This RAT Doesn't Squeak Much

Saefko does stuff. Lots of stuff.

Larry Loeb, Blogger, Informationweek

August 13, 2019

2 Min Read

The Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities.

A RAT is a type of malware that includes a backdoor for remote administrative control of the target, and this one is no exception. The RAT can monitor target behavior through the logging of user keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives and the like.

The Saefko RAT stays in the background and executes every time the user logs in. It does this by creating a startup key to execute the malware at login. Other observed behavior includes fetching the Chrome browser history and looking for specific types of activity, such as credit cards, business, social media, gaming, cryptocurrency and shopping.
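That startup-key persistence is also the cheapest place for a defender to look. The following PowerShell audit is an added example, not code from the article or from Zscaler's write-up: it walks the user and machine Run/RunOnce keys and flags autostart entries that launch from user-writable directories, point at a missing file, or lack a valid Authenticode signature. The key list and the "user-writable" heuristic are assumptions for illustration.

```powershell
# Added example: audit Run/RunOnce autostart entries for signs of a dropped RAT.
# The key list and the user-writable-directory heuristic are assumptions.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories a legitimate installer rarely uses for an autostart binary (assumption).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, ($env:USERPROFILE + '\Downloads'))

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # HKLM keys need admin; skip if unreadable
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/etc.; those are not autorun values.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Extract the executable: a quoted path, or else the first token of the command.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $reasons = @()
            foreach ($dir in $userWritable) {
                if ($dir -and $exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from user-writable path $dir"
                }
            }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                $reasons += 'target file not found'
            }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt to cover the HKLM keys as well; an entry with an unsigned binary under AppData or Temp is worth pulling for analysis, and pairing this with the outbound-traffic monitoring Zscaler recommends covers both the persistence and the C&C side.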

It phones home to a command-and-control (C&C) server, and sends it what it has found. The C&C can tell the malware to download an additional payload as well.

It will check to see whether the Internet connection is active. It then uses the Chrome browser history to search for particular websites the user has visited and keeps a count of those that were visited. This gives the attacker information to decide which of all the infected systems it should target first.

Zscaler's blog contains a list of the exact websites that it will be searching for, but is too lengthy for this article.

After that, Saefko begins the "StartServices" function, which has four different infection modules to it. They are HTTPClinet (that's how it spells Client), IRCHelper, KEYLogger, and StartLocalServices (USB spreading).

Don't forget those video sources. Saefko will search for AForge.dll, AForge.Video.DirectShow.dll, AForge.Video.dll and Sqlite3.dll on the system. It searches for a list of video input devices on the targeted system and sends all the related information to the C&C. Oh yes, it will send a snapshot from the device it has determined is present on the system. The video frame is encoded with Base64 and sent to the C&C for any further nefarious utilization.

Boy howdy, this one does stuff.

Zscaler does have some advice, though. "At the administrative level," they post in the blog, "it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT."

That happens to be a very good point. You can't fix a RAT unless you know you have it.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
