FatalRAT Targets Cryptocurrency Users

Cyble CRIL uncovered a phishing campaign that serves a trojanized Exodus installer whose execution chain uses DLL side-loading to deploy FatalRAT along with in-memory Clipper and Keylogger modules. The chain drops staged files under C:\ProgramData\MoCo and C:\ProgramData\Mo, loads shellcode-embedded “image” files to decrypt and execute payloads, and exfiltrates stolen data to attacker-controlled C2 infrastructure. #FatalRAT #Exodus

Keypoints

  • Phishing site impersonating the Exodus wallet distributes a malicious .msi installer that users are tricked into running.
  • The installer drops files into C:\ProgramData\MoCo and C:\ProgramData\Mo and launches a legitimate-sounding thelp.exe to start the chain.
  • Attackers use DLL side-loading (thelp.exe → XLFSIO.dll → mt.dll) to load loader modules and execute shellcode hidden in files named like Mi.jpg, BMi.jpg, and M.jpg.
  • Shellcode in those “image” files loads embedded DLLs in memory: FatalRAT (RAT), a Clipper (clipboard wallet replacement), and a standalone Keylogger.
  • Clipper monitors the Windows clipboard, matches BTC/ETH addresses with regexes, and replaces them with attacker-controlled wallet addresses before paste.
  • Keylogger component uses DLL sideloading (Trys.exe → ty.dll → M.jpg) to capture keystrokes, save them to %programdata%\sys.key, and send data to a hardcoded C2 domain.

MITRE Techniques

  • [T1566] Phishing – Campaign delivers a trojanized Exodus installer via a deceptive website (‘deceptive website meticulously designed to mimic legitimate cryptocurrency applications.’)
  • [T1204] User Execution – The attack requires victim interaction to run the downloaded installer (‘Once unsuspecting users are lured into downloading the software … they inadvertently install a Remote Access Trojan known as FatalRAT.’)
  • [T1036.008] Masquerading: Masquerade File Type – The installer and its components are disguised as legitimate Exodus files, and the shellcode/DLL payloads are stored under image-like names such as Mi.jpg, BMi.jpg, and M.jpg (‘software disguised as genuine Exodus installers from the phishing site’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – thelp.exe is used to sideload XLFSIO.dll, which loads mt.dll and subsequent loader components (‘thelp.exe utilizes DLL sideloading to load a malicious DLL file named “XLFSIO.dll,” which subsequently loads the loader module named “mt.dll”’)
  • [T1115] Clipboard Data – Clipper monitors and modifies clipboard contents using Win32 clipboard APIs to substitute crypto addresses (‘The malware continuously monitors clipboard activity by calling OpenClipboard() … and replaces it with a pre-defined malicious wallet address’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data (browser data, keystrokes) is transmitted to attacker C2 servers (‘any pilfered information is swiftly transmitted to the designated C&C server’)
  • [T1657] Financial Theft – Malware replaces legitimate crypto addresses with attacker-controlled addresses to redirect funds (‘If a cryptocurrency address is matched, the malware replaces it with a pre-defined malicious wallet address controlled by the Threat Actor.’)

Indicators of Compromise

  • [URL] Phishing site – hxxps://exodue[.]com (phishing site impersonating Exodus)
  • [Domain] C2 / hardcoded domains – 1-27.qq-weixin[.]org (C2 domain), 1-31.qq-weixin[.]org (sibling domain)
  • [IP] C2 IP – 38[.]181[.]70[.]178 (observed C2 infrastructure)
  • [SHA256] dropped/installer hashes – f80f8a725028bcc09639f7b1ff9439436d974f0bf92871048092eaec5d7458f0 (malicious installer), 8b0fde6e42ba17b0b475bb8dd54b8554cc6682d81b9e632f8890daa9ceefd48d (Mi.jpg / FatalRAT), and 13 more hashes
  • [File names] staged filenames used in chain – Mi.jpg (FatalRAT payload), BMi.jpg (Clipper payload), M.jpg (Keylogger payload), thelp.exe, Trys.exe

Running the trojanized .msi installer drops a multi-component payload under C:\ProgramData\MoCo and C:\ProgramData\Mo and immediately launches a legitimate-sounding thelp.exe, which is abused for DLL side-loading: thelp.exe loads XLFSIO.dll, which in turn loads mt.dll, and mt.dll then reads two files named Mi.jpg and BMi.jpg that are not images but contain shellcode plus embedded DLL blobs. The shellcode invokes an exported function (SignalChromeElf) to decrypt, map, and execute the embedded DLL entirely in memory, deploying FatalRAT as the main RAT payload.

The same loader pattern is used for the Clipper and Keylogger: BMi.jpg’s shellcode calls DllEntryPoint() to run an in-memory Clipper DLL that continuously polls the Windows clipboard through the Win32 clipboard APIs (OpenClipboard, GetClipboardData, SetClipboardData). On each read it applies targeted regexes (BTC: ^(1|3|bc1|tb1)[a-zA-Z0-9]{25,61}$, ETH: ^0x[a-fA-F0-9]{40}$) to the clipboard text and, on a match, writes an attacker-controlled address back, so the victim pastes the attacker’s wallet into the transaction field. Because both patterns are anchored, only a clipboard whose entire content is a wallet address is replaced.
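To make the Clipper's matching concrete, here is an added example (not the malware's code and not from the Cyble post) that models the substitution with the two regexes quoted above and pairs it with the defender-side check a clipboard monitor would run: flag a clipboard whose content changed from one wallet address to a different address of the same type without a new copy. The "attacker" wallets and the sample addresses are placeholders constructed for the example; they are not the addresses used in the campaign.

```python
import re
from typing import Optional

# Regexes as quoted from the write-up for the Clipper module.
BTC_RE = re.compile(r"^(1|3|bc1|tb1)[a-zA-Z0-9]{25,61}$")
ETH_RE = re.compile(r"^0x[a-fA-F0-9]{40}$")

# Placeholder "attacker" wallets, constructed for this example so they satisfy
# the regexes above; not the real campaign addresses.
ATTACKER_WALLETS = {
    "BTC": "1PLACEHOLDERATTACKERBTCADDR000000",
    "ETH": "0x" + "deadbeef" * 5,
}


def classify(text: str) -> Optional[str]:
    """Return 'BTC' or 'ETH' if the whole clipboard text is a wallet address, else None."""
    if BTC_RE.match(text):
        return "BTC"
    if ETH_RE.match(text):
        return "ETH"
    return None


def clipper_substitute(clipboard: str) -> str:
    """Model of the Clipper's GetClipboardData -> regex -> SetClipboardData step.

    Anything that is not a bare wallet address (a sentence containing one,
    a URL, a transaction ID) passes through untouched because the patterns are anchored.
    """
    kind = classify(clipboard)
    if kind is None:
        return clipboard
    return ATTACKER_WALLETS[kind]


def detect_swap(copied: str, pasted: str) -> bool:
    """Defender-side check for a clipboard monitor: the content the user copied and
    the content now on the clipboard are both wallet addresses of the same coin,
    but they differ, and the user has not copied anything since."""
    return (
        copied != pasted
        and classify(copied) is not None
        and classify(copied) == classify(pasted)
    )


# Constructed sample addresses (a well-known bech32 example and an arbitrary ETH hex string).
SAMPLE_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
SAMPLE_ETH = "0x" + "ab" * 20


if __name__ == "__main__":
    for copied in (SAMPLE_BTC, SAMPLE_ETH, "send 5 ETH to " + SAMPLE_ETH):
        pasted = clipper_substitute(copied)
        print(f"{copied!r} -> {pasted!r} swapped={detect_swap(copied, pasted)}")
```

The anchoring is the practical caveat for both sides: a user who copies an address embedded in a sentence is not affected by this particular Clipper, and a monitor that only compares whole-clipboard addresses will miss a future variant that uses unanchored patterns.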

Separately, Trys.exe uses DLL sideloading to load ty.dll, which executes M.jpg shellcode to deploy a standalone Keylogger module in memory. The keylogger performs anti-VM checks, captures keystrokes and system events, persists captured data to %programdata%\sys.key, and decodes a reversed hardcoded domain at runtime (e.g., 1-27.qq-weixin[.]org) to transmit exfiltrated data to C2 (observed IP 38[.]181[.]70[.]178). The chain intentionally displays the legitimate Exodus installer in the foreground as a diversion while the malicious components run hidden in memory.
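Storing the C2 domain reversed defeats a naive string search for the IOC, so a hunt over memory dumps or dropped files should look for the reversed form too. The following is an added example (not code from the post or the malware): it takes the defanged C2 domains from the IOC list above, generates the plain and reversed forms, and scans a byte buffer for them, reporting the offset and encoding of each hit. The UTF-16LE variants go beyond what the page describes and are included as an assumption about how a Windows sample might otherwise store the string; the sample blob is constructed for the example and is not a real memory image.

```python
from typing import Iterator, List, Tuple

# Defanged C2 domains from the IOC list.
KNOWN_C2 = ["1-27.qq-weixin[.]org", "1-31.qq-weixin[.]org"]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def decode_reversed_domain(stored: str) -> str:
    """Runtime decode step as described for the keylogger: the stored string is the domain reversed."""
    return stored[::-1]


def encodings(domain: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, needle) pairs to search for: plain and reversed ASCII, as the
    page describes, plus UTF-16LE of both (an assumption, not from the page)."""
    plain = refang(domain)
    reversed_form = plain[::-1]
    yield "ascii", plain.encode("ascii")
    yield "ascii-reversed", reversed_form.encode("ascii")
    yield "utf16le", plain.encode("utf-16-le")
    yield "utf16le-reversed", reversed_form.encode("utf-16-le")


def scan(blob: bytes, domains: List[str] = KNOWN_C2) -> List[Tuple[str, str, int]]:
    """Return (defanged domain, encoding label, offset) for every occurrence found in blob."""
    hits = []
    for domain in domains:
        for label, needle in encodings(domain):
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx == -1:
                    break
                hits.append((domain, label, idx))
                start = idx + 1
    return hits


# Constructed sample "memory dump": filler, then the reversed C2 string as the
# keylogger would store it, then more filler. Not a real capture.
SAMPLE_BLOB = b"\x00" * 16 + b"gro.nixiew-qq.72-1" + b"\x00" + b"padding" * 4


if __name__ == "__main__":
    for domain, label, offset in scan(SAMPLE_BLOB):
        print(f"{domain} found as {label} at offset {offset}")
```

A plain search for 1-27.qq-weixin.org over SAMPLE_BLOB finds nothing; the reversed needle finds it at offset 16, which is exactly the gap this check closes. The same generator can feed a YARA rule's strings section if you prefer to hunt at scale.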

Read more: https://cyble.com/blog/fatalrats-new-prey-cryptocurrency-users-in-the-crosshairs/