ReverseRAT, a remote access trojan used in major attack projects targeting organization in South and Central Asia, Called by Black Lotus researchers as ReverseRAT 2.0, the new variant is being used alongside a new agent called NightFury.
- It relies on NightFury instead of AlkaKore, an open-source RAT that was used in the previous iteration.
- The new variant leverages new functionalities and modified command calls related to creating, listing, and deleting registry keys.
- ReverseRAT 2.0 adds new capabilities to capture photos via webcams from infected machines and to steal files from USB connections.
- Researchers spotted an updated version of the preBotHta loader file that helps threat actors to bypass antivirus products.
- The new ReverseRAT 2.0 appears to have targeted organizations in Afghanistan, with a handful in Jordan, India, and Iran.
- The other data collected by the trojan includes MAC address, physical memory on the device, information about the processor, computer name, and IP address.
ReverseRAT continues to stride ahead
- ReverseRAT 2.0 is emerging as a new threat, the previous iteration continues to see its prominence in sophisticated campaigns.
- The SideCopy cybercriminals had expanded their cyberespionage activities to deploy multiple RATs such as DetaRAT, ReverseRAT, MargulasRAT, and ActionRAT on victims’ computers.
- The intrusion had begun in January 2021 and went undetected for around six months.
Researchers anticipate more attacks on government and energy organizations in the South and Central Asia regions in the future. Moreover, the discovery of a new NightFury agent used alongside the 2.0 version of ReverseRAT demonstrates the attackers’ rigorous attempt to further evade detection. However, since most of the attacks rely on phishing emails as a part of the initial infection vector, organizations should take proactive measures in detecting such emails.