
SquirtDanger RAT Botnet

SquirtDanger is a newly observed remote access trojan (RAT) and botnet being sold on several dark net marketplaces.

At the time of publication, it is unclear how SquirtDanger is being delivered, although there are unconfirmed reports that it is being distributed through spam campaigns run by the botnet itself. Once delivered, SquirtDanger creates an installation directory and copies itself into it.

Once this is done it launches a new instance of itself from the installed copy and then terminates the original process. SquirtDanger then creates a second executable that acts as a persistence mechanism: if this executable does not detect a running instance of SquirtDanger, it writes a fresh copy to disk and spawns a new instance.
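The copy-relaunch-terminate sequence described above is a detectable pattern in process telemetry. The following is an added detection example, not code from the original post; the Sysmon-like event records, process names and paths are constructed for illustration only.

```python
# Added example (not from the original post): flag a process that spawns a
# same-named copy of itself from another directory and then exits shortly after,
# the self-relaunch behaviour described for SquirtDanger.
from collections import namedtuple
import ntpath  # handles Windows paths regardless of the host OS

Event = namedtuple("Event", "ts kind pid ppid image")

# Constructed sample telemetry (Sysmon-style create/terminate events).
# All names and paths are illustrative, not indicators from the post.
EVENTS = [
    Event(0, "create",    100, 1,   r"C:\Users\u\Downloads\invoice.exe"),
    Event(2, "create",    101, 100, r"C:\Users\u\AppData\Roaming\svc\invoice.exe"),
    Event(3, "terminate", 100, 1,   r"C:\Users\u\Downloads\invoice.exe"),
    Event(4, "create",    102, 101, r"C:\Users\u\AppData\Roaming\svc\guard.exe"),
    Event(5, "create",    200, 1,   r"C:\Windows\explorer.exe"),
    Event(6, "create",    201, 200, r"C:\Windows\notepad.exe"),
    Event(7, "terminate", 200, 1,   r"C:\Windows\explorer.exe"),
]


def find_self_relaunch(events, window=10):
    """Return (parent_pid, child_pid, child_image) for each parent that starts a
    same-named binary from a different directory and terminates within `window`
    seconds of doing so. Benign parent/child pairs with different names are ignored."""
    creates = {e.pid: e for e in events if e.kind == "create"}
    exits = {e.pid: e.ts for e in events if e.kind == "terminate"}
    hits = []
    for child in creates.values():
        parent = creates.get(child.ppid)
        if parent is None:
            continue  # parent not seen in this telemetry window
        same_name = (ntpath.basename(parent.image).lower()
                     == ntpath.basename(child.image).lower())
        moved = (ntpath.dirname(parent.image).lower()
                 != ntpath.dirname(child.image).lower())
        parent_exit = exits.get(parent.pid)
        if (same_name and moved and parent_exit is not None
                and 0 <= parent_exit - child.ts <= window):
            hits.append((parent.pid, child.pid, child.image))
    return hits


if __name__ == "__main__":
    for parent_pid, child_pid, image in find_self_relaunch(EVENTS):
        print(f"self-relaunch: pid {parent_pid} -> pid {child_pid} ({image})")
```

A follow-on check for the watchdog behaviour would look for the same image being re-created after its process terminated, with a different parent each time.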

It allows attackers to take screenshots, steal passwords, download files and even steal the contents of cryptocurrency wallets.

SquirtDanger comes with a wealth of functionality, including the following:

  • Take screenshots
  • Delete malware
  • Send file
  • Clear browser cookies
  • List processes
  • Kill process
  • List drives
  • Get directory information
  • Download file
  • Upload file
  • Delete file
  • Steal wallets
  • Steal browser passwords
  • Swap identified wallets in the victim’s clipboard
  • Execute file

For a full list of C2 servers, as well as their first seen timestamps, please refer to the following link.

For a full list of distribution servers, as well as their first seen timestamps, please refer to the following link.

Affected Platforms

Microsoft Windows – All versions




Duncan

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
