Bozok RAT Description
The Bozok RAT is a cyber-threat wielded by a prominent APT (Advanced Persistent Threat) group known as 'admin@338'. The Bozok RAT software falls into the category of Remote Access Trojans (RATs), which are designed to give the operator full control over infected machines. Bozok is a custom-made RAT that was first identified in late 2013, with regular updates continuing into late 2016. The Bozok RAT is used for cyber-espionage targeting international trade deals, geopolitical financial negotiations, economic strategies, and major movements on the world stock markets.
The Bozok RAT is introduced to targeted systems via the tried-and-true spear-phishing tactic. The malware operators are known for crafting harmful Microsoft Word, PDF, and Microsoft Excel documents that carry an embedded payload. The malicious documents are sent to figures in top positions at the targeted organizations. The phishing emails usually purport to contain sensitive information or contact lists that must be updated immediately. The threat actors leverage the CVE-2012-0158 vulnerability, which affects Microsoft Office, Microsoft SQL Server, and Microsoft Visual FoxPro, to drop malware onto Windows-powered machines. Opening the fake document triggers the download of a harmful executable that is saved to C:\Windows\wmiserver.exe. The Bozok RAT may therefore appear in the Task Manager as 'wmiserver.exe', but that entry is an impostor. The legitimate 'wmiserver.exe' is located under C:\Program Files (x86)\The Open Group\WMI Mapper\bin\ and is used by HPE Systems Insight Manager, developed by Hewlett Packard for Windows. It is possible that the threat actors use a misappropriated digital certificate to sign the Bozok RAT files and make them harder to detect.
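The masquerading described above is checkable: the legitimate binary lives in one fixed directory, so any wmiserver.exe image loaded from anywhere else (in particular from the Windows directory) deserves a look. The PowerShell below is an added example, not code from the original page or from any vendor; it assumes only the two paths named in the text and the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets, and the function name Test-WmiServerProcess is my own.

```powershell
# Added example (not from the original page): flag wmiserver.exe instances whose
# image path is not the legitimate WMI Mapper location named in the text above,
# and report the Authenticode status of each image found.
$legitDir = 'C:\Program Files (x86)\The Open Group\WMI Mapper\bin'

function Test-WmiServerProcess {
    # Win32_Process exposes the full executable path of each running instance
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wmiserver.exe'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $finding = [ordered]@{
            PID        = $p.ProcessId
            Path       = $path
            Suspicious = $false
            Reason     = ''
            Signature  = 'n/a'
            Signer     = ''
        }
        if (-not $path) {
            # No path usually means access denied or the process has already exited
            $finding.Suspicious = $true
            $finding.Reason = 'executable path unavailable'
        }
        elseif ((Split-Path $path -Parent) -ne $legitDir) {
            # Path comparison is case-insensitive by default in PowerShell
            $finding.Suspicious = $true
            $finding.Reason = "image outside expected directory $legitDir"
        }
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $finding.Signature = $sig.Status
            if ($sig.SignerCertificate) { $finding.Signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') {
                $finding.Suspicious = $true
                $finding.Reason = ($finding.Reason, 'signature not valid') -join '; '
            }
        }
        [pscustomobject]$finding
    }

    # Also check the drop location from the text, even when no instance is running
    $dropPath = Join-Path $env:SystemRoot 'wmiserver.exe'
    if (Test-Path $dropPath) {
        $sig = Get-AuthenticodeSignature -FilePath $dropPath
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            PID        = $null
            Path       = $dropPath
            Suspicious = $true
            Reason     = 'wmiserver.exe present in the Windows directory'
            Signature  = $sig.Status
            Signer     = $signer
        }
    }
}

Test-WmiServerProcess | Format-Table -AutoSize
```

Two caveats when reading the output. First, because the text notes the actors may sign their files with a misappropriated certificate, a 'Valid' signature status does not clear a file on its own; the path check is the stronger signal, and the Signer column should be compared against the publisher you expect for the WMI Mapper component. Second, the legitimate binary should only exist on hosts where HPE Systems Insight Manager's WMI Mapper is actually installed, so on any other machine the presence of wmiserver.exe at all is worth investigating.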
The Bozok RAT is known to feature an easy-to-use graphical interface that is accessible from the operator's command machine and through a Web service. The Bozok RAT control panel provides access to a file explorer, a Registry editor, and the Task Manager on infected computers. Bozok RAT also lets the threat actors load a desktop viewer and watch what the user is doing. Compromised users are tracked by other tools as well: the Bozok RAT includes a keylogger that saves keyboard input to a text file, a password grabber that extracts login credentials saved in the Web browser, and a component that can stream the Web camera feed to an IP address. The hackers behind the Bozok RAT monitor the infected devices from a single hub, which displays useful information such as the OS version, IP address, country of origin, whether a Web camera is installed, and the currently active window.
Regular PC users are not likely to encounter the Bozok RAT on their machines, but strict safety policies should be followed nevertheless. Make sure to update the firmware on your router, keep your applications up to date, and do a security sweep at least every two weeks. Don't forget to make data backups as often as you can, and avoid questionable emails from unknown senders. Detection names for the Bozok RAT are listed below:
Trojan ( 7000000f1 )