LimeRAT Remote Access Trojan

LimeRAT is open-source remote access trojan featuring an easy to use configuration and control interface. It has undergone several feature improvements as a result of its open-source nature, and its accessibility has made it a popular choice with less skilled attackers.

Whilst LimeRAT has currently only been observed being delivered via phishing campaign, its open-source nature means other distribution methods may be easily used in future campaigns.

Once the payload has been delivered to a user, LimeRAT connects to a command and control server before sending information about the operating system and hardware of the affected system. Using the control interface, the attacker can then choose its behaviour based upon the options built into the payload. At present, the following functionality has been observed:

  • Download and execution of additional files.
  • Encryption of user files.
  • Deployment of a Monero cryptocurrency miner.
  • Enabling Remote Desktop Protocol.
  • Stealing information, including simple keylogging.
  • Spreading to other machines by replacing files on USB devices and overwriting shortcut paths of pinned task bar applications.

Indicators of Compromise

IP Addresses

  • 1.4.1[.]0


SHA256 File Hashes

  • 27a3fc452725be3bbf5e82f96228b16bedd8747bbf5638c8277e7c76f07c857c

Main Features

  • .NET
    • Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0
  • Connection
    • Using as ip:port , Instead of DNS. And Also using multi-ports
  • Plugin
    • Using plugin system to decrease stub’s size and lower the AV detection
  • Encryption
    • The communication between server & client is encrypted with AES
  • Spreading
    • Infecting all files and folders on USB drivers
  • Bypass
    • Low AV detection and undetected startup method
  • Lightweight
    • Payload size is about 25 KB
  • Anti Virtual Machines
    • Uninstall itself if the machine is virtual to avoid scanning or analyzing
  • Ransomware
    • Encrypting files on all HHD and USB with .Lime extension
  • XMR Miner
    • High performance Monero CPU miner with user idle\active optimizations
  • DDoS
    • Creating a powerful DDOS attack to make an online service unavailable
  • Crypto Stealer
    • Stealing Cryptocurrency sensitive data
  • Screen-Locker
    • Prevents user from accessing their Windows GUI
  • And more
    • On Connect Auto Task
    • Force enable Windows RDP
    • Persistence
    • File manager
    • Passowrds stealer
    • Remote desktop
    • Bitcoin grabber
    • Downloader
    • Keylogger

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: