A new version of a remote access trojan (RAT) family known as CRAT is detected. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as “Hansom.” CRAT has been attributed to the Lazarus APT Group in the past. The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion. The attack also employs a multitude of anti-infection checks to evade sandbox based detection systems. The distribution vector of the new version of CRAT (v2) is currently unknown. However, it is highly likely the attackers may have re-used a maldoc-based infection vector to spread CRATv2 as well.
The attackers have also used file names and export API names in the CRAT DLLs to masquerade the RAT as a benign application’s library. The implant performs checks to verify its execution on an allowed endpoint. The implant uses a variety of criteria to identify a blocklisted system. Both versions of CRAT use HTTP to communicate with the C2 servers. The data sent to the C2 is in the form of URL-encoded form data. The C2 server will respond with a JSON containing command codes and supporting data to be recognized by the implant to execute a corresponding RAT capability. The CRAT malware consists of multiple RAT capabilities that allow it to be highly versatile and dangerous. CRAT executes these capabilities by receiving command codes and corresponding data from the C2 in the form of JSONs communicated over HTTP. The RAT also shows capability of stealing browser passwords. Other discovered capabilities include:
The ransomware plugin encrypts specific file extensions on the infected endpoint.