Cybersecurity researchers have uncovered a new RAT (Remote Access Trojan) called SectopRAT. Dissecting the samples made it evident that its authors are still working on it: several functions do not work, and a number of modules appear to be far from complete.
Launches a Secondary Desktop
However, despite being an unfinished project, SectopRAT already has one very interesting feature. It creates a second desktop that the logged-on user cannot see and starts its own hidden ‘explorer.exe’ process on it, so the attackers get a working Windows shell that the victim never sees while the real desktop stays untouched. From that second desktop the operators can go through the victim’s files, browse the Internet, and alter settings and configurations on the compromised host. They also can launch a new browser instance there. However, the browser launch relies on hardcoded paths to the browser executables (for Google Chrome, Mozilla Firefox and Internet Explorer alike), so on a machine where the browser was installed somewhere other than the default location this part of SectopRAT fails.
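The hidden-desktop behaviour described above leaves a trace in process-creation telemetry: a legitimate explorer.exe is started by the logon chain, and a legitimate browser is started by the shell, whereas a RAT that spawns its own explorer.exe and then a browser on a second desktop is the parent of both. The hunting script below is an added example written for this article; it is not SectopRAT code and not the researchers’ tooling. It assumes Sysmon Event ID 1 (process creation) exported as JSON lines with Image, ParentImage and ParentProcessGuid fields, that the RAT’s explorer.exe and browser instances show up as children of the RAT process (the page does not say this, it is the normal result of a process calling CreateProcess), and the parent allowlists are an untuned baseline, not a validated rule set. The log lines are constructed, not captured from an infection.

```python
"""Hunt for hidden-desktop RAT behaviour in Sysmon process-creation events.

Added example, not SectopRAT code. Assumptions:
  * events are Sysmon Event ID 1 records as JSON lines (Winlogbeat-style
    field names: EventID, Image, ParentImage, ParentProcessGuid, CommandLine);
  * the RAT's hidden explorer.exe and browser instances are children of the
    RAT process itself;
  * the allowlists below describe a typical workstation and need tuning.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

EXPLORER = "explorer.exe"
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}

# Parents that normally start explorer.exe: the logon chain (userinit.exe),
# explorer restarting itself, and Task Manager's "Run new task". Assumption.
EXPLORER_PARENT_ALLOW = {"userinit.exe", EXPLORER, "taskmgr.exe"}
# Parents that normally start a browser: the shell, the browser itself
# (renderer/child processes) and svchost.exe for protocol handlers. Assumption.
BROWSER_PARENT_ALLOW = {EXPLORER, "svchost.exe"} | BROWSERS

# Constructed sample log. GUIDs are placeholders, not real Sysmon values.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "ParentProcessGuid": "{logon-1}", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\flashplayer_update.exe", "ParentProcessGuid": "{rat-1}", "CommandLine": "explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessGuid": "{shell-1}", "CommandLine": "chrome.exe"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\flashplayer_update.exe", "ParentProcessGuid": "{rat-1}", "CommandLine": "chrome.exe"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "ParentProcessGuid": "{chrome-1}", "CommandLine": "chrome.exe --type=renderer"}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "", "ParentProcessGuid": "", "CommandLine": ""}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentProcessGuid": "{cmd-1}", "CommandLine": "explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return PureWindowsPath(path).name.lower()


def parse_events(lines):
    """Keep only process-creation (EventID 1) records from JSON lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            events.append(ev)
    return events


def find_hidden_desktop_candidates(lines):
    """Return (severity, parent_guid, parent_image, reason) findings.

    Single-event hits are low/medium; one parent that spawned both an
    explorer.exe and a browser is escalated to high, because that is the
    shape of a hidden-desktop session rather than a user restarting the shell.
    """
    by_parent = defaultdict(lambda: {"explorer": False, "browsers": set(), "image": ""})
    findings = []
    for ev in parse_events(lines):
        child = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        pguid = ev["ParentProcessGuid"]
        if child == EXPLORER and parent not in EXPLORER_PARENT_ALLOW:
            rec = by_parent[pguid]
            rec["explorer"], rec["image"] = True, ev["ParentImage"]
            findings.append(("medium", pguid, ev["ParentImage"],
                             "explorer.exe started by unexpected parent"))
        elif child in BROWSERS and parent not in BROWSER_PARENT_ALLOW:
            rec = by_parent[pguid]
            rec["browsers"].add(child)
            rec["image"] = ev["ParentImage"]
            findings.append(("low", pguid, ev["ParentImage"],
                             f"{child} started by unexpected parent"))
    # Correlation step: same unexpected parent spawned explorer.exe and a browser.
    for pguid, rec in by_parent.items():
        if rec["explorer"] and rec["browsers"]:
            findings.append(("high", pguid, rec["image"],
                             "same parent spawned explorer.exe and "
                             + ", ".join(sorted(rec["browsers"]))))
    return findings


if __name__ == "__main__":
    for severity, guid, image, reason in find_hidden_desktop_candidates(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {guid:10} {image}: {reason}")
```

On the constructed log the explorer.exe started from cmd.exe is a benign medium hit (a user restarting the shell), which is exactly the kind of noise the allowlists have to absorb per environment; the Temp-resident "flashplayer_update.exe" parent is the only one that reaches high, because it spawned both explorer.exe and chrome.exe. Sysmon does not record which desktop a process runs on, so parent-child structure is the available signal; a process that also creates a window station or desktop object would need ETW or an EDR sensor to observe directly.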
Apart from the capabilities listed above, SectopRAT also can move the cursor and load a keyboard module, so the attackers can drive the compromised host almost as if they were sitting in front of it. Researchers also found that the operators can switch the malware to a new C&C (Command & Control) server address on the fly. SectopRAT has several other capabilities:
- Collect information about the infected machine.
- Disconnect from the compromised system.
The Authors of the SectopRAT are Still Testing the Waters
Researchers have seen a few different variants of SectopRAT uploaded to public multi-engine malware-scanning services, and they suspect the uploads came from the authors themselves. For the moment, then, the attackers appear to be dipping a toe in the water and checking whether their threat is flagged by security scanners. Among the samples was a variant of SectopRAT disguised as Adobe Flash Player, which suggests that SectopRAT may be spread as a fake copy of Adobe Flash Player or as a fake update for it.
Be especially careful when browsing the Web: treat any prompt to install or update Adobe Flash Player from a third-party site as suspect, and avoid shady websites hosting dubious content, as this is what many cyber crooks rely on to spread malware. Additionally, install a reputable anti-malware application and keep it up to date.