LimeRAT is an open-source remote access trojan with an easy-to-use configuration and control interface. Because its source is public it has received several feature improvements from third parties, and its accessibility has made it a popular choice with less skilled attackers.
Whilst LimeRAT has so far only been observed being delivered via phishing campaigns, its open-source nature means other distribution methods could easily be used in future campaigns.
Once the payload has executed on a victim's machine, LimeRAT connects to a command and control server and sends information about the operating system and hardware of the affected system. Using the control interface, the attacker then selects the trojan's behaviour from the options built into the payload. At present, the following functionality has been observed:
- Download and execution of additional files.
- Encryption of user files.
- Deployment of a Monero cryptocurrency miner.
- Enabling Remote Desktop Protocol.
- Stealing information, including simple keylogging.
- Spreading to other machines by replacing files on USB devices, and overwriting the shortcut paths of pinned taskbar applications.
Indicators of Compromise
SHA256 File Hashes
The following capability list is the LimeRAT project's own, taken from its README:
- Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0
- Using pastebin.com as ip:port, Instead of noip.com DNS. And Also using multi-ports
- Using plugin system to decrease stub's size and lower the AV detection
- The communication between server & client is encrypted with AES
- Infecting all files and folders on USB drives
- Low AV detection and undetected startup method
- Payload size is about 25 KB
- Anti Virtual Machines
  - Uninstall itself if the machine is virtual to avoid scanning or analyzing
- Encrypting files on all HDD and USB with .Lime extension
- XMR Miner
  - High performance Monero CPU miner with user idle\active optimizations
- Creating a powerful DDoS attack to make an online service unavailable
- Crypto Stealer
  - Stealing Cryptocurrency sensitive data
- Prevents user from accessing their Windows GUI
- And more
  - On Connect Auto Task
  - Force enable Windows RDP
  - File manager
  - Passwords stealer
  - Remote desktop
  - Bitcoin grabber
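Three of the behaviours above translate directly into hunting logic: the pastebin.com raw-paste fetch that supplies the C2 ip:port (followed within seconds by an outbound connection from the same host), files written with the .Lime extension, and the registry change Windows uses when RDP is force-enabled (fDenyTSConnections set to 0 under the Terminal Server key). The Python below is an added example, not code from this page or from the LimeRAT project; the event schema, the field names and the sample records are constructed for illustration, and the port heuristic (ignore 80/443 so the paste fetch itself is not flagged) is an assumption a real deployment would tune.

```python
"""Hunting logic for three LimeRAT behaviours: pastebin-bootstrapped C2,
.Lime ransomware extension, and forced RDP enablement.

Added example. The telemetry schema (one dict per event with ts/host/type
plus type-specific fields) and SAMPLE_EVENTS are constructed, not real logs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. WS01 shows the full LimeRAT pattern; WS02 is
# a user reading a paste over HTTPS and must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T10:00:00", "host": "WS01", "type": "http",
     "url": "https://pastebin.com/raw/abc123"},
    {"ts": "2019-05-01T10:00:04", "host": "WS01", "type": "netconn",
     "dst": "203.0.113.10", "dport": 8989},
    {"ts": "2019-05-01T10:02:00", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Documents\report.docx.Lime"},
    {"ts": "2019-05-01T10:03:00", "host": "WS01", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
    {"ts": "2019-05-01T11:00:00", "host": "WS02", "type": "http",
     "url": "https://pastebin.com/raw/notes42"},
    {"ts": "2019-05-01T11:00:01", "host": "WS02", "type": "netconn",
     "dst": "104.20.0.1", "dport": 443},
]

PASTE_WINDOW = timedelta(seconds=30)   # assumed: bootstrap follows fetch quickly
COMMON_PORTS = {80, 443}               # assumed: ignore ordinary web traffic
RAW_PASTE = re.compile(r"^https?://pastebin\.com/raw/", re.IGNORECASE)
TS_KEY = r"\terminal server"           # suffix of the Terminal Server key


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def hunt(events):
    """Return a list of (host, rule, detail) findings.

    Rules:
      pastebin_bootstrap  raw paste fetch, then a non-web-port connection
                          from the same host inside PASTE_WINDOW
      lime_extension      file written with the .Lime extension
      rdp_enabled         fDenyTSConnections set to 0 (RDP force-enabled)
    """
    findings = []
    last_paste = {}  # host -> time of its most recent raw paste fetch
    for ev in sorted(events, key=_when):
        host, kind, now = ev["host"], ev["type"], _when(ev)
        if kind == "http" and RAW_PASTE.match(ev["url"]):
            last_paste[host] = now
        elif kind == "netconn":
            seen = last_paste.get(host)
            if (seen is not None and now - seen <= PASTE_WINDOW
                    and ev["dport"] not in COMMON_PORTS):
                gap = int((now - seen).total_seconds())
                findings.append((host, "pastebin_bootstrap",
                                 f"{ev['dst']}:{ev['dport']} {gap}s after raw paste fetch"))
        elif kind == "file" and ev["path"].lower().endswith(".lime"):
            findings.append((host, "lime_extension", ev["path"]))
        elif (kind == "registry"
              and ev["key"].lower().endswith(TS_KEY)
              and ev["value"].lower() == "fdenytsconnections"
              and ev["data"] == 0):
            findings.append((host, "rdp_enabled", ev["key"] + "\\" + ev["value"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:20} {detail}")
```

The pastebin rule is deliberately a two-event correlation rather than a bare "pastebin.com was contacted" match: the fetch alone is common user behaviour, while a fetch followed within seconds by a connection to an arbitrary high port is the ip:port bootstrap the README describes. The .Lime and fDenyTSConnections rules are single-event matches and cheap enough to run over historical file and registry telemetry for scoping.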