- Jul 27, 2015
Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector. Indicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the Lazarus Group.
How did it work?
The attack consists of a highly modular malware that can function as a standalone RAT and download and activate additional malicious plugins from its C2 servers. Cisco Talos has discovered multiple plugins so far, consisting of ransomware, screen-capture, clipboard monitoring and keylogger components.
So what?
This attack demonstrates how the adversary operates an attack that:
- Uses obfuscation and extensive evasion techniques to hide its malicious indicators.
- Has evolved across versions to improve the effectiveness of the attack.
- Employs a highly modular plugin framework to selectively infect targeted endpoints.
- Most importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of ransomware to either extort money or burn infrastructure of targeted entities.
Distribution vector
The first version of CRAT has been known to be distributed via malicious HWPs. The HWPs masquerade as a COVID-19 themed document pertaining to an infectious disease management support group from South Korea. The HWPs contained an exploit for CVE-2017-8291 that was used to activate malicious shellcode. The shellcode would then download and execute CRATv1 on the infected endpoint. The distribution vector of the new version of CRAT (v2) is currently unknown. However, it is highly likely that the attackers re-used a maldoc-based infection vector to spread CRATv2 as well.
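CVE-2017-8291 is a Ghostscript vulnerability, and in the HWP campaigns it was triggered through an embedded PostScript (EPS) object rather than through the document body itself. A defender triaging a suspect document therefore wants to know whether it carries compressed PostScript at all, and whether that PostScript uses operators a figure would never need. The script below is an added triage example, not Cisco Talos code; it assumes the attachment is stored as a zlib-wrapped compressed object (for real HWP files the stream layout and deflate mode may differ, so the inflate step should be adapted to the container), and the document blob it scans is constructed inline.

```python
"""Triage heuristic: locate compressed PostScript objects inside a document blob.

Added example (not Talos code). Assumption: the maldoc embeds its EPS trigger as a
zlib-compressed binary object, so we inflate every zlib-header candidate and look
for PostScript markers in the result. It flags *presence* of suspicious PostScript
for sandbox analysis; it does not detect the exploit itself.
"""
import re
import zlib

# Start of a PostScript / EPS file.
PS_HEADER = re.compile(rb"%!PS-Adobe")

# Operators that a figure EPS has no business using. Order matters for output.
SUSPICIOUS_OPERATORS = [b"run", b"file", b"deletefile", b".forceput", b".rsdparams"]
_SUSPICIOUS_RE = {
    op: re.compile(rb"(?<![\w.])" + re.escape(op) + rb"(?!\w)") for op in SUSPICIOUS_OPERATORS
}

# zlib header: CMF 0x78 followed by a FLG byte for the standard compression levels.
_ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def _zlib_candidates(blob: bytes):
    """Yield offsets where a zlib stream could begin."""
    for m in _ZLIB_HEADER.finditer(blob):
        yield m.start()


def scan_blob(blob: bytes, max_inflate: int = 4_000_000):
    """Return a finding per complete zlib stream that inflates to PostScript.

    Each finding records the stream offset, the inflated size and the list of
    suspicious operators seen (empty list means PostScript without red flags).
    """
    findings = []
    for off in _zlib_candidates(blob):
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[off:], max_inflate)
        except zlib.error:
            continue  # header-looking bytes that are not a real stream
        if not d.eof:
            continue  # stream did not terminate cleanly (or hit max_inflate)
        if not PS_HEADER.search(data[:64]):
            continue  # compressed, but not PostScript
        hits = [op.decode() for op in SUSPICIOUS_OPERATORS if _SUSPICIOUS_RE[op].search(data)]
        findings.append({"offset": off, "inflated_size": len(data), "suspicious": hits})
    return findings


def build_sample_blob() -> bytes:
    """Constructed sample: a fake document wrapper around a compressed EPS object
    that invokes the `run` operator, the kind of object to quarantine."""
    eps = (
        b"%!PS-Adobe-3.0 EPSF-3.0\n"
        b"%%BoundingBox: 0 0 100 100\n"
        b"/x { 0 0 moveto 100 100 lineto stroke } def\n"
        b"(/tmp/payload) run\n"  # constructed red flag, not a real payload path
    )
    return b"HWP Document File" + b"\x00" * 32 + zlib.compress(eps) + b"\x00" * 16


def build_benign_blob() -> bytes:
    """Constructed sample: compressed data that is not PostScript at all."""
    return b"plain " + zlib.compress(b"hello world " * 50) + b"\x00" * 8


if __name__ == "__main__":
    for blob in (build_sample_blob(), build_benign_blob()):
        print(scan_blob(blob))
```

The scanner deliberately requires a complete stream (`d.eof`) so that stray `78 9c` byte pairs inside unrelated binary data do not produce noise, and it reports PostScript with no flagged operators as a separate, lower-severity finding so that legitimate figures are not silently dropped from the report.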
CRAT wants to plunder your endpoints
Source: "CRAT wants to plunder your endpoints", blog.talosintelligence.com. Summary from the post:
- Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
- Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
- One of the plugins is a ransomware known as "Hansom."
- CRAT...