SectopRAT Remote Access Trojan

SectopRAT is a newly observed .NET-based remote access trojan sold through hacking forums. Despite its use in a number of ongoing campaigns, it appears to still be in active development, with a number of unusable features.

At the time of publication, it is unclear how SectopRat is delivered, although there are unconfirmed reports indicating it may be distributed via watering hole attacks or drive-by-downloads.

Once installed, SectopRAT will attempt to connect to a command and control server using a hard-coded IP address before awaiting further commands, which are sent as specific byte values within network packets. By default, Sectops is able to perform the following actions:

• Collect user and system information
• Monitor mouse and keyboard inputs
• Launch hidden web browser sessions
• Download and install secondary payloads

SectopRAT is used in the wild but still looks unfinished and in parts hastily done. Some of the class names and also the name of the second desktop look like they were produced while trying to type arbitrarily on the keyboard because the keys are right next to each other and repeated by finger motion.

Despite obvious flaws like using hardcoded paths without environmental variables to access system files, the RAT’s architecture, the use of a second desktop and changes in browser configuration files and parameters show some internal knowledge that is far from a greenhorn. It is quite possible that the first samples in the wild are merely for testing. We expect to see new versions with additional features in the future.

Indicators of Compromise

File Details

Burataslop.exe and blad.exe

SHA256

b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a

URL

hxxp://45.142.213.230

---

Deobfuscated SectopRAT – SHA256

4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774

---

File Details

Veerfus413.exe and bssd.exe

SHA256

d5a3d47e1945e9d83a74a96f02a0751abd00078ee62e6d3a546a050e0db10d93

URL

hxxp://45.142.213.230