A remote access trojan (RAT) with capabilities ranging from stealing credentials stored in browsers to accessing a victim’s webcam is making the rounds. Dubbed KilerRat, it is for now being used by groups in the Middle Eastern region, though it appears to have a global reach.
This RAT could be classified as a variant of the well-known NJrat, according to AlienVault. The firm said that they share many similar features, such as their display style, various capabilities and a general template for communication methods.
“However, where NJrat left off, KilerRat has taken over,” explained AlienVault researcher Peter Ewane, in a blog. “KilerRat is a very feature-rich RAT with an active development force that is rapidly gaining in popularity.”
The RAT allows an attacker to do many things, including: delete, edit, rename, copy, paste, download and create new folders and files, in addition to navigating the file system; list, suspend, resume, kill, and kill-and-delete processes; start a Remote Desktop session; obtain access to the victim's system camera and display a live feed; open a reverse shell on the victim, which allows the attacker to input commands directly on the system; manipulate the victim's system registry (create, edit and delete keys and values); log keystrokes; and collect stored passwords from various browsers.
Like NJrat, a KilerRat-infected victim, on connecting to the command and control (CnC) server, sends information about the victim system, malware version, open windows, etc. Through the CnC server software, the attacker can also build and configure the malware to spread via physical devices such as USB drives, and to use the victim as a pivot point to gain more access laterally throughout the network.
“Even though this RAT is built upon the well-known NJrat, at the time of testing many antivirus tools had a difficult time detecting it around the time of its release,” said Ewane. “That being said, there are several ways one could detect a KilerRat infection. One way is utilizing YARA rules for NJrat, as many of them trigger on KilerRat due to their shared codebase.”