
Tracking an evolving Discord-based RAT family

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

ReversingLabs has identified four new remote access trojans (RATs) that use Discord for command and control (C2). The RATs, operated by the STD Group, are Minecraft RAT, UwUdisRAT, STD RAT, and Propionanilide RAT. All are written in C++ and hide the Discord bot token used for C2 behind a ROT23 (Caesar-shift) cipher. The analysis traces the family's evolution from single payloads to experimentation with packers, most visibly in Propionanilide RAT. The report gives details on each variant, including file indicators and YARA rules for detection.

OPENCTI LABELS :

discord,propionanilide rat,propionanilide,minecraft rat,std rat,uwudisrat


AI COMMENTARY :

1. Introduction Threat actors keep moving C2 onto legitimate services because traffic to those services blends in with normal use. ReversingLabs has documented a family of remote access trojans (RATs) that use Discord for command and control. The report, titled "Tracking an evolving Discord-based RAT family," attributes the activity to the STD Group and describes four new RAT variants that talk to their operators through Discord's bot API. This commentary covers how the samples work, how the family has changed over time, and what defenders can do with the indicators and rules the report provides.

2. Meet the STD Group’s Discord-based RAT Arsenal The STD Group's four RATs are named Minecraft RAT, UwUdisRAT, STD RAT, and Propionanilide RAT. Each one carries an embedded Discord bot token and uses a Discord bot account as its C2 channel, so the operator's commands and the implant's responses travel over Discord rather than over attacker-owned infrastructure. The report treats the four as one evolving family: the earlier samples are single, unpacked payloads, while the later Propionanilide RAT builds show the group experimenting with packers. The report does not describe per-variant lure or delivery themes beyond the names, so the names should not be read as evidence of specific targeting.

3. Under the Hood: C++ Implementation and ROT23 Cipher All four RATs are written in C++. To keep the Discord bot token out of plain view, the authors store it ROT23-encoded: each ASCII letter is shifted 23 positions forward in the alphabet (equivalently, 3 positions backward), while digits and punctuation pass through unchanged. This is obfuscation, not encryption. It defeats a naive grep for the well-known Discord token shape in the binary, but anyone who spots the routine can reverse it instantly, and a scanner that tries all 26 shifts recovers the token without the malware ever running. At runtime the RAT decodes the token, authenticates to Discord as that bot, and takes commands from its operator through the bot API. A practical consequence for responders: a recovered bot token identifies the attacker's C2 channel and can be reported to Discord for revocation, which cuts off every implant that shares it.
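The following scanner is an added example, not code from the ReversingLabs report or from the malware itself. It implements the ROT23 letter shift the commentary describes, then hunts through a constructed stand-in for a sample's string table by trying every Caesar shift on each printable string. Because a Caesar shift preserves the character class of a token, a shape check alone cannot tell the right shift from the other 25, so the example adds a semantic check: the first dot-separated segment of a Discord bot token is base64 of the bot's numeric user ID. The token format, the minimum segment lengths, and the sample strings are assumptions for the example; the token itself is fabricated.

```python
import base64
import re

# Assumed Discord bot token shape (not taken from the report): three
# base64url segments separated by dots. The first segment is base64 of the
# bot user's numeric snowflake ID, which gives us a check that a Caesar
# shift cannot fool.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{20,}")

# Fabricated token for the example: a fake 18-digit bot ID, base64-encoded,
# plus two made-up segments. Not a real credential.
FAKE_BOT_ID = "123456789012345678"
FAKE_TOKEN = (
    base64.b64encode(FAKE_BOT_ID.encode()).decode().rstrip("=")
    + ".Xabcde.aBcDeFgHiJkLmNoPqRsTuVwXyZ0"
)


def rotate(text: str, shift: int) -> str:
    """Caesar-rotate ASCII letters by `shift`; everything else passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot23_encode(token: str) -> str:
    """What the malware author does at build time: shift letters forward by 23."""
    return rotate(token, 23)


def rot23_decode(blob: str) -> str:
    """What the RAT does at runtime: shift by 3 (26 - 23) to undo the encoding."""
    return rotate(blob, 3)


def looks_like_bot_token(candidate: str) -> bool:
    """Shape check, then require the first segment to decode to a numeric snowflake."""
    if not TOKEN_RE.fullmatch(candidate):
        return False
    first = candidate.split(".")[0]
    padded = first + "=" * (-len(first) % 4)
    try:
        user_id = base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return user_id.isdigit() and 17 <= len(user_id) <= 20


def extract_strings(data: bytes, min_len: int = 8):
    """Minimal `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def hunt_rotated_tokens(data: bytes):
    """Try all 26 shifts on every string; return (decoding_shift, token) hits.

    Shift 0 catches plaintext tokens, shift 3 catches ROT23-encoded ones, and
    the loop also covers any other ROT-N variant a later build might switch to.
    """
    hits = []
    for s in extract_strings(data):
        for shift in range(26):
            for m in TOKEN_RE.finditer(rotate(s, shift)):
                if looks_like_bot_token(m.group()):
                    hits.append((shift, m.group()))
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a RAT's read-only data: filler strings around the encoded token."""
    parts = [
        b"DiscordRAT.exe",
        b"wss://gateway.discord.gg",
        rot23_encode(FAKE_TOKEN).encode(),
        b"cmd.exe /c ",
    ]
    return b"\x00".join(parts) + b"\x00"


if __name__ == "__main__":
    for shift, token in hunt_rotated_tokens(build_sample_blob()):
        print(f"decoding shift {shift}: {token}")
```

Run against a real sample, `build_sample_blob()` would be replaced by the bytes of the unpacked executable (for the packed Propionanilide builds, a memory dump taken after the unpacking stub has run). Reporting the decoding shift alongside the token is deliberate: a change in shift between samples is a cheap pivot for clustering new builds of the family.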

4. Propionanilide RAT’s Evolution and Experimentation with Packers Among the four variants, Propionanilide RAT is where the group's experimentation with packers shows up. Earlier members of the family were delivered as single, unpacked executables; the later Propionanilide RAT builds arrive packed, so the static strings (including the ROT23-encoded token) are not visible until the packer has restored the real payload in memory. The report summary does not identify the packer or describe its internals, so nothing more specific should be assumed about it. The practical point for defenders is that string- and import-based signatures written against the unpacked builds will miss the packed ones; detection for those needs either an unpacked or memory-dumped image, or behavioral signals such as a fresh process authenticating to Discord's bot API.

5. Indicators of Compromise and YARA Rules for Detection The ReversingLabs report provides file indicators for each RAT variant along with YARA rules for the family. Security teams can use the hashes to retro-hunt across endpoint telemetry and sample repositories, and the YARA rules to scan files, memory images, and new submissions. Two caveats apply. First, file hashes and static rules are most useful against the unpacked builds; for the packed Propionanilide RAT samples, scan memory or an unpacked dump rather than the file on disk. Second, traffic to Discord is legitimate in many environments, so Discord API connections alone are a weak signal; they become actionable when combined with the file indicators, with an unexpected process (not the Discord client or a browser) performing bot authentication, or with a recovered bot token. Revoking a recovered token through Discord's abuse channel disrupts every implant that shares it.

6. Conclusion This Discord-based RAT family shows a group iterating in the open: the same C++ code base, the same trivial ROT23 token obfuscation, and a gradual move toward packing in Propionanilide RAT. None of these techniques is novel, but together they are enough to slip past controls that rely on plain string matching or that treat Discord traffic as benign. Defenders should apply the report's file indicators and YARA rules, extend coverage to memory for the packed builds, and treat any recovered bot token as both an indicator and a takedown opportunity. Monitoring for unexpected processes talking to Discord's bot API, combined with periodic retro-hunting as new variants appear, is the durable control against this and similar families that hide C2 inside legitimate services.

