Researchers have detected an attack campaign that employs a previously unknown remote access Trojan (RAT) named ReverseRat. The threat, alongside an open-source RAT called AllaKore, has been deployed against a narrow set of select targets operating in critical industry sectors. The identified victims include a foreign government organization, a power transmission company, and a power generation and transmission organization. Nearly all of the organizations that displayed signs consistent with the Indicators of Compromise (IoCs) observed in the ReverseRat campaign are located in India, with a small number of victims in Afghanistan. The threat actor responsible for the attacks appears either to operate from Pakistan or to have ties to the country.

ReverseRat's Capabilities

Once successfully deployed inside the victim's internal network, ReverseRat allows the threat actor to carry out a range of malicious activities, depending on their particular goals. The threat begins its operation by enumerating the compromised device and collecting data about it via Windows Management Instrumentation (WMI). The gathered information includes the device's MAC address, the physical memory installed in it, and numerous CPU details (maximum clock speed, model name, manufacturer, etc.). ReverseRat also determines the computer name, operating system, and public IP address via the .NET Framework.

All harvested data is then encoded and sent to a Command-and-Control (C2, C&C) node. ReverseRat then waits to receive a command that matches one of its prebuilt functions. The threat actor can instruct the RAT to modify the file structure on the system; run, start, or kill specified processes; collect data from the clipboard; take screenshots; and execute arbitrary commands from a hidden cmd.exe window. This base set of functionality can be expanded with additional modules that ReverseRat downloads and launches on the breached system.
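As an added illustration (not code from the article or from the researchers who analysed ReverseRat), the following Python script shows how a defender could correlate the behaviour described in the two paragraphs above: WMI hardware enumeration by a process, followed by an outbound connection to an external host (the C2 beacon), followed by a hidden cmd.exe child. It runs over a few constructed, Sysmon-style log lines embedded in the script. The log format, field names, the WMI class names mapped to the enumerated properties, the internal address ranges and the IP addresses are all assumptions made for the example.

```python
"""Detection heuristic for RAT-style host reconnaissance (added example).

Correlates three stages per process ID over CONSTRUCTED log lines:
  1. WMI queries against hardware-inventory classes (MAC, RAM, CPU, OS)
  2. an outbound connection to an address outside the assumed internal ranges
  3. a hidden cmd.exe child spawned after the beacon (raises severity)
"""
import ipaddress
import re
from collections import defaultdict

# Assumed mapping of the enumerated properties to WMI classes:
# MAC -> NetworkAdapterConfiguration, RAM -> PhysicalMemory,
# CPU clock/model/vendor -> Processor, computer name / OS -> OperatingSystem.
RECON_CLASSES = {
    "Win32_NetworkAdapterConfiguration",
    "Win32_PhysicalMemory",
    "Win32_Processor",
    "Win32_OperatingSystem",
}

# Assumed internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines: pid 5120 shows the full recon -> beacon -> shell
# chain; pid 4100 is a benign inventory agent reporting to an internal server.
SAMPLE_LOGS = """\
ts=1 event=ProcessCreate pid=5120 image=C:\\Users\\u\\AppData\\svc.exe
ts=2 event=WmiQuery pid=5120 query="SELECT * FROM Win32_Processor"
ts=3 event=WmiQuery pid=5120 query="SELECT * FROM Win32_PhysicalMemory"
ts=4 event=WmiQuery pid=5120 query="SELECT MACAddress FROM Win32_NetworkAdapterConfiguration"
ts=5 event=NetworkConnect pid=5120 dst=203.0.113.45 dport=443
ts=6 event=ProcessCreate pid=7001 ppid=5120 image=C:\\Windows\\System32\\cmd.exe window=hidden
ts=7 event=ProcessCreate pid=4100 image="C:\\Program Files\\Inventory\\agent.exe"
ts=8 event=WmiQuery pid=4100 query="SELECT * FROM Win32_Processor"
ts=9 event=WmiQuery pid=4100 query="SELECT * FROM Win32_PhysicalMemory"
ts=10 event=NetworkConnect pid=4100 dst=10.0.0.8 dport=8443
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_external(ip):
    """True if the address parses and lies outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(log_text, min_classes=2):
    """Return {pid: finding} for processes matching the recon -> C2 -> shell chain.

    A process is flagged when it queries at least `min_classes` inventory
    classes and then connects to an external address; a hidden cmd.exe child
    spawned after that beacon raises the severity from medium to high.
    """
    state = defaultdict(lambda: {"classes": set(), "beacon": None,
                                 "shell": None, "image": ""})
    for line in log_text.splitlines():
        ev = parse_line(line)
        pid = ev.get("pid")
        if ev.get("event") == "ProcessCreate":
            state[pid]["image"] = ev.get("image", "")
            parent = ev.get("ppid")
            if (parent in state and state[parent]["beacon"] is not None
                    and ev.get("image", "").lower().endswith("cmd.exe")
                    and ev.get("window") == "hidden"):
                state[parent]["shell"] = int(ev["ts"])
        elif ev.get("event") == "WmiQuery":
            for cls in RECON_CLASSES:
                if cls.lower() in ev.get("query", "").lower():
                    state[pid]["classes"].add(cls)
        elif ev.get("event") == "NetworkConnect":
            if (len(state[pid]["classes"]) >= min_classes
                    and is_external(ev.get("dst", ""))
                    and state[pid]["beacon"] is None):
                state[pid]["beacon"] = int(ev["ts"])

    findings = {}
    for pid, s in state.items():
        if s["beacon"] is None:
            continue
        findings[pid] = {
            "severity": "high" if s["shell"] is not None else "medium",
            "image": s["image"],
            "classes": sorted(s["classes"]),
        }
    return findings


if __name__ == "__main__":
    for pid, f in correlate(SAMPLE_LOGS).items():
        print(pid, f["severity"], f["image"], ", ".join(f["classes"]))
```

The inventory agent (pid 4100) runs the same WMI queries but is not flagged because it only talks to an internal address; requiring the network stage after the enumeration stage is what keeps ordinary asset-management tooling out of the alert.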

RATs are extremely threatening malware, and even organizations that do not fall within the current targeting profile of the ReverseRat campaign should take the necessary precautions and adjust their security measures.
