Sisfader RAT

The Sisfader RAT (Remote Access Trojan) is a threat that malware analysts first spotted in April 2018. The authors of the Sisfader RAT appear to propagate the Trojan with the help of corrupted RTF documents that exploit the CVE-2017-8570 vulnerability on targeted systems. The corrupted RTF documents in question carry the payload of the Sisfader RAT. The Sisfader RAT has all the capabilities of a regular RAT with some extra features sprinkled on top, and some of those extra features are rather atypical for a threat of this kind.
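The page only says that the lure is an RTF document carrying the payload, so the first defensive step is to triage RTF attachments before anyone opens them. The script below is an added example (not code from the page or from any Sisfader analysis): it enumerates the embedded OLE objects that RTF files carry in `\objdata` hex blobs, reads the class name from each OLE 1.0 object header, and flags the file for sandbox review when any object is present or when the declared `\objclass` disagrees with the header. The RTF sample is constructed for the example; the layout of the real Sisfader lure is an assumption not described on the page.

```python
"""Triage RTF attachments: list embedded OLE objects so the file can be
routed to sandbox analysis instead of being opened by the recipient."""
import re
import sys

OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
HEX_CLEAN_RE = re.compile(rb"[^0-9A-Fa-f]")

# Constructed sample: one embedded OLE "Package" object (OLE 1.0 header:
# version 0x501, format id 2 = embedded, class name length 8, "Package\0").
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\f0\\fs22 Please review the attached report.\\par\n"
    b"{\\object\\objemb\\objw1440\\objh1440{\\*\\objclass Package}\n"
    b"{\\*\\objdata 01050000 02000000 08000000 5061636b61676500 }}\n"
    b"}"
)


def _ole1_class_name(blob: bytes):
    """Class name from an OLE 1.0 object header (MS-OLEDS):
    version(4) | format id(4) | name length(4) | name (NUL-terminated)."""
    if len(blob) < 12:
        return None
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def extract_rtf_objects(data: bytes):
    """Return one record per \\objdata blob: declared class, header class, size."""
    objects = []
    prev_end = 0
    for m in OBJDATA_RE.finditer(data):
        close = data.find(b"}", m.end())          # hex runs until the group closes
        if close == -1:
            close = len(data)
        hexchars = HEX_CLEAN_RE.sub(b"", data[m.end():close])
        blob = bytes.fromhex(hexchars[: len(hexchars) & ~1].decode("ascii"))
        # The \objclass for this object is the last one seen since the previous blob.
        declared = [c.group(1).strip().decode("latin-1")
                    for c in OBJCLASS_RE.finditer(data, prev_end, m.start())]
        objects.append({
            "declared_class": declared[-1] if declared else None,
            "header_class": _ole1_class_name(blob),
            "size": len(blob),
        })
        prev_end = close
    return objects


def triage_rtf(data: bytes):
    """Verdict 'review' when the document deserves sandbox analysis, else 'clean'."""
    objs = extract_rtf_objects(data)
    reasons = []
    if not data.lstrip().startswith(b"{\\rt"):
        reasons.append("missing '{\\rtf' header (malformed headers are a common evasion)")
    for o in objs:
        if o["declared_class"] and o["header_class"] and o["declared_class"] != o["header_class"]:
            reasons.append(f"\\objclass '{o['declared_class']}' != header '{o['header_class']}'")
    if objs:
        reasons.append(f"{len(objs)} embedded OLE object(s)")
    return {"objects": objs, "verdict": "review" if reasons else "clean", "reasons": reasons}


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    result = triage_rtf(raw)
    print(result["verdict"], "-", "; ".join(result["reasons"]) or "no findings")
    for o in result["objects"]:
        print(f"  object: declared={o['declared_class']} header={o['header_class']} size={o['size']}")
```

Run it with a file path to triage a real attachment, or without arguments to see the constructed sample flagged. Any embedded object is enough to route a mail attachment to a sandbox; the class-name comparison catches documents whose declared `\objclass` is dressed up to look benign.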

In 2018 the creators of the Sisfader RAT were propagating the threat via phishing emails. The targeted user would receive an email with an RTF document as an attachment. The document appeared to be of urgent importance, which increased the chances of the user reviewing it as soon as they received the email. The attackers had written the document entirely in Russian. While the user was reading the document they had been sent, the Sisfader RAT would execute and start running in the background. This way, the victim may not even realize that their system has been compromised.

The Sisfader RAT may delay its start as a method of avoiding malware debugging environments. The Sisfader RAT makes sure that it only runs when the user launches Microsoft Word. This is done by dropping a file in the ‘STARTUP’ directory of Microsoft Word. This is what is regarded as a delayed start, and it goes to show that the attackers know how to make the work of malware analysts more difficult. The Sisfader RAT also gains persistence on the infected computer by tampering with the system’s Windows Registry.
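A defender can hunt for both persistence spots the paragraph names. The script below is an added example (not code from the page or from any vendor tooling): it reports every file found in a user's Word STARTUP folder, since Word loads any global template or add-in placed there, and it flags registry autostart values that launch something from a user-writable directory. The page says only that the Registry is tampered with, so checking the `Run` keys is this example's assumption, and the file and registry inventories are constructed so the logic runs offline; on Windows the script also reads the live host.

```python
"""Hunt for Word STARTUP drops and suspicious registry autostart entries."""
import os
import re
import sys

# Word loads every global template / add-in it finds in its STARTUP folder.
WORD_STARTUP_PARTS = ("microsoft", "word", "startup")
TEMPLATE_EXTS = {".dot", ".dotx", ".dotm", ".wll"}

# Assumption: the usual autostart keys (the article only says "Windows Registry").
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed inventories standing in for a live host.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal2.dotm",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
]
SAMPLE_RUN = [
    ("HKCU", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", "Updater", r"C:\Users\alice\AppData\Roaming\svc\host.exe"),
]


def is_word_startup_path(path: str) -> bool:
    """True when path is a file directly inside ...\\Microsoft\\Word\\STARTUP."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    return len(parts) >= 4 and tuple(parts[-4:-1]) == WORD_STARTUP_PARTS


def review_startup_files(paths):
    """Every file in Word STARTUP is reported; the reason says whether Word would load it."""
    findings = []
    for p in paths:
        if not is_word_startup_path(p):
            continue
        ext = os.path.splitext(p)[1].lower()
        reason = ("global template/add-in in Word STARTUP" if ext in TEMPLATE_EXTS
                  else f"unexpected file type '{ext or 'none'}' in Word STARTUP")
        findings.append((p, reason))
    return findings


def review_run_values(values):
    """values: (hive, value name, command). Flags commands rooted in user-writable paths.
    This is a triage filter: legitimate per-user software (e.g. OneDrive) also lands here."""
    findings = []
    for hive, name, command in values:
        if any(h in command.lower() for h in USER_WRITABLE_HINTS):
            findings.append((f"{hive}\\...\\Run\\{name}", "autostart from user-writable path: " + command))
    return findings


def run_sample():
    return review_startup_files(SAMPLE_FILES), review_run_values(SAMPLE_RUN)


def collect_live():
    """Windows only: list the current user's Word STARTUP folder and read the Run keys."""
    import winreg
    startup = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Word", "STARTUP")
    files = [os.path.join(startup, n) for n in os.listdir(startup)] if os.path.isdir(startup) else []
    values = []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values.append((hive, name, str(data)))
                    i += 1
        except OSError:
            pass                          # key absent or not readable
    return files, values


if __name__ == "__main__":
    if sys.platform == "win32":
        files, values = collect_live()
        file_findings, run_findings = review_startup_files(files), review_run_values(values)
    else:
        file_findings, run_findings = run_sample()
    for where, why in file_findings + run_findings:
        print(f"{where}\n    {why}")
```

On a real host every hit still needs an analyst's look: a template in STARTUP may be a legitimate add-in, and per-user software commonly starts from AppData. The point is that a dropped Word template is a persistence mechanism that ordinary autorun reviews miss, so it belongs in the same checklist as the Run keys.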

Once the Sisfader RAT establishes a connection with its operators’ C&C (Command & Control) server and is running on the compromised PC as intended, it will be able to:

  • Fetch files from the C&C server and plant them on the infected system.
  • Collect files from the infected system and transfer them to the C&C server.
  • Delete files.
  • Look for specific files in certain directories.
  • Collect data regarding the system’s software and hardware.
  • Start processes on the infected system.
  • Apply updates to itself.

The creators of the Sisfader RAT have not made this hacking tool publicly available, which is likely the reason why it has not been very active since it was first spotted in 2018. Make sure your computer and data are protected by a reputable anti-virus application.
