SectopRAT is a newly observed .NET-based remote access trojan sold through hacking forums. Although it is already used in a number of ongoing campaigns, it still appears to be under active development, with several features that are not yet functional.
At the time of publication it is unclear how SectopRAT is delivered, although unconfirmed reports suggest it may be distributed via watering hole attacks or drive-by downloads.
Once installed, SectopRAT attempts to connect to a command and control server at a hard-coded IP address and then waits for commands, which are encoded as specific byte values in the network packets it receives. By default, SectopRAT is able to perform the following actions:
- Collect user and system information
- Monitor mouse and keyboard inputs
- Launch hidden web browser sessions
- Download and install secondary payloads
SectopRAT is used in the wild but still looks unfinished and in places hastily put together. Some of the class names, and the name of the second desktop, look like keyboard mashing: runs of adjacent keys repeated by finger motion rather than deliberately chosen identifiers.
Despite obvious flaws, such as hard-coded absolute paths instead of environment variables for accessing system files, the RAT's architecture, its use of a second desktop and its changes to browser configuration files and parameters show internal knowledge that is not the work of a beginner. It is quite possible that the first samples seen in the wild are merely test builds. We expect to see new versions with additional features in the future.
Indicators of Compromise
- Burataslop.exe and blad.exe
Deobfuscated SectopRAT – SHA256
- Veerfus413.exe and bssd.exe