GodRAT Campaign Hits Financial Sector


A new cyber-espionage campaign has emerged targeting financial institutions worldwide, leveraging a sophisticated malware family dubbed GodRAT. Based on the well-known Gh0st RAT codebase, GodRAT demonstrates how legacy malware frameworks are being repurposed and enhanced by advanced threat actors.

Severity Level: High

Threat Details

  1. Initial Access
    • Attackers distribute malicious screen saver (.scr) and Program Information File (.pif) executables disguised as financial documents (e.g., statements or trading data).
    • Delivery vector: file transfers over Skype messenger.
    • The shellcode is not carried in the executable itself but hidden inside an image file (steganography) that the loader reads at runtime, so static scanning of the dropped files sees only a legitimate-looking picture.
  2. Execution and Loading
    • The dropped files are a loader built around DLL sideloading: a legitimate host binary (Valve.exe) loads a malicious DLL named SDL2.dll from its own directory, which extracts the shellcode from the image and injects it into a process.
    • The shellcode connects to the attacker's C2 server and fetches the GodRAT DLL payload, which is executed in memory.
    • Persistence is achieved via a registry run key:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp
  3. GodRAT Capabilities
    • System reconnaissance: collects OS version, hostname, installed AV products, and user account information.
    • Process injection: GodRAT is injected into a newly spawned curl.exe or cmd.exe that is launched with the "-Puppet" command-line argument; this marker distinguishes the injection target from a normal instance of the same binary.
    • Command & Control (C2): traffic is encrypted and obfuscated, with a distinctive packet header (a network-detection opportunity once the header format is known).
    • Plugin support: notably the FileManager plugin, which enables:
      • File exfiltration, creation, deletion, modification, and searches.
      • Execution of arbitrary commands.
      • Deployment of additional payloads.
  4. Secondary Implants
    • Password stealers: masquerade as Chrome and Edge binaries and extract credentials saved in those browsers.
    • AsyncRAT: delivered through reflective loaders that include AMSI and ETW bypasses so the injection itself is not logged or scanned.
  5. Attribution
    • Strong links to Winnti APT via:
      • Similarities with AwesomePuppet RAT (2023).
      • Use of “-Puppet” command line parameter.
      • Shared code artifacts with Gh0st RAT.
    • Indicates an evolution of legacy implants repurposed for modern campaigns.
  6. Affected Regions: Hong Kong, UAE, Jordan, Lebanon, Malaysia
  7. Affected Sectors: Financial Institutions (Brokerage firms, Trading companies, Banks handling corporate customer transactions)

Recommendations

  1. Disable or tightly monitor Skype file transfers within corporate environments, especially .scr and .pif file types.
  2. Block execution of .scr, .pif, .com and .bat files on endpoints via Group Policy (e.g., AppLocker/Software Restriction Policies) or EDR rules; test a .bat block against administrative and build scripts before applying it broadly.
  3. Harden execution policies with application whitelisting (only allow signed, approved binaries).
  4. Detect DLL sideloading patterns, in particular Valve.exe loading SDL2.dll from a user-writable directory rather than a known install location.
  5. Create EDR rules to trigger on processes created with command-line argument “-Puppet” (GodRAT marker).
  6. Monitor for execution of binaries from unusual directories (on current Windows versions %ALLUSERSPROFILE% expands to C:\ProgramData, so match on the expanded path in EDR telemetry):
    • %ALLUSERSPROFILE%\google\chrome.exe (fake Chrome stealer)
    • %ALLUSERSPROFILE%\google\msedge.exe (fake Edge stealer)
  7. Monitor and alert on suspicious run key creation:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp
  8. Disable saving of credentials in Chrome and Edge within corporate environments.
  9. Encourage use of enterprise password managers with MFA enforcement.
  10. Block the published IOCs (hashes, C2 addresses and domains) at the corresponding controls (EDR, proxy, DNS, firewall):
    https://www.virustotal.com/gui/collection/45bede802e3ba31b061c8b1a85f7a397a82e2c2ef0daf240dbbc1b1e3a664bf8/iocs

Source:

  • https://securelist.com/godrat/117119/

Ampcus Cyber