SectopRAT: a new Trojan program to control the browser session

Introduction

Recently, the security research team MalwareHunterTeam reported that it had found a new Trojan program, SectopRAT. It can be used to control the browser session on an infected computer, change the browser configuration and disable security measures.

A signed (Sectigo) C# malware, got told possible called "1xxbot" sample:

b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a

Used to create hidden desktop and run selected browser there with full control.

Related to AsataFar…

cc @James_inthe_box @VK_Intel @Antelox pic.twitter.com/bFPqTmrSp6

- Malware Hunter Team (@malwrhunterteam) November 15, 2019

It is understood that the malware is compiled mainly with the C# compiler and includes a RemoteClient.Config class with four configurable values: IP, retip, filename and mutexName. The researchers found the following about the four variables:

the IP variable is related to the Trojan's command-and-control server;
the retip variable is intended to establish a new C2 server in the face of defenses;
the "set IP" command can be used to overwrite the server address and get past these defense systems;
the filename and mutexName variables are set but not used.
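The configuration identifiers above are the kind of artefact a responder looks for when triaging a suspected sample. The following script is an added example for this article, not code from the researchers or from the malware: it hashes a file, compares the digest with the SHA-256 that MalwareHunterTeam published, and scans for the RemoteClient.Config, retip and mutexName identifiers in both UTF-8 and UTF-16LE. The two encodings matter for .NET binaries, because type and member names are stored UTF-8 encoded in the #Strings metadata heap while string literals are stored UTF-16LE in the #US heap, so an ASCII-only string scan can miss half of them. The sample bytes and the scoring threshold are constructed for the demonstration.

```python
import hashlib

# IoC taken from MalwareHunterTeam's tweet quoted in the article.
KNOWN_SECTOPRAT_SHA256 = {
    "b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a",
}

# Identifiers the article attributes to the malware's configuration class.
CONFIG_MARKERS = ["RemoteClient.Config", "retip", "mutexName"]


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def find_markers(data: bytes, markers=CONFIG_MARKERS) -> dict:
    """Return {marker: [encodings in which it was found]} for markers present in data.

    .NET stores type/member names UTF-8 encoded (#Strings heap) and string
    literals UTF-16LE encoded (#US heap), so both encodings are checked.
    """
    hits = {}
    for marker in markers:
        encodings_found = []
        if marker.encode("utf-8") in data:
            encodings_found.append("utf-8")
        if marker.encode("utf-16-le") in data:
            encodings_found.append("utf-16-le")
        if encodings_found:
            hits[marker] = encodings_found
    return hits


def triage(data: bytes, min_markers: int = 2) -> dict:
    """Summarise one file: known-IoC match plus configuration-marker hits.

    min_markers (a constructed threshold) is the number of distinct markers
    needed to flag a file that does not match a known hash.
    """
    digest = sha256_of(data)
    markers = find_markers(data)
    ioc_match = digest in KNOWN_SECTOPRAT_SHA256
    return {
        "sha256": digest,
        "known_ioc_match": ioc_match,
        "config_markers": markers,
        "suspicious": ioc_match or len(markers) >= min_markers,
    }


# Constructed stand-in for a .NET binary: a type name in UTF-8 (as in the
# #Strings heap) and a field name as a UTF-16LE literal (as in the #US heap).
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"RemoteClient.Config" + b"\x00" * 8
    + "retip".encode("utf-16-le") + b"\x00" * 8
)

# Constructed benign file that carries none of the identifiers.
BENIGN_SAMPLE = b"MZ\x90\x00" + b"hello world" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("constructed", CONSTRUCTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(blob))
```

On a real investigation the two checks complement each other: the hash only matches the exact sample from the tweet, while the marker scan also catches rebuilt variants whose configuration class kept its names.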
In addition, the researchers found that the software appears to have some weaknesses: first, it uses hard-coded paths rather than environment variables to access system files; second, the decoding of the commands received after the information-gathering stage has not been completed.

The researchers said that, despite the program's obvious flaws, the techniques involved show that the people behind it have a certain level of expertise, so experts suspect that the Trojan may be just a test product.


Source: blog.51cto.com/14530594/2462667