Saefko Description

Cybercriminals who develop their own hacking tools often opt to sell them publicly to make some quick cash. This is the case with the Saefko RAT (Remote Access Trojan). This RAT appears to be used mainly for espionage and gives the users who buy it a great deal of insight into the habits of the victims they choose to target, which potentially helps them tailor a more convincing approach to trick those targets.

Digs through Browser History

Once the Saefko RAT is triggered, it will immediately establish a connection with a legitimate Google service. This helps the RAT find out whether the system is connected to the Internet. If the compromised host is connected to the Web, the Saefko RAT will begin searching through the victim's browser history. The RAT looks for URLs that fall into a few categories:

  • Cryptocurrency.
  • Finance.
  • Gaming.
  • Business.
  • Social Media.
  • Shopping.

All the relevant data is then gathered and transferred to the C&C (Command & Control) server of the operators. Additional data that the Saefko RAT collects is system information like username, geolocation, IP address, hardware, software, etc.

Gains Persistence and Continues the Attack

Then, the Saefko RAT applies changes to the Windows Registry to grant itself persistence on the compromised machine. Once this is done, the Saefko RAT will be able to execute a list of tasks such as:

  • Loading Web pages.
  • Taking screenshots.
  • Recording video of the desktop.
  • Downloading and executing files.
  • Opening and closing the CDROM.
  • Uploading the keylogger log file.
  • Receiving system details.
  • Accessing the Webcam.
  • Executing commands using the command-line tool.
  • Uninstalling itself.

The Saefko RAT can also:

  • Infect any connected removable storage devices.
  • Trigger a keylogger feature, which will collect the keystrokes in a 'log.txt' file.
  • Establish a connection to an Internet Relay Chat (IRC) server & channel that the attackers can use to transmit commands to the malware payload on the victim's machine.
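
The behaviours listed above can be correlated per process in endpoint telemetry, so that one noisy signal (such as a file named log.txt) does not raise an alert by itself. The following is an added example, not part of the original article or of any vendor tool; the event format, the Run-key path, the browser history filenames and the IRC ports are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed indicators: the article names no registry key, file path or port.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
HISTORY_FILES = ("\\history", "\\places.sqlite")
IRC_PORTS = {6667, 6697}

def classify(event):
    """Map one telemetry event to a behaviour from the article, or None."""
    kind = event["type"]
    target = str(event["target"]).lower()
    if kind == "file_read" and target.endswith(HISTORY_FILES):
        # Browsers read their own history; anything else doing so is notable.
        return None if event["image"].lower() in BROWSERS else "browser_history_read"
    if kind == "reg_set" and RUN_KEY in target:
        return "registry_persistence"
    if kind == "file_write" and target.endswith("\\log.txt"):
        return "keylog_file"
    if kind == "file_write" and event.get("removable") and target.endswith(".exe"):
        return "removable_drive_copy"
    if kind == "net_connect" and event.get("port") in IRC_PORTS:
        return "irc_channel"
    return None

def suspicious_processes(events, threshold=3):
    """Return processes showing at least `threshold` distinct behaviours."""
    seen = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            seen[(event["pid"], event["image"])].add(label)
    return {p: sorted(b) for p, b in seen.items() if len(b) >= threshold}

def ev(pid, image, kind, target, **extra):
    return {"pid": pid, "image": image, "type": kind, "target": target, **extra}

# Constructed sample telemetry (hypothetical process names and paths).
HIST = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\History"
SAMPLE_EVENTS = [
    ev(880, "chrome.exe", "file_read", HIST),
    ev(880, "chrome.exe", "net_connect", "www.example.com", port=443),
    ev(4120, "updater.exe", "file_read", HIST),
    ev(4120, "updater.exe", "reg_set",
       r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ev(4120, "updater.exe", "file_write", r"C:\Users\a\AppData\Roaming\log.txt"),
    ev(4120, "updater.exe", "net_connect", "irc.example.net", port=6667),
    ev(2200, "notepad.exe", "file_write", r"C:\Users\a\Documents\log.txt"),
]
```

Calling `suspicious_processes(SAMPLE_EVENTS)` flags only the process that combines history access, Run-key persistence, a log.txt write and an IRC connection; the browser and the lone log.txt writer stay below the threshold.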

As you can see, the Saefko RAT has a long list of features that can cause great harm. However, this threat is also rather pricey, so, hopefully, not many cybercriminals will be able to afford it. We suggest that you have a legitimate anti-malware tool, which will keep your PC safe from threats like the Saefko RAT.
