
Gaming Tools Hijacked to Distribute Java RAT, Threatening Users

Cybercriminals are exploiting popular gaming utilities, distributing them through browsers and chat platforms to infect users with a sophisticated Java-based Remote Access Trojan (RAT). This malware is designed for stealthy execution and data exfiltration, posing a significant threat to unsuspecting gamers and users.

Key Takeaways

  • Trojanized gaming tools are being used to spread a Java-based RAT.

  • Distribution occurs via browsers and chat platforms.

  • The malware employs stealthy execution techniques and aims for persistence.

  • It can exfiltrate data and deploy additional malicious payloads.

Stealthy Infiltration and Execution

The attack begins with a malicious downloader that stages a portable Java runtime on the victim machine. It then executes a malicious Java archive (JAR) file disguised as a legitimate tool. To evade detection, the downloader launches its payload through PowerShell and built-in Windows binaries, so that the execution blends in with normal system activity. The attack chain then deletes the initial downloader and adds Microsoft Defender exclusions for the RAT components, making the infection harder to detect and remove.

Establishing Persistence and Command-and-Control

Once the RAT is deployed, it establishes persistence on the compromised system through a scheduled task and a Windows startup script, often named "world.vbs." This ensures the malware remains active even after reboots. The malware functions as a multi-purpose tool, acting as a loader, runner, downloader, and the core RAT. It then connects to an external command-and-control (C2) server located at "79.110.49[.]15" to receive instructions, exfiltrate sensitive data, and download further malicious payloads.

Defense and Mitigation Strategies

Microsoft Threat Intelligence advises users to take several steps to defend against this threat. These include auditing Microsoft Defender exclusions and scheduled tasks for any suspicious entries, removing any identified malicious tasks and startup scripts, isolating affected endpoints immediately, and resetting credentials for users who were active on compromised hosts. Proactive monitoring and security hygiene are crucial in combating such evolving threats.
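The following script is an added, read-only triage example for the indicators described in this article; it is not code from the article, from Microsoft, or from The Hacker News. It takes the C2 address and the "world.vbs" startup script name from the article, and everything else (the choice of "user-writable" roots, the interpreter and file-extension patterns, the name of the output list) is an assumption made for the example. It reports candidates for a human to review, rather than deleting anything, so that the removal and isolation steps recommended above are taken on confirmed findings.

```powershell
# Added triage example (not from the article, Microsoft, or The Hacker News).
# Run in an elevated PowerShell on a suspect host. Read-only: it reports, it does not remediate.

$C2Address        = '79.110.49.15'   # C2 address reported in the article
$SuspiciousScript = 'world.vbs'      # startup script name reported in the article
$Findings         = New-Object System.Collections.Generic.List[string]

# Assumption: locations a downloader running as a normal user can write to. A legitimately
# installed product rarely needs Defender exclusions or scheduled-task targets under these roots.
$UserWritableRoots = @("$env:SystemDrive\Users", "$env:ProgramData")

function Test-MentionsUserWritable {
    param([string]$Text)
    foreach ($root in $UserWritableRoots) {
        if ($Text -and $Text.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Defender exclusions: the attack chain adds exclusions for the RAT components.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($null -ne $pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if (Test-MentionsUserWritable $p) { $Findings.Add("Defender path exclusion under a user-writable root: $p") }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -match 'java|powershell|wscript|cscript') { $Findings.Add("Defender process exclusion for an interpreter: $p") }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e -match '^\.?(jar|vbs|ps1)$') { $Findings.Add("Defender extension exclusion for a script/archive type: $e") }
    }
}

# 2. Scheduled tasks whose action runs Java, a .jar, or a .vbs from a user-writable location.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in @($task.Actions)) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (($cmd -match '\.jar\b|\bjavaw?\.exe|\.vbs\b|wscript|cscript') -and (Test-MentionsUserWritable $cmd)) {
            $Findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 3. Startup folders (all users plus the common folder): world.vbs or any script/archive dropped there.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup')) +
    @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -ieq $SuspiciousScript -or $_.Extension -in @('.vbs', '.jar', '.js', '.bat', '.ps1')) {
            $Findings.Add("Startup item '$($_.FullName)' (last modified $($_.LastWriteTime))")
        }
    }
}

# 4. A portable Java runtime executing from a user-writable path (the staged runtime described above).
Get-Process -Name java, javaw -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-MentionsUserWritable $_.Path) {
        $Findings.Add("Java runtime running from a user-writable path: $($_.Path) (PID $($_.Id))")
    }
}

# 5. Live TCP connections to the reported C2 address, with the owning process.
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Findings.Add("Connection to $C2Address from PID $($_.OwningProcess) ($($proc.ProcessName)), state $($_.State)")
}

if ($Findings.Count -eq 0) {
    "No indicators matched on $env:COMPUTERNAME."
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

The checks are deliberately broad: a path exclusion under a user profile or a scheduled task that runs wscript.exe against a .vbs in AppData is not proof of this particular RAT, but each is exactly the kind of entry the advice above says to audit. Anything flagged should be verified (file hash, task creation time, parent process) before the task or script is removed and the host isolated, and the rules can be carried over into an EDR or SIEM query so the same conditions are watched continuously rather than only at triage time.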

Broader RAT Landscape

This incident highlights a growing trend in sophisticated RAT malware. Recently, BlackFog disclosed details about Steaelite, a new Windows RAT family advertised on criminal forums with "fully undetectable" capabilities. Steaelite uniquely bundles data theft and ransomware functionalities, offering a comprehensive web panel for operators. It also includes features like keylogging, client-to-victim chat, file searching, wallpaper modification, and UAC bypass. Other recently discovered RATs, such as DesckVB RAT and KazakRAT, also offer extensive remote control capabilities, with KazakRAT suspected to be part of a state-affiliated campaign targeting specific entities.

Sources

  • Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms, The Hacker News.
