Bozok RAT

The Bozok RAT is a cyber-threat wielded by a dominant APT (Advanced Persistent Threat) group called 'admin@338.' The Bozok RAT software falls in the category of Remote Access Trojans (RATs), which are designed to enable full control over the infected machines. The Bozok utility is a custom-made RAT that was identified in late-2013 with regular updates going into the late-2016. The Bozok RAT is used for cyber-espionage associated with international trade deals, financial negotiations on the geopolitical level, economic strategies, and major changes on the world stock market.

The Bozok RAT is introduced to the targeted systems via the tried-and-true spear phishing tactic. The malware operators are known for crafting harmful Microsoft Word, PDFs, and Microsoft Excel documents that include an embedded payload. The corrupted text files are sent to figures on top positions in targeted organizations. The phishing emails usually purport to include sensitive information and contact lists that should be updated immediately. The threat actors leverage the CVE-2012-0158 vulnerability that affects Microsoft Office, Microsoft SQL Server, and Microsoft Visual Foxpro to drop malware to Windows-powered machines. Opening the fake documents triggers the download of a harmful executable that is saved to C:\Windows\wmiserver.exe\. The Bozok RAT may be loaded in the Task Manager as 'wmiserver.exe,' but it is a fake instance. The legitimate version of 'wmiserver.exe' is located under C:\Program Files (x86)\The Open Group\WMI Mapper\bin\ and it is utilized by the HPE Systems Insight Manager developed by Hewlett Packard for Windows. It is possible that the threat actors may use a misappropriated digital certificate to sign the Bozok RAT files and make them harder to detect.

The Bozok RAT is known to feature an easy-to-use graphical interface that is accessible from a command machine and a Web service. The Bozok RAT control panel allows access to the file explorer, Registry editor, and the Task Manager on infected computers. Also, Bozok RAT enables threat actors to load a desktop viewer and look at what the user is doing. Compromised users are tracked by other tools as well. The Bozok RAT includes a keylogger that saves the keyboard input to a text file; there is a password grabber application that extracts saved login credentials in your Web browser, and there is an instrument that can stream the feed from your Web camera to an IP address. The hackers behind the Bozok RAT monitor the infected devices via a single hub, which displays useful information like OS version, IP address, country of origin, installed Web camera and the currently active window.

Regular PC users are not likely to encounter the Bozok RAT on their machines, but strict safety policies should be followed nevertheless. Make sure to update the firmware on your router, keep your applications up-to-date, and do a security sweep at least every two weeks. Don't forget to make data backups as often as you can and avoid questionable emails from unknown senders. Detection names for the Bozok RAT are listed below:

Trojan ( 7000000f1 )
Trojan.Agent.BHRD (B)
Win32:NewPos-B [Trj]


Most Viewed