The S-400 RAT is a Remote Access Trojan (RAT) that possesses a diverse range of intrusive capabilities. RATs are extremely harmful threats, and the presence of one on your computer represents a massive security risk, necessitating an immediate and decisive reaction. Indeed, the S-400 should be dealt with as soon as possible, as any prolonged presence on the device will increase the chances of the attackers fulfilling their goals.
After analyzing the threat, cybersecurity researchers discovered that it is capable of acting as a backdoor, infostealer, crypto-miner, keylogger and clipper. The S-400 RAT is also equipped with various anti-analysis techniques. For example, the threat performs several checks in an attempt to determine whether it is being executed in a virtual machine or a sandbox environment.
Immediately after establishing itself on the targeted system, S-400 will start collecting important system data, which is transmitted to the attackers. Afterward, it will establish a backdoor channel, which allows the hackers to assume near-full control over the compromised device should they choose to.
The S-400 RAT can harvest vast amounts of private data, which it extracts from the installed browsers and other applications. The targeted data may include account credentials, financial and banking details, other information saved as autofill entries, the entire search and browsing history and more. To complement its data-collecting functionality, the S-400 RAT can also establish keylogging routines that capture every key press and mouse click.
The attackers can also instruct S-400 to activate its crypto-mining capabilities. In this case, the threat will hijack the system's hardware resources and use them to mine a chosen cryptocurrency. Depending on how aggressively the miner is configured, the system could begin to struggle with even basic operations, as the threat will occupy the CPU or GPU capacity completely.
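A sustained, near-total CPU load from a single process is the most visible trace a hidden miner leaves. The following is an added example, not code from the page or from any analysis of S-400, of the kind of heuristic a defender can run over per-process usage samples: it flags processes that stay above a CPU threshold for several consecutive samples and notes whether the binary runs from a user-writable location. The samples, process names, paths and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Path fragments that indicate a user-writable location.  Legitimate services rarely
# run from these; a miner dropped by a RAT usually does.  Constructed list, not exhaustive.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "/tmp/", "/var/tmp/")


@dataclass
class HogReport:
    pid: int
    name: str
    exe: str
    longest_streak: int        # consecutive samples at or above the CPU threshold
    user_writable_path: bool   # executable lives in a user-writable directory


def find_sustained_cpu_hogs(samples, threshold=85.0, min_consecutive=5):
    """Return a HogReport for each pid whose CPU usage stayed >= threshold for
    at least `min_consecutive` consecutive samples.

    `samples` is an iterable of (timestamp, pid, name, exe_path, cpu_percent)
    tuples, as a once-per-second resource monitor might record them.
    """
    by_pid = defaultdict(list)
    for t, pid, name, exe, cpu in samples:
        by_pid[pid].append((t, name, exe, cpu))

    reports = []
    for pid, rows in by_pid.items():
        rows.sort(key=lambda r: r[0])          # evaluate streaks in time order
        streak = longest = 0
        for _, _, _, cpu in rows:
            streak = streak + 1 if cpu >= threshold else 0
            longest = max(longest, streak)
        if longest >= min_consecutive:
            _, name, exe, _ = rows[-1]
            flagged_path = any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS)
            reports.append(HogReport(pid, name, exe, longest, flagged_path))
    return reports


def _series(pid, name, exe, cpu_values):
    """Build one sample per second for a single process (helper for the constructed data)."""
    return [(float(i), pid, name, exe, cpu) for i, cpu in enumerate(cpu_values)]


# Constructed telemetry, not from a real incident: a process masquerading as svchost.exe
# running from Temp at ~97% CPU, a browser with short spikes, and an idle kernel process.
SAMPLES = (
    _series(4242, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
            [96, 97, 99, 98, 97, 99])
    + _series(1001, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              [91, 35, 93, 28, 88, 22])
    + _series(4, "System", r"C:\Windows\System32\ntoskrnl.exe",
              [2, 3, 1, 2, 2, 1])
)


if __name__ == "__main__":
    for report in find_sustained_cpu_hogs(SAMPLES):
        print(f"pid {report.pid} ({report.name}) at high CPU for {report.longest_streak} samples; "
              f"user-writable path: {report.user_writable_path}; exe: {report.exe}")
```

The streak requirement is what separates a miner from a browser tab or a compiler: both can spike, but only the miner holds the load sample after sample. Pairing that with the path check lets the alert say more than "high CPU" and gives a responder an immediate file to pull for analysis.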
Finally, via its clipper abilities, S-400 could substitute the data saved in the clipboard. This technique is commonly used by hackers to replace the crypto-wallet address copied by the user with their own, thus rerouting the transferred funds to accounts under their control.
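The clipper behaviour described above has a recognisable signature from the defender's side: a wallet address appears on the clipboard and, within a fraction of a second and without any user action, is replaced by a different address of the same kind. The following is an added example, not code from the page or from any S-400 sample, showing the detection logic a clipboard monitor could apply to a sequence of clipboard snapshots. The address patterns are deliberately loose classifiers rather than validators, and the addresses and timestamps are constructed for illustration, not real wallets.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Loose shape patterns for the address families clippers most often target.
# No checksum validation: the goal is to classify clipboard text, not to validate it.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of `text`, or None if it does not look like a wallet address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class SwapAlert:
    time: float
    family: str
    original: str
    replaced: str


def detect_clipper_swaps(events: Iterable[tuple[float, str]], window: float = 2.0) -> list[SwapAlert]:
    """Scan (timestamp, clipboard_text) snapshots for clipper-style substitutions.

    An alert is raised when a wallet address is replaced by a *different* address of
    the *same* family within `window` seconds.  A person rarely copies two distinct
    addresses of one kind that quickly; a clipper does exactly that, because it rewrites
    the clipboard the moment it sees an address appear.
    """
    alerts = []
    prev_time, prev_text, prev_family = None, None, None
    for t, text in events:
        family = classify_address(text)
        if (prev_text is not None and family is not None and prev_family == family
                and text != prev_text and t - prev_time <= window):
            alerts.append(SwapAlert(t, family, prev_text, text))
        prev_time, prev_text, prev_family = t, text, family
    return alerts


# Constructed sample addresses (shape-valid only, not real wallets) and snapshots.
BTC_A = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
BTC_B = "1ZyXwVuTsRqPnMkJhGfEdCbA987654321z"
ETH_A = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ETH_B = "0xf6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3b2a1f6e5"

SAMPLE_EVENTS = [
    (0.0, "meeting notes for tuesday"),   # ordinary text, ignored
    (5.0, BTC_A),                          # user copies a BTC address
    (5.3, BTC_B),                          # replaced 300 ms later with no user action -> alert
    (20.0, ETH_A),                         # user copies an ETH address
    (20.4, ETH_B),                         # replaced again -> alert
    (40.0, BTC_A),                         # user copies a BTC address
    (50.0, BTC_B),                         # a different address ten seconds later: plausible user action, no alert
    (60.0, ETH_A),
    (60.5, BTC_A),                         # different family: not a same-family swap, no alert
]


if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"t={alert.time:.1f}s {alert.family}: {alert.original} -> {alert.replaced}")
```

In a live monitor the event list would come from polling the OS clipboard (a few times per second is enough), and the natural response to an alert is to restore the original address and tell the user, since the damage only happens when the swapped address is pasted into a transaction. The same-family rule keeps false positives low; widening it to any address-to-address change within the window catches more but will also fire on a user quickly comparing two addresses.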