
RotBot
Type of Malware
Remote Access Trojan
Country of Origin
Vietnam
Date of initial activity
2024
Associated Groups
CoralRaider
Targeted Countries
India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam
Motivation
It performs reconnaissance of system data on the victim machine and downloads other malware.
Attack vectors
It is downloaded and runs on the victim machine disguised as a Printer Subsystem application “spoolsv.exe.”
Targeted systems
Windows
Overview
RotBot is a variant of the QuasarRAT client that the CoralRaider threat actor has customized and compiled for the January 2024 campaign.
Targets
Windows devices in India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam.
How they operate
During its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including checks of the machine’s IP address, ASN, and running processes. It then performs reconnaissance of system data on the victim machine. Talos found that the RotBot sample discovered in the January 2024 campaign creates a mutex on the victim machine as an infection marker, using hardcoded strings in the binary.
Significant Malware Campaigns
The threat actor uses a Telegram bot as a C2 channel to exfiltrate the victim’s data (April 2024).
References:
The post RotBot (Remote Access Tool) – Malware first appeared on CyberMaterial.