hastily done."
"Despite obvious flaws like using hardcoded paths without environmental variables to access system files, the RAT's architecture, the use of a second desktop and changes in browser configuration files and parameters show some internal knowledge that is far from a greenhorn," the researchers say. "It is quite possible that the first samples in the wild are merely for testing."
Indicators of Compromise (IoCs) can be accessed here.
Previous and related coverage
- When one isn't enough: This shady malware will infect your PC with dual Trojans
- This old trojan malware is back with a new trick to help it hide in plain sight
- Magecart group linked to Dridex banking Trojan, Carbanak
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0