Horus Eyes RAT
The Horus Eyes RAT is a fully fledged Remote Access Trojan (RAT) equipped with a vast array of threatening functionalities. The threat was initially sold on an underground hacker forum. However, after a couple of updates, its creator made the Trojan public by publishing it on GitHub. Although the Horus Eyes RAT's author states on their YouTube channel that all of their software products are created for educational purposes, this matters little when cybergangs have already started adding the RAT to their malware arsenals due to its potency.
The Horus Eyes RAT was created as a successor to SPYBOXRAT, an earlier threat by the same author. It boasts a massively expanded set of capabilities that can make it a useful tool for almost any hacker gang, regardless of their specific attack operations. The RAT can perform automated tasks, manipulate the file system on compromised systems, fetch and deploy additional payloads, harvest sensitive information such as user credentials and browsing history, kill or pause select processes, and much more.
The Horus Eyes RAT Employed in a Banking Trojan Attack
Easy access to the code of the Horus Eyes RAT gives cybercriminals the opportunity to customize the threat further according to their particular needs. Indeed, a modified version of the Horus Eyes RAT has already been observed in use as a second-stage payload alongside a previously unknown banking Trojan named Warsaw. The hackers relied on the Horus Eyes RAT to take over the infected systems and then obtain payment and banking credentials. The threat scanned any opened foreground windows and compared their names to a hardcoded list. It also collected various details about the system, including usernames, OS versions, CPU architecture, computer name, etc.
As part of the newly added features, the hackers introduced a persistence mechanism via a Registry key that ensured the auto-start of the Trojan on every system boot. They also incorporated the Horus Eyes RAT into their infrastructure by making the threat capable of sending notifications to a Telegram account upon detecting certain user actions on the compromised device.