Often, cybercriminals who develop their own hacking tools opt to sell them publicly to make some quick cash. This is the case with the Saefko RAT (Remote Access Trojan). This RAT appears to be mainly used for espionage and offers the users who buy it a great insight into the habits of the victims they choose to target. This helps them tailor a better approach to trick the targets potentially.

Saefko is distributed the way most other malware of this kind is - through malicious links and attachments in spam emails, as well as through the download of fake software cracks or key generators that are really malware payloads. The Saefko executable is usually named "saefkoagent.exe" and is dropped in the system's \AppData\Roaming directory, along with a second copy in the same directory renamed to "windows.exe". Another copy of the same malware executable is copied to \AppData\Local and named explorer.exe.

New keys are added to the Windows registry so Saefko can ensure persistence and run on every system boot. In case the malware executes on an admin account, the new key is created under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer". In case of any other form of account privileges, the new key is under "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer".

Digs through Browser History

Once the Saefko RAT is triggered, it wil establish a connection with a legitimate Google service immediately. This will help the RAT find out whether the system is connected to the Internet or not. If the compromised host is connected to the Web, the Saefko RAT will begin searching through the browser history of the victim. This RAT is looking for URLs that are linked to a few categories:

  • Cryptocurrency.
  • Finance.
  • Gaming.
  • Business.
  • Social Media.
  • Shopping.

All the relevant data is then gathered and transferred to the C&C (Command & Control) server of the operators. Additional data that the Saefko RAT collects is system information like username, geolocation, IP address, hardware, software, etc.

Gains Persistence and Continues the Attack

Then, the Saefko RAT applies changes to the Windows Registry to grant itself persistence on the compromised machine. Once this is done, the Saefko RAT will be able to execute a list of tasks such as:

  • Loading Web pages.
  • Taking screenshots.
  • Recording video of the desktop.
  • Downloading and executing files.
  • Opening and closing the CDROM.
  • Commanding the threat to upload the keylogger log file.
  • Receiving system details.
  • Accessing the Webcam.
  • Executing commands using the line tool.
  • Uninstalling itself.

The Saefko RAT also can:

  • Infect any connected removable storage devices.
  • Trigger a keylogger feature, which will collect the keystrokes in a 'log.txt' file.
  • Establish a connection to an Internet Relay Chat (IRC) server & channel that the attackers can use to transmit commands to the malware payload on the victim's machine.

The malware also has the ability to copy itself onto removable drives as a means of spreading further. Saefko drops "Sas.exe", "USBStart.exe" and "usbspread.vbs" onto the removable drive. The malware hides all real directories (folders) and files on the infected drive and only leaves a .lnk shortcut for the user to click. The shortcut executes USBStart.exe, which in turn starts the main payload disguised as Sas.exe.

As you can see, the Saefko RAT has a long list of features, which can cause great harm. However, this threat also is rather pricey so that, hopefully, not many cybercriminals will be able to afford it. We would suggest you to have a legitimate anti-malware tool, which will keep your PC safe from threats like the Saefko RAT.

Related Posts


Most Viewed