Cotx RAT

Recently, malware researchers spotted several campaigns targeting government institutions located in the East Asian region. It is likely that the Chinese hacking group called TA428 is responsible for these attacks.

Propagation Method

The infection vector appears to be spear-phishing emails. The targeted government workers would receive an email with a ‘.doc’ or ‘.rtf’ attachment, which they are urged to open. If the user falls for this trick and attempts to open the attached file, the attackers will use a known vulnerability in the Microsoft Equation Editor to plant a threat on the user’s computer.

A Specially Crafted RAT

In some of the launched campaigns, the threat that was planted on the victim’s system was the Poison Ivy RAT (Remote Access Trojan). However, the attackers have, apparently, decided to diversify their attacks and develop a brand-new RAT that was specifically crafted for this operation – the Cotx RAT.

Gaining Persistence

Once the Cotx RAT infiltrates a system, it will tamper with the Windows Registry to gain persistence, ensuring that the threat will be run every time that the computer is rebooted. Once this step is completed, the Cotx RAT will contact the C&C (Command & Control) server of its operators. This is where the Cotx RAT receives commands from and where it siphons all the collected data.

Capabilities

The Cotx RAT has an impressive list of capabilities. Among them are:

• Launching files.
• Taking screenshots.
• Viewing directories.
• Viewing files.
• Viewing installed applications.
• Viewing running processes.
• Terminating processes.
• Reading, writing, copying and deleting files.
• Halting the connecting with the C&C server.
• Removing itself from the host.

Despite the attackers only targeting government employees in East Asia, for now, it is likely that they may decide to expand their reach and begin targeting regular users. It is important that you download and install a reputable anti-malware tool, which will keep your system secure from pests like the Cotx RAT.