By GoldSparrow in Botnets

MgBot is a RAT (Remote Access Trojan) that appears to be the work of a China-based hacking group. According to malware analysts, MgBot is attributed to an APT (Advanced Persistent Threat), which points to experienced and well-resourced operators. The MgBot RAT is also known under the aliases Mgmbot and Blame.

After studying this RAT, security researchers found multiple strings written in Chinese, which led them to believe that its authors originate from China (a weak indicator on its own, since strings in a binary are easy to plant, but one that lines up with the targeting). The operators behind MgBot appear to have begun distributing the Trojan actively at the beginning of July 2020, using spam emails aimed at users in India and Hong Kong. MgBot is not a threat aimed at regular users: its operators appear to go after political figures and government bodies only.

In the early campaigns, the MgBot RAT was delivered alongside a variant of the Cobalt Strike post-exploitation framework, a commercial red-team tool that is widely abused by threat actors. In the latest campaigns, MgBot was delivered via a macro-laced decoy document. Once it manages to infiltrate the target, MgBot runs several anti-analysis checks to establish whether it is executing in a sandbox or on a regular system. It does this by checking for the presence of:

  • Software that is used for malware debugging and threat analysis.
  • Processes, Registry entries, and drivers that are associated with sandbox environments.

MgBot also looks for modules belonging to anti-malware products. If it detects any of these components, it stops executing, so a sample detonated in an unhardened sandbox may simply exit without revealing its capabilities.
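The checks described above, as an added example that is not MgBot's own code: the decision is a set intersection between what the host exposes and a list of known analysis and virtualisation artifacts. The indicator names below are generic, well-known VMware/VirtualBox, debugger and monitoring-tool artifacts, not the list MgBot actually uses (the article does not enumerate it), and the `HostInventory` structure and the two sample inventories are constructed so the logic runs offline; on a live Windows host the inventory would be filled from the process list, the registry and `System32\drivers`.

```python
"""Anti-analysis check of the kind attributed to MgBot (added example, not the
malware's code).  Indicator lists are generic VM/debugger artifacts, assumed for
illustration; the real sample's list is not given in the article."""
from dataclasses import dataclass, field


@dataclass
class HostInventory:
    """What the malware can observe on the host (assumed structure)."""
    processes: list = field(default_factory=list)      # image names, e.g. "vmtoolsd.exe"
    registry_keys: list = field(default_factory=list)  # full key paths
    drivers: list = field(default_factory=list)        # file names in System32\drivers


# Bullet 1 of the article: software used for debugging and malware analysis.
ANALYSIS_TOOLS = {
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "ida.exe", "ida64.exe",
    "procmon.exe", "procexp.exe", "wireshark.exe", "fiddler.exe",
}

# Bullet 2 of the article: processes, registry keys and drivers of VM/sandbox guests.
SANDBOX_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "vboxservice.exe", "vboxtray.exe",
}
SANDBOX_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
}
SANDBOX_DRIVERS = {
    "vmmouse.sys", "vmhgfs.sys", "vmci.sys", "vboxmouse.sys", "vboxguest.sys", "vboxsf.sys",
}


def _norm(name):
    # Windows names are case-insensitive, so compare in lower case.
    return name.strip().lower()


def find_analysis_indicators(inv):
    """Return {category: sorted matched indicators}; an empty dict means a clean host."""
    procs = {_norm(p) for p in inv.processes}
    keys = {_norm(k) for k in inv.registry_keys}
    drvs = {_norm(d) for d in inv.drivers}
    hits = {
        "analysis_tools": sorted(procs & {_norm(t) for t in ANALYSIS_TOOLS}),
        "sandbox_processes": sorted(procs & {_norm(t) for t in SANDBOX_PROCESSES}),
        "sandbox_registry": sorted(keys & {_norm(t) for t in SANDBOX_REGISTRY_KEYS}),
        "sandbox_drivers": sorted(drvs & {_norm(t) for t in SANDBOX_DRIVERS}),
    }
    return {k: v for k, v in hits.items() if v}


def is_analysis_environment(inv):
    """The malware's go/no-go decision: any single hit is enough to bail out."""
    return bool(find_analysis_indicators(inv))


# Constructed sample inventories (not captured from real hosts).
CLEAN_WORKSTATION = HostInventory(
    processes=["explorer.exe", "svchost.exe", "outlook.exe"],
    registry_keys=[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"],
    drivers=["ntfs.sys", "tcpip.sys"],
)
DEFAULT_SANDBOX = HostInventory(
    processes=["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "Procmon.exe"],
    registry_keys=[r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    drivers=["ntfs.sys", "VBoxGuest.sys", "VBoxMouse.sys"],
)

if __name__ == "__main__":
    for label, inv in (("workstation", CLEAN_WORKSTATION), ("sandbox", DEFAULT_SANDBOX)):
        print(label, "->", "abort" if is_analysis_environment(inv) else "run",
              find_analysis_indicators(inv))
```

Read from the defender's side, the same function is a checklist: every indicator it can match on your detonation box is an artifact to rename, hide or patch out, otherwise a sample with this kind of check exits before it does anything worth recording.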

If none of these checks finds software or a module that would interfere with it, MgBot proceeds, masquerading as a legitimate Realtek Audio Driver so that its presence is less likely to draw the user's attention. A name and description are trivial to copy, so when hunting for it, a file's digital signature and install path, not its displayed name, are what to check. Once running on the compromised system, MgBot allows its operators to:

  • Run remote commands.
  • Manage directories and files.
  • Manage active services and processes.
  • Run a keylogging module that collects the victim's keystrokes.
  • Take screenshots of the user's active windows, as well as their desktop.

MgBot should not be underestimated. It gives its operators remote control of the infected host and the means to carry out reconnaissance on it, which is particularly serious given that it targets high-ranking politicians and government organizations.

