MalwareHunterTeam discovered a new Trojan horse SectopRAT

Recently, the security research team MalwareHunterTeam announced that it had discovered a new Trojan horse program, SectopRAT. The Trojan can be used to take control of the browser session on an infected computer, change the browser configuration and disable security measures.

A signed (Sectigo) C# malware, got told possible called "1xxbot" sample: b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a
Used to create hidden desktop and run selected browser there with full control.
Related to AsataFar…
cc @James_inthe_box @VK_Intel @Antelox pic.twitter.com/bFPqTmrSp6

- Malware Hunter Team (@malwrhunterteam) November 15, 2019

It is understood that the malicious program is built mainly with the C# compiler and includes a RemoteClient.Config class with four configurable values: IP, retip, filename and mutexName. The researchers found the following about the four variables: first, the IP variable relates to the Trojan's command and control server; second, the retip variable is intended to establish a new C2 address as a fallback against intrusion prevention systems; third, the "set IP" command can be used to override the server address; fourth, the file name and mutex name are set but not actively used.

In addition, the researchers found that the software appears to have some shortcomings: first, it accesses system files through hard-coded paths rather than environment variables; second, the command decoder is unfinished, as the handling of information retrieved after compilation has not been completed.

The researchers said that, despite these obvious flaws, the techniques used in the program show that the attacker has a certain level of expertise, so experts suspect that the Trojan may only be a test build.

Origin www.linuxidc.com/Linux/2019-11/161540.htm