Rewterz Threat Alert – Second Desktop Used By SectopRAT

Severity

Medium

Analysis Summary

First observed on November 15th, SectopRAT is a remote access malware product that brings up a second screen, not visible to the user, that can be used to surf the Internet by the attacker. SectopRAT’s code is .NET based and two samples, compiled on November 13th and 14th were found by G Data. To help avoid suspicion, the first sample was digitally signed by a Sectigo RSA Code Signing CA and had an Adobe Flash icon. The second sample used an icon that looks like a red floppy disk and was not digitally signed. To prevent tools like dnSpy from decompiling its code, ConfuserEx was used to obfuscate the control flow to the .NET assembly. Once a system has been infected, persistence is gained through the use of the RUN key in the registry. Although the code for SectopRAT looks to be hastily drawn together, some factions of the malware indicate that the author may have a level of system internals knowledge above that of a “greenhorn”. G Data speculates these versions of the code are merely test versions and that improved versions may be on the horizon.

Impact

The threat actor can surf the Internet using the infected machine.

Indicators of Compromise

SHA-256

• b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a
• 4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774
• d5a3d47e1945e9d83a74a96f02a0751abd00078ee62e6d3a546a050e0db10d93

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.