While analyzing a malicious executable, researchers identified a new German RAT, "Pekraut." The first sample was packed with ConfuserEx and, like a second, unpacked sample they discovered, obfuscated with Dotfuscator. The RAT installs itself under the name of a system process, "svchost.exe", and establishes persistence using both the Winlogon Shell Registry key and a shortcut file in the Startup folder masquerading as an Internet Explorer Update. Its uninstall routine cleans up these artifacts by restoring the default Registry value and deleting the shortcut. The exact installation behavior, such as the filenames and installation path, can be adjusted with different flags. Once installed, the malware bypasses UAC using the ComputerDefaults.exe method. Communication with its C2 server takes place over a socket connection and relies on a port-forwarding service to hide the attacker's IP address. Text data is encrypted with AES, while other data types are compressed with zlib.
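As an added defender-side check, not taken from the researchers' report, the following PowerShell audits the two persistence locations described above. It assumes the default Winlogon Shell value is "explorer.exe" and treats a Startup shortcut named like an Internet Explorer update, or one pointing at an "svchost.exe" outside the Windows system directories, as a heuristic indicator only.

```powershell
# Added example: audit Winlogon Shell and Startup-folder shortcuts.
# Assumption: default Shell value is "explorer.exe" (standard Windows default).
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        Write-Warning "Non-default Winlogon Shell in ${key}: '$shell'"
    }
}

# Startup folders for the current user and for all users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$wsh = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $wsh.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        # Heuristics (assumptions, not from the report): name masquerading as an
        # IE update, or an svchost.exe that does not live in a system directory.
        $nameLooksLikeIeUpdate = $_.BaseName -like '*Internet Explorer*'
        $fakeSvchost = $false
        if ($target -and (Split-Path $target -Leaf) -ieq 'svchost.exe') {
            $parent = Split-Path $target -Parent
            $fakeSvchost = -not ($systemDirs | Where-Object { $parent -ieq $_ })
        }
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Suspicious = $nameLooksLikeIeUpdate -or $fakeSvchost
        }
    }
}
```

Run it in an elevated session so HKLM and the all-users Startup folder are readable; any row marked Suspicious, or any Winlogon warning, warrants a closer look at the referenced file before restoring the default value.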
Pekraut is feature-rich and allows for 27 different commands to be accepted from the C2 server, including a help command that provides a description for the commands in German. Commands include those for file, process, and registry operations, gathering system information, performing reconnaissance, and more.