StealRAT is a spam botnet, first documented in July 2013, that ran its mailing operation through large numbers of compromised WordPress (and other CMS) websites. It represents a step forward in mass-mailing: as new spam-detection techniques are deployed, spammers must find ways to get around them, and StealRAT's answer was to send through hacked websites rather than directly from infected machines.
Trend Micro was among the first to document this malware. As described in their blog post, its operation has three main parts:
- Compromised website for sending spam
- Compromised systems for harvesting and delivering the spam data
- Compromised website for delivering the payload
More recently, an independent researcher rediscovered it and wrote it up on his blog. What makes this finding interesting is that the infection sat on a server running Joomla 2.5; the researcher knew of no exploit for that installation and, after reviewing the logs, found no sign of a zero-day or any other exploit being used. Web server logs alone cannot rule out other entry points such as stolen FTP or administrator credentials or a vulnerable extension, so an inconclusive log review is not the same as a clean one.
A description of StealRAT can be found here.
Obfuscated and de-obfuscated PHP files found on the infected server can be found here.
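Since the infection was found as obfuscated PHP dropped into an otherwise ordinary CMS install, the practical check is a scan of the web root for files carrying common obfuscation and spam-mailer traits. The script below is an added example, not code from the StealRAT write-up or from either researcher; the patterns are generic webshell/spambot heuristics, not signatures for StealRAT's samples, and the two PHP files it scans are constructed here for illustration. Every hit still needs manual review.

```python
"""Scan a web root for PHP files showing common obfuscation / spam-mailer indicators.

Added triage example, not code from the StealRAT write-up. The regexes are
ordinary webshell/spambot heuristics, not StealRAT signatures; treat hits as
leads to inspect by hand, not as verdicts.
"""
import os
import re
import tempfile

# Each indicator: (name, compiled regex). Clean CMS code rarely matches any of them.
INDICATORS = [
    # eval() fed straight from a decoder: the classic one-line dropper
    ("eval_of_decoder",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # a very long base64-looking string literal (an encoded payload)
    ("long_base64_literal",
     re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]""")),
    # preg_replace with the /e modifier runs the replacement as PHP code (pre-PHP 7)
    ("preg_replace_e_modifier",
     re.compile(r"""preg_replace\s*\(\s*['"][^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]""")),
    # function names assembled from chr() calls or \x escapes to dodge grep
    ("chr_concatenation",
     re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){3,}", re.I)),
    ("hex_escaped_string",
     re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")),
    # calling a function whose name lives in a variable: $f("...")
    ("dynamic_function_call",
     re.compile(r"\$[A-Za-z_]\w*\s*\(")),
]
MAIL_CALL = re.compile(r"\bmail\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")


def scan_php_source(src: str) -> list[str]:
    """Return the names of indicators found in one PHP source text (empty if clean)."""
    hits = [name for name, rx in INDICATORS if rx.search(src)]
    # mail() driven by request parameters is the shape of a remotely driven spam relay
    if MAIL_CALL.search(src) and REQUEST_INPUT.search(src):
        hits.append("mail_from_request_input")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and return {relative_path: indicators} for every PHP file with hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples (not real malware): an ordinary Joomla-style component file,
# and an obfuscated mailer of the kind this scan is meant to surface. In the
# second, $f holds "base64_decode" spelled out in \x escapes.
CLEAN_SAMPLE = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
echo JText::_('COM_EXAMPLE_HELLO');
"""

SUSPICIOUS_SAMPLE = """<?php
$f = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65";
eval(gzinflate($f('""" + "QUJD" * 80 + """')));
if (isset($_POST['to'])) { mail($_POST['to'], $_POST['subj'], $_POST['body']); }
"""


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_SAMPLE)
        with open(os.path.join(root, "cache", "sys.php"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Point `scan_tree()` at the real document root (for example `/var/www/html`) to triage a suspect server; pairing its output with file modification times and the web server's access log for the same paths is usually what turns a list of hits into the actual dropped file.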