Bozok RAT

Bozok RAT Description

The Bozok RAT is a cyber-threat wielded by a dominant APT (Advanced Persistent Threat) group called 'admin@338.' Bozok falls in the category of Remote Access Trojans (RATs), which are designed to give an attacker full control over an infected machine. It is a custom-made RAT that was first identified in late 2013 and received regular updates into late 2016. The Bozok RAT is used for cyber-espionage centred on international trade deals, geopolitical-level financial negotiations, economic strategies and major shifts on the world stock markets.

The Bozok RAT is delivered to targeted systems via the tried-and-true spear-phishing tactic. The operators are known for crafting malicious Microsoft Word, PDF and Microsoft Excel documents with an embedded payload, which are sent to senior figures in the targeted organizations. The phishing emails usually purport to contain sensitive information or contact lists that must be updated immediately. The threat actors exploit CVE-2012-0158, a vulnerability affecting Microsoft Office, Microsoft SQL Server and Microsoft Visual FoxPro, to drop the malware on Windows machines. Opening the decoy document triggers the download of a malicious executable that is saved to C:\Windows\wmiserver.exe\. The Bozok RAT may therefore appear in Task Manager as 'wmiserver.exe,' but this is an impostor: the legitimate 'wmiserver.exe' is located under C:\Program Files (x86)\The Open Group\WMI Mapper\bin\ and belongs to HPE Systems Insight Manager, developed by Hewlett Packard for Windows. The threat actors may also use a misappropriated digital certificate to sign the Bozok RAT files and make them harder to detect.
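The masquerade described above (a dropped 'wmiserver.exe' in C:\Windows versus the legitimate WMI Mapper binary) is something a defender can check for in a process or file inventory. The following triage helper is an added example, not code from the original write-up; the record format and the sample inventory are constructed for illustration, and a valid signature is deliberately not treated as exculpatory because the operators may sign the RAT with a misappropriated certificate.

```python
"""Triage check for the Bozok RAT 'wmiserver.exe' masquerade (added example)."""
import ntpath
from typing import Dict, List

# Paths taken from the write-up: the RAT is dropped to C:\Windows\wmiserver.exe,
# while the legitimate HPE binary lives in the WMI Mapper bin directory.
MASQUERADED_NAME = "wmiserver.exe"
LEGIT_DIR = r"C:\Program Files (x86)\The Open Group\WMI Mapper\bin"
DROP_PATH = r"C:\Windows\wmiserver.exe"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no trailing slash)."""
    return ntpath.normpath(path).lower()


def classify(record: Dict[str, str]) -> str:
    """Return 'legitimate', 'suspicious' or 'ignore' for one inventory record.

    Record keys (constructed for this example): 'name', 'path', 'signed'.
    The 'signed' field is carried along for the analyst but never clears a hit.
    """
    if record["name"].lower() != MASQUERADED_NAME:
        return "ignore"
    if ntpath.dirname(_norm(record["path"])) == _norm(LEGIT_DIR):
        return "legitimate"
    return "suspicious"


def triage(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that warrant investigation, each with a reason attached."""
    hits = []
    for rec in records:
        if classify(rec) != "suspicious":
            continue
        if _norm(rec["path"]) == _norm(DROP_PATH):
            reason = "matches documented Bozok drop path"
        else:
            reason = "wmiserver.exe outside the WMI Mapper bin directory"
        hits.append({**rec, "reason": reason})
    return hits


# Constructed sample inventory (not real telemetry).
SAMPLE = [
    {"name": "wmiserver.exe", "path": LEGIT_DIR + r"\wmiserver.exe", "signed": "yes"},
    {"name": "WMISERVER.EXE", "path": r"C:\Windows\wmiserver.exe", "signed": "yes"},
    {"name": "wmiserver.exe", "path": r"C:\Users\Public\wmiserver.exe", "signed": "no"},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "signed": "yes"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['path']}: {hit['reason']}")
```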

The Bozok RAT features an easy-to-use graphical interface that is accessible from a command machine and through a Web service. Its control panel gives operators a file explorer, a Registry editor and a Task Manager for the infected computer. Bozok also lets the threat actors load a desktop viewer and watch what the user is doing. Compromised users are tracked by other tools as well: a keylogger that saves keyboard input to a text file, a password grabber that extracts login credentials saved in the Web browser, and a component that can stream the Web camera feed to an IP address. The operators monitor infected devices from a single hub that displays the OS version, IP address, country of origin, whether a Web camera is installed and the currently active window.

Regular PC users are not likely to encounter the Bozok RAT on their machines, but strict safety policies should be followed nevertheless. Make sure to update the firmware on your router, keep your applications up to date, and run a security sweep at least every two weeks. Make data backups as often as you can and avoid questionable emails from unknown senders. Detection names for the Bozok RAT are listed below:

BackDoor-FBJL!C5D8B7C8E2F5
PE:Backdoor.Bezigate!6.993[F1]
RAT.Bozok
TROJ_BEZIGATE.GT
TROJ_SPNR.35CD13
Trojan ( 7000000f1 )
Trojan.Agent.BHRD
Trojan.Agent.BHRD (B)
Trojan.Boht.Win32.584
Trojan.Siscos!zxesqQm4ofc
Trojan[:HEUR]/Win32.Unknown
W32/Backdoor.YPOC-1563
W32/Backdoor2.HTEX
W32/Trojan.RSOY-0282
Win32:NewPos-B [Trj]
