Phishing Campaign Spreads the Feature-Packed Babylon RAT

The Babylon Remote Administration Tool (RAT) is back with a new phishing campaign spreading the malware, as observed by the analysts at Cofense. Babylon RAT is a feature-packed, open-source threat that can disrupt any network it manages to infiltrate. Its versatility lets attackers tailor Babylon RAT to their specific goals.

Babylon RAT has Plenty of Tools

After Babylon RAT is executed, it establishes a connection to a Command & Control (C&C) server that is hardcoded into the malware's binary. Dynamic DNS domains are most likely used so that the server's IP address can be changed without interrupting communication. The connection is encoded, and over it the malware transfers private data about the infected host such as the username, PC name, IP address, country, operating system (OS) and even the program window that is currently active. This information is updated every 5 seconds and can be observed on Babylon RAT's administration panel.

To lower the chances of detection, any system infected with Babylon RAT can be turned into a SOCKS proxy. This means that after propagating laterally through the network, all compromised machines can use the created SOCKS proxy as a gateway for their outbound traffic to the C&C server. Routing traffic this way can also bypass email and URL filtering.
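The two behaviours described above, a fixed-interval check-in to a hardcoded C&C server and an internal host that relays other machines' traffic as a SOCKS-style gateway, both leave a recognisable pattern in network flow records. The following Python script is an added example, not code from the article or from Cofense; it runs two simple detections over a constructed flow log (timestamp, source, destination, destination port) in which host 10.0.0.5 beacons every 5 seconds and also accepts connections from three other internal hosts on port 1080. The internal address range (10.0.0.0/8), the thresholds and the sample addresses are all assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; a real deployment would list its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flow log (not captured from a real infection):
# (timestamp in seconds, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    # infected host 10.0.0.5 checking in to its C&C every 5 seconds
    *[(t, "10.0.0.5", "203.0.113.10", 4444) for t in range(0, 55, 5)],
    # ordinary, irregular browsing from 10.0.0.6
    (1, "10.0.0.6", "198.51.100.20", 443),
    (9, "10.0.0.6", "198.51.100.21", 443),
    (14, "10.0.0.6", "198.51.100.22", 443),
    (40, "10.0.0.6", "198.51.100.20", 443),
    (48, "10.0.0.6", "198.51.100.23", 443),
    # three other internal hosts funnelling traffic through 10.0.0.5 (SOCKS port)
    (12, "10.0.0.6", "10.0.0.5", 1080),
    (13, "10.0.0.7", "10.0.0.5", 1080),
    (15, "10.0.0.8", "10.0.0.5", 1080),
    (22, "10.0.0.7", "10.0.0.5", 1080),
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """Return (src, dst, port, mean_interval) for outbound channels whose
    inter-arrival times are nearly constant (low coefficient of variation)."""
    by_channel = defaultdict(list)
    for ts, src, dst, port in flows:
        if not is_internal(dst):
            by_channel[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_channel.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, avg))
    return hits


def find_internal_proxies(flows, min_clients=3):
    """Return internal hosts that both accept connections from several other
    internal hosts on one port and themselves talk to an external address,
    the shape a compromised machine takes when used as an egress proxy."""
    clients = defaultdict(set)   # (internal dst, port) -> set of internal sources
    talks_out = set()            # internal hosts with any external connection
    for ts, src, dst, port in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            clients[(dst, port)].add(src)
        elif is_internal(src) and not is_internal(dst):
            talks_out.add(src)
    return sorted({host for (host, port), srcs in clients.items()
                   if len(srcs) >= min_clients and host in talks_out})


if __name__ == "__main__":
    for src, dst, port, avg in find_beacons(SAMPLE_FLOWS):
        print(f"beacon: {src} -> {dst}:{port} every {avg:.1f}s")
    for host in find_internal_proxies(SAMPLE_FLOWS):
        print(f"possible internal proxy: {host}")
```

On the constructed log the beacon check flags only the 10.0.0.5 to 203.0.113.10 channel (mean interval 5.0 s, zero jitter); the browsing host never reaches the minimum connection count on a single destination. The proxy check flags 10.0.0.5 because three distinct internal hosts connect to it on one port while it also talks externally. Legitimate internal servers can match the second pattern too, so in practice the result is a candidate list for an analyst, not a verdict.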

Another function integrated into Babylon RAT is password recovery. When initiated, the malware goes through the installed applications, including web browsers, and scrapes them for credentials. Although the password recovery module doesn't steal the OS user credentials, Cofense surmises that already knowing the username, coupled with just a couple of harvested passwords, could easily allow the attackers to compromise the OS credentials, opening a myriad of new security risks for the attacked organization.

Babylon RAT can Launch DoS Attacks

A separate module is responsible for initiating DoS (Denial of Service) attacks. The DoS can be targeted at a certain hostname or IP range, and parameters such as threads and sockets can be adjusted for one or multiple protocols. A DoS command sent to one of the infected systems can be relayed to the rest of the infected hosts, resulting in a larger DDoS (Distributed Denial of Service) attack.

With its multitude of functions, Babylon RAT can have devastating effects on any organization it manages to infect. Adopting appropriate anti-phishing measures and detecting and stopping threats preemptively is far preferable to the alternative of dealing with malware that is already burrowed deep inside the organization's network infrastructure.