
The RAT race: What happens when RATs go undetected

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email carrying an exploit for CVE-2024-38213, which bypasses Windows' Mark of the Web (MotW) security feature. The malware uses WebDAV directories and Cloudflare's free tunnel service to host and execute several RATs, including DcRAT, AsyncRAT, and XWorm, as well as the PureLog Stealer. The payloads are delivered through obfuscated batch files and compiled Python scripts, and rely on memory-only execution techniques to evade detection. The attackers operate multiple C2 domains registered through the DuckDNS service, resolving to IP addresses in the U.S. The analysis highlights the importance of early threat detection in preventing a potential ransomware deployment or data exfiltration.

OPENCTI LABELS:

rat, dcrat, xworm, cve-2024-38213, purelog stealer
