By GoldSparrow in Remote Administration Tools

McRAT is a Trojan dropper with backdoor capabilities that is typically used as one stage of a multi-component malware attack. McRAT has been used in several recent high-profile attacks involving vulnerabilities in the Java Runtime Environment. Like most malware infections, McRAT is designed to infect computers running the Windows operating system. Once McRAT has infected a computer, it establishes a connection with a remote server, creates a backdoor on the victim's computer, and downloads and executes other malicious files. McRAT is often an essential part of complex malware attacks that can result in invasions of privacy, the loss of your data and scams designed to steal your money. To protect your computer from a malware attack involving McRAT, ESG security researchers suggest the use of an accurate anti-malware scanner to protect your machine at all times. Because McRAT has been associated with Java exploits, it is necessary to keep your version of Java updated, to apply the most recent security patches and to avoid using Java if it isn't essential.

McRAT is designed to download other malware threats and install them on the victim's computer. Once McRAT enters a computer, usually by taking advantage of Java exploits or through social engineering techniques, it creates several files, including a malicious DLL file. Then, McRAT makes harmful changes to the infected computer's Windows Registry that allow it to start automatically as soon as the infected computer starts up. By taking advantage of other processes running in memory, McRAT can execute its malicious code and download information from a remote server without the victim's knowledge or authorization.

Once McRAT is installed, it is typically used to download other malware from a remote location. However, McRAT can also be used on its own to carry out several dangerous tasks on the victim's computer. McRAT has the ability to steal information from the infected computer. This can range from basic information, such as the infected computer's version of Windows, to important data such as the victim's account names and passwords. This information can be sent to a remote server by using regular HTTP through an unauthorized network connection.

File System Details

McRAT may create the following file(s):
# File Name Detections
1. C:\Documents and Settings\\AppMgmt.dll

Registry Details

McRAT may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = %SystemRoot%\System32\appmgmts.dll
HKEY_LOCAL_MACHINE\SYSTEM\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = C:\Documents and Settings\admin\AppMgmt.dll
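The two entries above show the AppMgmt service's ServiceDll value moving from %SystemRoot%\System32 to a user-profile path. The following is an added example, not code from ESG or the original page, that generalizes that check to any ServiceDll value found in `reg query` style output. The default SystemRoot of C:\Windows, the function names and the two sample snapshots are assumptions constructed for illustration.

```python
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"  # assumption: default %SystemRoot% on the host
# Standard hive path for the service key (constructed sample, not live data).
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters"
PREFIX = "\n    ServiceDll    REG_EXPAND_SZ    "
# Constructed `reg query` style snapshots using the two values listed above.
CLEAN = KEY + PREFIX + r"%SystemRoot%\System32\appmgmts.dll"
INFECTED = KEY + PREFIX + r"C:\Documents and Settings\admin\AppMgmt.dll"

KEY_RE = re.compile(r"^HKEY_[^\r\n]*\\Services\\([^\\]+)\\Parameters\s*$", re.I)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)
ENV_RE = re.compile(r"%(?:systemroot|windir)%", re.I)


def resolve(value, system_root=SYSTEM_ROOT):
    """Expand %SystemRoot%/%windir%, collapse '..' and lower-case the path."""
    # A callable replacement keeps the backslashes in system_root literal.
    expanded = ENV_RE.sub(lambda _m: system_root, value.strip('"'))
    return ntpath.normcase(ntpath.normpath(expanded))


def outside_system32(value, system_root=SYSTEM_ROOT):
    """True when a ServiceDll value resolves outside <SystemRoot>\\System32.

    Triage heuristic: third-party services may legitimately load DLLs from
    other directories, so a hit is a lead to verify, not a verdict.
    """
    trusted = ntpath.normcase(ntpath.join(system_root, "System32")) + "\\"
    return not resolve(value, system_root).startswith(trusted)


def scan(reg_text, system_root=SYSTEM_ROOT):
    """Return (service, ServiceDll) pairs whose DLL is outside System32."""
    findings, service = [], None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = KEY_RE.match(line)
            service = key.group(1) if key else None
            continue
        val = VALUE_RE.match(line)
        if val and service and outside_system32(val.group(1), system_root):
            findings.append((service, val.group(1)))
    return findings


if __name__ == "__main__":
    for name, snapshot in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, scan(snapshot))
```

On a live system the input would come from the saved output of a recursive `reg query` over the Services key, with `system_root` set to the host's actual Windows directory.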

