Delaware, USA – November 22, 2019 – The new Remote Access Trojan was first discovered a week ago by MalwareHunterTeam, prompting researchers from G Data to search for further samples and analyze them. SectopRAT is still under active development but already has interesting functions; the detected samples are more likely test versions of the trojan than a full-fledged “combat unit”. The first sample found was compiled on November 13 and the second on the following day; the earlier SectopRAT version is signed with a certificate issued by Sectigo RSA Code Signing CA, while the later version is unsigned. The two samples also use different icons. The malware authors obfuscate the binary with ConfuserEx and use arbitrary characters in file names. For now, SectopRAT contains a RemoteClient.Config class with 4 configuration variables: mutexName, filename, IP, and retip. The detected versions use only the ‘IP’ and ‘retip’ variables, which hold the address of the command-and-control server.
The malware tries to mimic the legitimate Microsoft service spoolsv.exe and is capable of streaming the active desktop session or creating a secondary one. It creates the secondary desktop hidden from view under the hardcoded desktop name “sdfsddfg”; the adversaries can then send the “Init browser” packet to launch Chrome, Firefox or Internet Explorer on it, changing the browser configuration through start parameters and registry modifications that disable security settings. The attackers will apparently continue to improve their trojan and add functions for actions in the hidden desktop session. You can use the community rule pack available on Threat Detection Marketplace to closely monitor MS Windows and Active Directory security events and discover suspicious activity: https://my.socprime.com/en/integrations/windows-security-monitor
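As an added illustration of the defender's side (example code written for this post, not part of the original article or of G Data's research), the detector below runs two checks derived from the behaviour described above over constructed Sysmon-style process-creation records. It assumes that the spoolsv.exe mimicry appears as a process named spoolsv.exe outside the genuine System32 location, and that a browser started on the hidden desktop shows up as a child of that masquerading process; neither detail is stated in the article.

```python
# Added example, not from the original article: flags SectopRAT-style
# behaviour in process-creation telemetry. Assumptions (not on the page):
#  - mimicry = a process named spoolsv.exe whose path is not the genuine one;
#  - a browser launched via "Init browser" is a child of that fake spoolsv.exe.
import ntpath

GENUINE_SPOOLSV = r"c:\windows\system32\spoolsv.exe"
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}


def check_event(event):
    """Return a list of finding strings for one process-creation record."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    findings = []
    # 1. spoolsv.exe masquerade: right file name, wrong location.
    if ntpath.basename(image) == "spoolsv.exe" and image != GENUINE_SPOOLSV:
        findings.append(f"spoolsv.exe masquerade: {event['Image']}")
    # 2. A print spooler, genuine or not, has no business launching a browser.
    if ntpath.basename(parent) == "spoolsv.exe" and ntpath.basename(image) in BROWSERS:
        findings.append(f"browser {ntpath.basename(image)} spawned by {event['ParentImage']}")
    return findings


def scan(events):
    """Run check_event over every record; return (ProcessId, finding) pairs."""
    return [(e["ProcessId"], f) for e in events for f in check_event(e)]


# Constructed sample records, not real telemetry: one genuine spooler, one
# fake spooler in a user profile, a browser spawned by the fake spooler, and
# a browser started normally from explorer.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 5120, "Image": r"C:\Users\user\AppData\Roaming\spoolsv.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5188, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\spoolsv.exe"},
    {"ProcessId": 6000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)  # expects findings for PIDs 5120 and 5188 only
```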