An unusual attack tool has caught the attention and piqued the curiosity of G DATA analyst Hendrik Eckardt.
The discovered RAT is apparently designed for networks where defenders take a close look at what is happening, annoyingly close from the attackers' point of view.
The malware, called CSharp-Streamer, stands out first because it is installed using a heavily obfuscated Powershell script.
Undoing this obfuscation in order to find out what the script does is extremely tedious, although possible.
Once that installer obfuscation has been stripped away, things are quite straightforward: the RAT itself is not obfuscated at all, and the software immediately reveals what you are dealing with.
There is a hodgepodge of different tools, all of which are freely available.
From keyloggers and a variant of Mimikatz to injection tools for DLL files, there is a lot on offer.
The range of functions goes beyond that of other RATs: in addition to a keylogger, there is also a tool that can upload files directly to a file hosting service via a corresponding API.

Targeted

The tool is obviously designed to prepare the rollout of ransomware.
The most important functions for this - stealing access data, exploring the network to spread laterally and tapping information - are available.
In other words, csharp-streamer has all the means for the now almost classic double extortion.
If affected companies do not pay a ransom for decryption, the perpetrators threaten to publish the captured data on the Internet.
It can safely be assumed that groups of criminals follow through on these threats in the majority of cases.
Hidden

A special feature is one of the options that csharp-streamer can use for communication.
This option is used when the other communication protocols cannot get past a firewall.
Although this is not completely uncommon, it is nevertheless unusual, and it makes the communication as a whole more resistant to restrictive firewall configurations.
Such restrictive firewall control is not common in most smaller networks, which suggests that csharp-streamer is designed for use in larger corporate networks, where firewalls impose more restrictions.
One assumption is that individuals or entire teams who originally worked for REvil have switched to this group.
After all, even the underworld has a lot of revolving doors.
All technical details about csharp-streamer can be found in our Analysis on the blog of G DATA Advanced Analytics at www.
This Cyber News was published on www.gdatasoftware.com. Publication date: Wed, 06 Dec 2023 15:43:05 +0000