By Asheer Malhotra.
- Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
- Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
- One of the plugins is a ransomware known as “Hansom.”
- CRAT has been attributed to the Lazarus APT Group in the past.
- The RAT employs multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, and to evade static detection.
- The attack also employs a multitude of anti-infection checks to evade sandbox-based detection systems.