WebRAT is an information-stealing backdoor that first appeared earlier this year, originally spreading via cheats for popular games like Roblox and Counter-Strike. Security reports indicate the malware is capable of harvesting credentials for platforms such as Steam, Discord, and Telegram, while also stealing cryptocurrency wallet data and spying on victims via webcams.
Since September, the operators have shifted their focus toward creating sophisticated GitHub repositories that mimic legitimate security research. These repositories claim to host exploits for significant vulnerabilities, including critical bugs in Windows MSHTML and WordPress plugins. Researchers believe the descriptive text in these repositories was generated using artificial intelligence to increase their perceived legitimacy.
The infection process begins when a user downloads a password-protected ZIP file containing a complex execution chain. This package includes a decoy DLL file, a batch script, and a primary dropper executable. To bypass security measures, the dropper is designed to elevate its system privileges and actively disable Windows Defender before pulling the final malware payload from a remote server.
Once the malware is active on a system, it employs multiple techniques to ensure it remains hidden and persistent. It modifies the Windows Registry, utilizes the Task Scheduler to run automatically, and hides its components within random system directories. This makes the malware difficult to remove manually even after the initial intrusion has been detected.
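A defender-side triage pass over the behaviours the two paragraphs above describe (Defender switched off, Run-key persistence, scheduled-task persistence pointing into a random directory), as an added example that is not part of the article or of Kaspersky's analysis. The telemetry format, host names, task names and file paths are constructed for the example; the Run key and the Defender policy value names are the standard Windows ones.

```python
import re

# Constructed sample telemetry (not from the article): "host|event|detail" lines,
# loosely modelled on Sysmon registry-set and scheduled-task creation events.
SAMPLE_EVENTS = """\
ws01|reg_set|HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware=1
ws01|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc=C:\\Windows\\Temp\\x9f2k1q\\svchost.exe
ws01|task_create|\\Updater=C:\\Windows\\Temp\\x9f2k1q\\svchost.exe
ws02|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe
ws02|task_create|\\Microsoft\\Windows\\Defrag\\ScheduledDefrag=C:\\Windows\\System32\\defrag.exe
"""

# Real Defender policy values; setting either to 1 turns protection off.
DEFENDER_KILL = re.compile(
    r"Windows Defender\\(?:Real-Time Protection\\)?(DisableAntiSpyware|DisableRealtimeMonitoring)=1$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^=]+=(.+)$", re.I)
# Install roots we treat as trusted; an auto-start binary anywhere else gets a closer look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows\system32")
# A directory name that looks machine-generated: 6+ characters mixing letters and digits.
RANDOM_DIR = re.compile(r"\\(?=[a-z0-9]{6,}\\)(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]+\\", re.I)


def suspicious_path(path: str) -> bool:
    """True if an auto-start target sits outside trusted roots in a random-looking directory."""
    p = path.strip().lower()
    if p.startswith(TRUSTED_ROOTS):
        return False
    return bool(RANDOM_DIR.search(p))


def triage(events: str, min_hits: int = 2) -> dict:
    """Group events by host; report hosts showing at least min_hits of the three behaviours."""
    hits = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        host, kind, detail = line.split("|", 2)
        found = hits.setdefault(host, set())
        if kind == "reg_set" and DEFENDER_KILL.search(detail):
            found.add("defender_disabled")
        elif kind == "reg_set" and (m := RUN_KEY.search(detail)) and suspicious_path(m.group(1)):
            found.add("run_key_persist")
        elif kind == "task_create":
            _name, _, action = detail.partition("=")  # task name=executable it launches
            if suspicious_path(action):
                found.add("task_persist")
    return {h: sorted(f) for h, f in hits.items() if len(f) >= min_hits}


if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Requiring two of the three behaviours on the same host keeps a lone Run-key entry from a legitimate installer from paging anyone, while the combination the article describes still surfaces.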
Analysis from Kaspersky suggests that while the delivery method has become more sophisticated, the malware itself remains consistent with earlier versions. The core capabilities of the current WebRAT variant match previously documented samples, confirming that the attackers are simply finding more creative ways to deploy their existing toolkit against a new demographic of targets.
Source: Webrat Malware Spread Via Fake Vulnerability Exploits On Github