First observed on November 15th, SectopRAT is a .NET remote access trojan that creates a second desktop, invisible to the logged-on user, from which the attacker can browse the Internet on the infected machine. G Data found two samples, compiled on November 13th and 14th. To avoid suspicion, the first sample was signed with a certificate issued by the Sectigo RSA Code Signing CA and carried an Adobe Flash icon; the second used an icon resembling a red floppy disk and was not signed. To hinder analysis in decompilers such as dnSpy, the assembly's control flow was obfuscated with ConfuserEx. Once a system is infected, persistence is established through a value in the registry Run key. Although the code looks hastily assembled, some facets of the malware suggest the author's knowledge of Windows internals is above that of a "greenhorn". G Data speculates that these are test versions and that improved builds may be on the horizon.
The threat actor can surf the Internet using the infected machine.
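Since the only persistence mechanism G Data describes is the Run key, a quick triage check is to enumerate Run-key values and flag any whose executable lives in a user-writable location. The script below is an added example, not code from the G Data write-up or from the malware: it parses the text output of `reg query` for a Run key (a constructed sample is embedded inline) and applies a user-writable-path heuristic that is this example's assumption, not a documented SectopRAT indicator.

```python
"""Triage Run-key persistence entries for executables in user-writable paths.

Added example, not code from the G Data report or from SectopRAT. The sample
registry output and environment mapping below are constructed for the demo.
"""
import re
from typing import NamedTuple


class RunEntry(NamedTuple):
    name: str       # registry value name
    reg_type: str   # REG_SZ, REG_EXPAND_SZ, ...
    data: str       # raw command line stored in the value


# Constructed sample of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` output.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Adobe\flashplayer.exe
    Backup    REG_EXPAND_SZ    %TEMP%\disk.exe -s
"""

# Constructed stand-in for the victim's environment, so expansion is deterministic offline.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

# Directory fragments a normal user can write to; assumption of this example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# Value lines look like: <indent><name><2+ spaces><REG_TYPE><2+ spaces><data>
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_run_output(text: str) -> list[RunEntry]:
    """Turn `reg query` output into RunEntry records, skipping key headers and blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("HKEY"):
            continue
        m = VALUE_LINE.match(line.rstrip())
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3)))
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from a Run value: quoted path, else first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% references using the supplied mapping (unknown vars are left as-is)."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    lowered = path.lower()
    return any(frag in lowered for frag in USER_WRITABLE)


def find_suspicious(text: str, env: dict) -> list[RunEntry]:
    """Return Run entries whose image lives in a user-writable location."""
    return [e for e in parse_run_output(text)
            if is_user_writable(expand_env(image_path(e.data), env))]


if __name__ == "__main__":
    for entry in find_suspicious(SAMPLE_REG_OUTPUT, SAMPLE_ENV):
        print(f"suspicious Run value {entry.name!r}: {entry.data}")
```

On a live Windows host, feed the script the output of `reg query` for the Run keys under both HKCU and HKLM and let it read the real environment instead of the constructed mapping; an entry flagged here still needs manual review, since legitimate per-user installers also live under AppData.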