SwaetRAT Malware
SwaetRAT is a Remote Access Trojan (RAT) built as a 32-bit application using the .NET framework. This type of threat enables attackers to gain unauthorized control over a compromised system, allowing them to monitor user activity, extract sensitive information, and execute commands remotely.
Keylogging and Data Theft
One of SwaetRAT's primary functions is keylogging, which captures every keystroke made by the victim. This capability allows it to record login credentials, financial details, personal messages and other confidential data. Additionally, the RAT scans the 'Log.tmp' file for keywords such as 'Paypal' and 'Binance,' two widely used financial platforms. If any matches are found, the information is transmitted to the attacker's Command-and-Control (C2) server, giving cybercriminals insight into the victim's financial activity.
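A defender who reads the paragraph above will want a quick way to look for the artifact it describes. The following triage helper is an added example, not code from the original write-up or from the malware itself: it walks a directory tree, reports every file named Log.tmp, and notes which of the financial keywords the write-up mentions appear in it. It assumes case-insensitive matching of both the file name and the keywords (Windows file names are case-insensitive), and it does not assume any particular location for the file, since the write-up does not give one. The sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Keywords the write-up says SwaetRAT looks for in its keystroke log.
# Lower-cased here because matching is done case-insensitively (an assumption).
FINANCIAL_KEYWORDS = ("paypal", "binance")
LOG_NAME = "log.tmp"


def find_keylog_artifacts(root, keywords=FINANCIAL_KEYWORDS, max_bytes=5_000_000):
    """Walk `root` and return a list of (path, matched_keywords) for every file
    named Log.tmp (any case). Files with no keyword matches are still reported
    with an empty list: the file name alone is worth a look, but on its own it
    is weak evidence, because plenty of benign software writes a Log.tmp."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != LOG_NAME:
                continue
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()[:max_bytes]  # cap reads on huge files
            except OSError:
                continue  # locked or unreadable; skip rather than abort the sweep
            text = data.decode("utf-8", errors="ignore").lower()
            matched = [k for k in keywords if k in text]
            hits.append((str(path), matched))
    return hits


def classify(hits):
    """Split hits into those worth immediate review (keyword matches, i.e. the
    file looks like a keystroke log of financial activity) and name-only hits."""
    return {
        "review": [h for h in hits if h[1]],
        "name_only": [h for h in hits if not h[1]],
    }


def build_sample_tree():
    """Create a CONSTRUCTED sample tree for the demonstration:
    - a Log.tmp that looks like a keystroke log mentioning PayPal and Binance,
    - a log.tmp with unrelated content (the benign case),
    - a differently named file mentioning PayPal, which must be ignored.
    Returns the TemporaryDirectory; the caller cleans it up."""
    tmp = tempfile.TemporaryDirectory()
    root = Path(tmp.name)
    (root / "AppData" / "Roaming").mkdir(parents=True)
    (root / "AppData" / "Roaming" / "Log.tmp").write_text(
        "[Window: Log in to your PayPal account]\nuser@example.com\n"
        "[Window: Binance - Sign In]\n",
        encoding="utf-8",
    )
    (root / "Temp").mkdir()
    (root / "Temp" / "log.tmp").write_text("installer finished ok\n", encoding="utf-8")
    (root / "notes.txt").write_text("pay the paypal invoice on friday\n", encoding="utf-8")
    return tmp


def demo():
    """Run the sweep over the constructed tree and return the sorted hits."""
    tmp = build_sample_tree()
    try:
        return sorted(find_keylog_artifacts(tmp.name), key=lambda h: h[0])
    finally:
        tmp.cleanup()


if __name__ == "__main__":
    for path, matched in demo():
        print(f"{path}: {'matches ' + ', '.join(matched) if matched else 'name only'}")
```

On a real host, point `find_keylog_artifacts` at user profile directories and treat the `review` bucket from `classify` as a lead to confirm with other evidence (the 32-bit .NET process that owns the file, its network connections), not as a verdict by itself.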
System Profiling and Command Execution
SwaetRAT gathers various system details, including the unique system ID, username, operating system information, installed security software and whether the user has administrative privileges. Beyond information collection, the RAT supports a range of commands to perform multiple actions on an infected device.
Its capabilities include writing and executing PowerShell scripts, downloading and launching files from remote locations, capturing screenshots, recording screen activity in real-time, creating files on the desktop, and even removing itself from the system. These functionalities can lead to consequences such as identity theft, financial fraud, further infections, and prolonged system compromise.
Infection Chain and Deployment
SwaetRAT is typically delivered through phishing emails that redirect victims to a fraudulent website hosting a compromised ScreenConnect client. When executed, the client connects the infected machine to an attacker-controlled server.
Following this, a VBS script is dropped onto the system, which retrieves additional unsafe code from the Internet. This code is decoded and executed, ultimately leading to the deployment of the Ande Loader, which delivers SwaetRAT as the final payload.
With its extensive control over infected systems, SwaetRAT poses a considerable risk to victims, facilitating data theft, unauthorized surveillance, and further exploitation of compromised devices.