Breach RAT Description
The Breach malware is a program associated with a Pakistan-based cybercrime group. The Breach program is classified as a Remote Access Trojan (RAT) based on its behavior on infected devices. The Breach RAT is a generic Trojan that is planted in targeted systems via a vulnerability exploit. The threat actors linked to Breach RAT exploit the CVE-2012-0158 vulnerability, which is present in several software products, namely Microsoft SQL Server, Microsoft Office, Microsoft Visual FoxPro, Microsoft Commerce Server, Microsoft BizTalk Server and Microsoft Visual Basic.
A successful attack via CVE-2012-0158 allows a threat actor to run arbitrary PowerShell code and drop a payload of their choosing on the targeted device. The hackers behind the Breach RAT use spear phishing and social engineering to lure Indian government officials into opening a harmful document on their work PCs. The weaponized documents usually refer to fake updates on important government policies and stealthily load a PowerShell script that downloads an encrypted packet from a remote server. The harmful code is executed in system memory without immediately writing a file to the local drives. Once the encrypted packet is decoded, a file is written to C:\Users\username\AppData\Local\Temp\svchost.exe. The legitimate svchost.exe is the Generic Host Process for Win32 Services on Windows, which hosts shared service DLLs; the Breach RAT borrows the name as a masquerading technique. After the Breach RAT is loaded, it copies itself to the hidden directory C:\ProgramData\svchost.exe, a location Windows uses to store application data.
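The infection chain above leaves two observable traces that a defender can hunt for in process-creation telemetry: an Office application spawning PowerShell, and a binary named svchost.exe running from anywhere other than the Windows system directories (the genuine one lives only in System32 and SysWOW64). The following script is an added example written for this page, not code from the original article or from any analysis of the malware. It assumes a simple process-creation record shape (image path plus parent image path, as a Sysmon Event ID 1 or EDR feed would provide), a baseline in which Office binaries never launch PowerShell, and a set of Office executable names that you would tune to your environment; the sample events are constructed to mirror the paths named in the text.

```python
"""Hunt for the two behaviours described in the text: svchost.exe masquerading outside the
Windows system directories, and Office documents that spawn PowerShell. The records below are
constructed for illustration; in practice feed Sysmon Event ID 1 or EDR process-creation data."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# The only directories that legitimately host svchost.exe (compared case-insensitively).
# Assumption: a default Windows install with %SystemRoot% = C:\Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Office images that should never be the parent of PowerShell on a typical workstation.
# Assumption: tune this set to your own baseline.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of the process that created it


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def classify(event: ProcessEvent) -> List[str]:
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings = []
    name = _basename(event.image)
    parent = _basename(event.parent_image)

    # svchost.exe is only legitimate under System32 / SysWOW64; Temp or ProgramData is a
    # masquerade exactly like the drop locations described in the text.
    if name == "svchost.exe" and _dirname(event.image) not in LEGIT_SVCHOST_DIRS:
        findings.append(f"svchost.exe running from non-system path: {event.image}")

    # A weaponized document loading a PowerShell script shows up as Office -> PowerShell.
    if name in POWERSHELL_IMAGES and parent in OFFICE_IMAGES:
        findings.append(f"PowerShell spawned by Office process: {event.parent_image}")

    return findings


def hunt(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return only the events that produced at least one finding."""
    return [(event, found) for event in events if (found := classify(event))]


# Constructed sample telemetry: two benign svchost launches, then the chain from the text.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\ProgramData\svchost.exe",
                 r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for event, found in hunt(SAMPLE_EVENTS):
        for finding in found:
            print(f"[!] {finding}  (parent: {event.parent_image})")
```

The path check is deliberately strict rather than relying on file names alone: a later stage that copies the dropped binary from Temp into ProgramData is still caught because neither directory is in the allow-list. Pair this with a file-integrity or hash check on the real System32\svchost.exe if your telemetry includes hashes, since a name-and-path check cannot tell a replaced system binary from a genuine one.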
The Breach RAT allows threat actors to log keystrokes, terminate or launch programs at will, upload data to a remote server, read the passwords saved in the victim's Web browser and delete data from local storage. Breach RAT is also reported to copy itself to USB drives as a way to reach machines that lack Internet access. If operated skillfully, the Breach RAT may be used to collect government secrets and to move both laterally and vertically through a computer network. Preventive measures are your best tactics against threats like Breach RAT: ignore suspicious emails from unverified senders, don't follow URLs in spam emails, keep your office suite up to date and run security scans weekly.