Security researchers from Cisco have discovered a new version of a remote access trojan (RAT) dubbed "CRAT" that targets endpoints.
Cisco's Talos Intelligence Group confirmed that the new version of CRAT can download and deploy additional malicious plugins, such as the "Hansom" ransomware, on compromised systems. Other capabilities include screen-capture, clipboard-monitoring and keylogger components.
“The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion,” Talos group stated in a blog post.
"The attack also employs a multitude of anti-infection checks to evade sandbox-based detection systems."
Talos also said CRAT is linked to the Lazarus advanced persistent threat (APT) group, the threat actor behind multiple cyberattacks, including those targeting entertainment companies.
Attack vectors
Talos said one of the CRAT distribution vectors is malicious Hangul Word Processor (HWP) documents, a file format widely used in South Korea.
Malicious HWP files can be attached to phishing emails; when opened, they exploit the Artifex Ghostscript vulnerability CVE-2017-8291 to run malicious shellcode.
Talos further explained that the shellcode then downloads and executes CRATv1 on the infected endpoint, and added that the same vector was very likely used to distribute CRATv2 as well.
CRAT capabilities
Talos said CRAT collects the following information from target systems:
- Names of installed antivirus products
- Names of installed firewall products
- Domain names (e.g., NetBIOS, DNS and domain forest names)
- File version numbers taken from the version information embedded in DLLs
- System folder path
- A flag indicating whether the current user has administrative privileges
In addition, CRAT can enumerate drives, gather file size information, read and write files, and exfiltrate data to command and control (C2) servers. The trojan can also execute commands, open a reverse shell and steal browser passwords, among other capabilities.
Readers can check out the full Talos report for more details on CRAT, including its communication mechanisms, CRATv2 plugins, history and indicators of compromise (IOCs).