Friday, March 17, 2017

StealRAT pops back up in 2014

StealRAT is a spam botnet that piggybacked on many breached WordPress sites back in July 2013. It represents an advancement in mass-mailing: as new spam-detection techniques are released and put into place, spammers must find ways to circumvent them.

Trend Micro was one of the first companies to document this malware. As stated in their blog post, its operation consists of three essential components:

  • Compromised website for sending spam
  • Compromised systems for harvesting and delivering the spam data
  • Compromised website for delivering the payload

[Figure: StealRAT infection diagram]


Just recently, it was rediscovered by an individual researcher and posted to his blog. What is interesting about this discovery is that it was located on a server running a Joomla 2.5 installation, which has no known exploits, and after checking the logs, no zero-day or exploit activity was seen.

StealRAT description can be found here.

Obfuscated and de-obfuscated PHP files found on infected server can be found here.
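The infection chain above rests on PHP scripts dropped into compromised CMS web roots, and the obfuscated files linked above are what an incident responder actually has to read. The following is an added example, not code from the original post, from the researcher's blog or from Trend Micro's analysis: a static triage script that peels the common eval(gzinflate(base64_decode("..."))) wrapper layers and flags generic indicators (eval, base64_decode, gzinflate, str_rot13, preg_replace with the /e modifier, mail()). The indicator list is generic to PHP droppers and mailers and is not a StealRAT signature, and both sample files it scans are constructed inline.

```python
"""Static unwrapper / triage for obfuscated PHP found on a compromised web root.

Added example, not StealRAT's code. Indicators are generic to PHP droppers
and mailers; both sample files below are constructed inline for the demo.
"""
import base64
import binascii
import codecs
import pathlib
import re
import zlib

# Indicators a reviewer looks for first. The key is the label reported.
INDICATORS = {
    "eval":           re.compile(r"\beval\s*\(", re.I),
    "base64_decode":  re.compile(r"\bbase64_decode\s*\(", re.I),
    "gz_inflate":     re.compile(r"\bgz(?:inflate|uncompress|decode)\s*\(", re.I),
    "str_rot13":      re.compile(r"\bstr_rot13\s*\(", re.I),
    "preg_replace_e": re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "mail":           re.compile(r"\bmail\s*\(", re.I),
    "variable_func":  re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$"),   # $f($x) style dispatch
    "long_literal":   re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}

# One obfuscation layer: eval( f1( f2( "payload" ) ) );
LAYER = re.compile(
    r"eval\s*\(\s*(?P<funcs>(?:[a-z0-9_]+\s*\(\s*)+)"
    r"['\"](?P<payload>[^'\"]*)['\"]\s*(?:\)\s*)+;?",
    re.I,
)


def _decode(func, data):
    """Emulate the PHP decoding primitives the wrappers chain together."""
    f = func.lower()
    if f == "base64_decode":
        return base64.b64decode(data)
    if f == "gzinflate":                      # PHP gzinflate() is raw DEFLATE
        return zlib.decompress(data, -15)
    if f == "gzuncompress":                   # zlib-wrapped
        return zlib.decompress(data)
    if f == "gzdecode":                       # gzip-wrapped
        return zlib.decompress(data, 16 + 15)
    if f == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    if f == "strrev":
        return data[::-1]
    raise ValueError(f"unsupported wrapper {func}")


def unwrap(source, max_layers=10):
    """Statically peel eval(f(g("..."))) layers; returns (final_source, wrappers_seen)."""
    layers = []
    for _ in range(max_layers):
        m = LAYER.search(source)
        if not m:
            break
        funcs = re.findall(r"[a-z0-9_]+", m.group("funcs"), re.I)
        data = m.group("payload").encode("latin-1")
        try:
            for f in reversed(funcs):         # innermost call runs first
                data = _decode(f, data)
        except (ValueError, zlib.error, binascii.Error):
            break                             # leave what we cannot decode statically
        layers.append(" -> ".join(funcs))
        # eval() would execute the decoded text, so splice it in where the eval stood.
        source = source[:m.start()] + data.decode("latin-1", "replace") + source[m.end():]
    return source, layers


def scan(source):
    """Return the sorted indicator labels that fire on a PHP source string."""
    return sorted(label for label, rx in INDICATORS.items() if rx.search(source))


def triage(source):
    """Unwrap, scan raw and unwrapped text, and give a simple verdict."""
    final, layers = unwrap(source)
    hits = sorted(set(scan(source)) | set(scan(final)))
    verdict = "suspicious" if layers or len(hits) >= 2 else "clean"
    return {"layers": layers, "hits": hits, "verdict": verdict, "code": final}


def triage_tree(root):
    """Yield (path, triage result) for every .php file under a web root."""
    for p in pathlib.Path(root).rglob("*.php"):
        yield p, triage(p.read_text(encoding="latin-1"))


# --- constructed samples (not real StealRAT files) ---------------------------
def _raw_deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


_INNER = b'mail($_POST["t"], $_POST["s"], $_POST["b"], $_POST["h"]);'
_LAYER1 = b'eval(base64_decode("' + base64.b64encode(_INNER) + b'"));'
SAMPLE_MAILER = ('<?php\neval(gzinflate(base64_decode("'
                 + base64.b64encode(_raw_deflate(_LAYER1)).decode() + '")));\n')
SAMPLE_CONTACT = ('<?php\nif (isset($_POST["msg"])) { '
                  'mail("admin@example.com", "Contact", $_POST["msg"]); }\n')

if __name__ == "__main__":
    for name, src in (("mailer.php", SAMPLE_MAILER), ("contact.php", SAMPLE_CONTACT)):
        r = triage(src)
        print(name, r["verdict"], r["layers"], r["hits"])
```

The two-layer mailer unwraps to a bare mail() call fed entirely from POST parameters, which is the shape of a remote-controlled spam relay; the contact form also calls mail() but carries no wrapper layers and only one indicator, so it stays clean. On a real web root, run triage_tree() and review every file with layers, then diff the unwrapped code against the CMS's own sources before deciding anything.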

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
