Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

8/13/2019
10:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

This RAT Doesn't Squeak Much

Saefko does stuff. Lots of stuff.

The Zscaler ThreatLabZ team came acrossa new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities.

A RAT is a type of malware that includes a backdoor for remote administrative control of the target, and this one is no exception. The RAT can monitor target behavior through the logging of user keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives and the like.

The Saefko RAT will stay in the background and executes every time the user logs in. It does this by creating a startup key to execute the malware at login. Other observed behavior includes fetching the chrome browser history looking for specific types of activities like credit cards, business, social media, gaming, cryptocurrency and shopping.

It phones home to a command-and-control (C&C) server, and sends it what it has found. The C&C can tell the malware to download an additional payload as well.

It will check to see whether the Internet connection is active. It will then use the Chrome browser history to search for particular websites that have been visited by the user and makes a count of those that have been visited. This gives the attacker information to decide which systems it should target first from all systems it has infected.

Zscaler's blog contains a list of the exact websites that it will be searching for, but is too lengthy for this article.

After that, Saefko begins the "StartServices" function, which has four different infection modules to it. They are HTTPClinet (that's how it spells Client), IRCHelper, KEYLogger, and StartLocalServices (USB spreading).

Don't forget those video sources. Saefko will search for AForge.dll, AForge.Video.DirectShow.dll, AForge.Video.dll and Sqlite3.dll in the system. it searches for a list of video input devices on the targeted system and sends all the related information to the C&C. Oh yes, it will send a snapshot from the device it has determined is present on the system. The video frame is encodes with Base64 and sent to the C&C for any further nefarious utilization.

Boy howdy, this one does stuff.

Zscaler does have some advice, though. "At the administrative level," they post in the blog, "it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT."

That happens to be a very good point. You can't fix RAT unless you know you have it.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-21933
PUBLISHED: 2022-01-21
ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service.
CVE-2022-0326
PUBLISHED: 2022-01-21
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
CVE-2022-22930
PUBLISHED: 2022-01-21
A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload.
CVE-2022-23314
PUBLISHED: 2022-01-21
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do.
CVE-2022-23315
PUBLISHED: 2022-01-21
MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do.