StealRAT was more of a botnet that piggybacked onto many breached WordPress sites back in July of 2013. StealRAT is an advancement in mass-mailing, or spamming. As new spam detection is released and put into place, spammers must find ways to circumvent these new technologies.
TrendMicro was one of the first companies to discover this piece of malware. As stated in their blog post, the malware's method consists of 3 essential components:
- Compromised website for sending spam
- Compromised systems for harvesting and delivering the spam data
- Compromised website for delivering the payload
Just recently, it was re-discovered by an individual researcher and posted to his blog. What's interesting about this discovery is that it was located on a server with a Joomla 2.5 installation, which has no known exploits, and after checking the logs, no zero-days or exploits were seen.
The StealRAT description can be found here.
The obfuscated and de-obfuscated PHP files found on the infected server can be found here.