
Trojan.SlayerRAT

By CagedTech in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 1
First Seen: October 18, 2016
Last Seen: July 8, 2018
OS(es) Affected: Windows

Trojan.SlayerRAT is a Remote Access Trojan (RAT) used to collect data from the users of infected computers. Trojan.SlayerRAT is distributed commercially, meaning that practically anyone with the money to buy it outright or purchase a subscription can acquire Trojan.SlayerRAT and use it to carry out attacks on a target of their choice. The con artists responsible for developing Trojan.SlayerRAT are probably from Tunisia, according to a promotional video first seen on YouTube in February of 2016. Trojan.SlayerRAT is not the work of amateurs. It has sophisticated properties that make it comparable to some of the most threatening RATs available, including Ratenjay and BlackShades. This is what makes Trojan.SlayerRAT particularly threatening: it puts advanced threat capabilities in the hands of amateurs with enough money to purchase a subscription.

How Trojan.SlayerRAT Carries out Its Attack

Trojan.SlayerRAT may be distributed using common threat delivery methods, such as infected email attachments or corrupted scripts contained in hijacked websites. However, Trojan.SlayerRAT has a second avenue of distribution: it has worm-like features that let it move from one infected computer to another. When Trojan.SlayerRAT first enters a computer, it is installed in one of the following directories:

  • %AppData%
  • %ProgramData%
  • %TEMP%
  • %UserProfile%

There are some curious features of the Trojan.SlayerRAT attack that PC security researchers have noticed. Trojan.SlayerRAT is capable of carrying out its operations with limited user privileges and can prevent victims from accessing the infected computer's desktop by enforcing a password. This essentially turns Trojan.SlayerRAT into a combination of a RAT infection and a screen locker. After Trojan.SlayerRAT enters the victim's computer, it makes sure that it starts whenever the affected computer boots. Trojan.SlayerRAT loads as soon as the victim logs into Windows, running and demanding a password. Trojan.SlayerRAT can evade detection on the victim's computer and can run commands through the Task Scheduler and Task Manager, which allows it to disable known security programs. Trojan.SlayerRAT is capable of altering the infected computer's network settings, establishing a proxy setup and redirecting the victim to certain websites. Trojan.SlayerRAT can change the Windows Registry and block the victim from accessing important Windows features such as the following:

  • Account Administration
  • CMD
  • Control Panel
  • Firewall
  • Task Manager
  • UAC (User Account Control)
  • Windows update
  • msconfig
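The feature blocking described above is typically done through Windows policy values in the Registry, and the persistence through the usual autorun locations. The following PowerShell audit is an added example for defenders; it is not code from the original page and has no connection to the malware's authors. It reads the standard policy values that govern Task Manager, the Registry Editor, CMD, the Control Panel, UAC and automatic updates, checks the firewall profiles, and then lists Run-key entries and scheduled-task actions that point into the four staging directories named earlier. The registry paths and value names are standard Windows locations; which values count as "tampered" and the directory list are assumptions made for this example (msconfig has no single well-known policy value, so it is not covered).

```powershell
# Added audit example (not from the original page). Run in an elevated
# PowerShell session on the machine being checked.

# Policy values a locker-style RAT commonly sets. The "Bad" script block says
# which stored value indicates the feature has been blocked.
$policyChecks = @(
    @{ Feature='Task Manager';    Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Bad={ param($v) $v -eq 1 } },
    @{ Feature='Registry Editor'; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Bad={ param($v) $v -ge 1 } },
    @{ Feature='CMD';             Path='HKCU:\Software\Policies\Microsoft\Windows\System';                  Name='DisableCMD';           Bad={ param($v) $v -ge 1 } },
    @{ Feature='Control Panel';   Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoControlPanel';       Bad={ param($v) $v -eq 1 } },
    @{ Feature='UAC';             Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableLUA';            Bad={ param($v) $v -eq 0 } },
    @{ Feature='Windows Update';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name='NoAutoUpdate';         Bad={ param($v) $v -eq 1 } }
)

function Test-PolicyTampering {
    foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent: Windows default, feature not blocked
        $value = $item.($c.Name)
        if (& $c.Bad $value) {
            [pscustomobject]@{ Finding='Policy'; Feature=$c.Feature; Location="$($c.Path)\$($c.Name)"; Value=$value }
        }
    }
}

function Test-FirewallDisabled {
    # Reports any firewall profile (Domain/Private/Public) that has been switched off.
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{ Finding='Firewall'; Feature="$($_.Name) profile"; Location='Get-NetFirewallProfile'; Value='Disabled' }
        }
}

function Get-StagingDirAutoruns {
    # The installation directories listed on the page, expanded from the environment
    # (assumption: the RAT's startup entry references the path where it was dropped).
    $stagingDirs = @($env:APPDATA, $env:ProgramData, $env:TEMP, $env:USERPROFILE) | Where-Object { $_ }
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own provider metadata
            # Expand %AppData%-style references so they compare against the real path.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            foreach ($dir in $stagingDirs) {
                if ($cmd -like "*$dir*") {
                    [pscustomobject]@{ Finding='Autorun'; Feature=$p.Name; Location=$key; Value=$cmd }
                }
            }
        }
    }
    # Scheduled tasks whose executable lives in one of the staging directories.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute)
            foreach ($dir in $stagingDirs) {
                if ($exe -like "*$dir*") {
                    [pscustomobject]@{ Finding='ScheduledTask'; Feature=$task.TaskName; Location=$task.TaskPath; Value=$exe }
                }
            }
        }
    }
}

$findings = @(Test-PolicyTampering) + @(Test-FirewallDisabled) + @(Get-StagingDirAutoruns)
if ($findings.Count -eq 0) {
    'No blocked-feature policies or staging-directory autoruns found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run keys and scheduled tasks that launch from %AppData%, %ProgramData%, %TEMP% or the user profile are not malicious on their own (many legitimate per-user installers use them), so treat each hit as a lead to inspect rather than a verdict; a policy value that blocks Task Manager or CMD on a machine where no administrator set such a policy is the stronger signal.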

Trojan.SlayerRAT Includes Certain Worm-Like Characteristics in Its Attack

Trojan.SlayerRAT has the ability to spread to other computers. This is a feature seen in worms (such as Dunihi) rather than in Trojans. Trojan.SlayerRAT also can copy itself to USB drives and other removable memory devices. Trojan.SlayerRAT makes its executable file look harmless, often masking it as a DOCX, PDF, PPTX or XLSX file. Once Trojan.SlayerRAT has been installed on the victim's computer, the con artists behind it can access the infected computer through a server component hosted on the victim's computer. Trojan.SlayerRAT can relay information about the infected computer, including the victim's IP address, the operating system version, devices connected to the infected computer and a list of running programs. Con artists can use Trojan.SlayerRAT to send threatening audio and text messages to the victim, taking advantage of the Windows Messaging service. Trojan.SlayerRAT is particularly difficult to remove effectively. Numerous computer users have reported that the Trojan.SlayerRAT infection remains on their computers even after steps have been taken to remove it completely.
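Because the worm-like spread relies on an executable that passes for a document on removable media, a useful complement to the host audit is a scan of attached USB drives for files that masquerade as documents. The script below is an added example for defenders, not code from the original page. The page only says the file is masked as a DOCX, PDF, PPTX or XLSX; the specific heuristics used here (a document extension immediately before an executable extension, hidden executables on removable media, and the Unicode right-to-left override character in a file name) are general masquerading patterns assumed for this example, and the extension lists are likewise assumptions.

```powershell
# Added example (not from the original page): flag executables on removable
# drives that present themselves as documents.

$documentExts = @('.docx', '.pdf', '.pptx', '.xlsx')            # assumed document types
$execExts     = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk')

function Get-RemovableDriveRoots {
    # DriveType 2 is "Removable Disk" in the Win32_LogicalDisk class.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Test-MasqueradingFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $ext     = $File.Extension.ToLowerInvariant()
    $reasons = @()

    if ($execExts -contains $ext) {
        # "invoice.pdf.exe": the extension of the base name is a document type,
        # so the file displays as a PDF when Explorer hides known extensions.
        $inner = [System.IO.Path]::GetExtension($File.BaseName).ToLowerInvariant()
        if ($documentExts -contains $inner) { $reasons += "double extension ($inner$ext)" }

        # A hidden executable on removable media has no ordinary reason to be there.
        if (($File.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0) {
            $reasons += 'hidden executable'
        }
    }

    # U+202E (right-to-left override) reverses the displayed tail of a name,
    # so the real extension can render as something document-like.
    if ($File.Name.IndexOf([char]0x202E) -ge 0) { $reasons += 'right-to-left override in name' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path    = $File.FullName
            Size    = $File.Length
            Created = $File.CreationTime
            Reasons = ($reasons -join '; ')
        }
    }
}

function Find-MasqueradingFiles {
    # Defaults to every removable drive currently attached; pass -Roots to scan
    # a specific folder instead (for example an offline copy of a suspect drive).
    param([string[]]$Roots = (Get-RemovableDriveRoots))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Test-MasqueradingFile -File $_ }
    }
}

Find-MasqueradingFiles | Format-Table -AutoSize
```

Turning on "File name extensions" in Explorer defeats the simplest of these disguises for end users, and the same checks can be applied from a scheduled task on workstations where USB use is common so that a drive carrying a document-named executable is reported before anyone double-clicks it.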
