RAT (Remote Access Trojan) threats are designed to give cybercriminals unauthorized remote access to breached systems. Typically, these threats carry a diverse set of intrusive features and can be deployed as part of different attack operations. The Deed RAT is no exception: it can be instructed to perform numerous actions, depending on the specific goals of the attackers. It should be noted that the Deed RAT is not a new threat; in fact, it has been around for quite a while. Recently, however, infosec researchers have noticed an uptick in Deed RAT activity, involving new variants with an updated set of threatening features. Chinese threat actors involved in cyber espionage are believed to be behind the renewed interest in the threat.
The Deed RAT is a modular threat that is delivered via its main module loader. It consists of three separate sections, each carrying different access rights. The main backdoor, in turn, is capable of loading and managing plugins with specific functions. For example, the data section contains eight encrypted plugins. In general, each of the identified plugins is capable of performing five utility operations. The network plugin is responsible for extracting the Command-and-Control (C2, C&C) server address as a URL string.
The threat can collect system information, create a separate remote connection that allows the attackers to work with the plugins, deactivate that remote connection, and remove itself to cover the attackers' tracks. In addition, the Deed RAT can interact with and modify the Windows Registry.