EdskManager RAT: Multi-Stage Malware with HVNC and Evasion Capabilities

EdskManager RAT is a sophisticated remote access trojan that employs multi-stage infection, encrypted configuration files, and HVNC for stealthy remote control. It uses cloud-hosted malware components, dynamic C2 infrastructure, and advanced anti-analysis techniques to maintain persistence and evade detection. #EdskManagerRAT #HVNC #AmazonS3 #u_arpuu_com #kimhate_com

Keypoints

  • EdskManager RAT uses a multi-stage infection process starting with a downloader disguised as legitimate software.
  • The malware stores critical configuration data in an encrypted .edskv file decrypted in memory during execution.
  • It communicates with its command-and-control servers using zlib-compressed messages over the socket API and supports dynamic fallback domains.
  • It uses Hidden Virtual Network Computing (HVNC) for stealthy remote control with no visible activity on the victim's screen.
  • Persistence is established through scheduled tasks, autorun registry entries, and startup shortcuts.
  • The malware performs system reconnaissance including browser extension enumeration and collects detailed host information.
  • It implements multiple anti-analysis techniques, such as memory obfuscation, API hooking, and debugger evasion.

MITRE Techniques

  • [T1566] Phishing – Implied as initial access vector through deceptive downloader disguised as legitimate software.
  • [T1189] Drive-by Compromise – Suggested as a method for delivering the initial downloader.
  • [T1204] User Execution – The downloader relies on user interaction to execute the initial payload.
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence via autorun registry entries for malware execution at startup.
  • [T1053.005] Scheduled Task – Persistence ensured by creating scheduled tasks that execute malware components.
  • [T1622] Debugger Evasion – Use of anti-debugging techniques to avoid analysis (“…anti-analysis… memory-to-memory operations…”).
  • [T1140] Deobfuscate/Decode Files or Information – Decrypts encrypted .edskv file contents in memory to obtain configurations.
  • [T1564.003] Hidden Window – Creates multiple hidden windows to support stealth and remote control (HVNC functionality).
  • [T1027.013] Encrypted/Encoded File – Uses encrypted .edskv files for storing configuration and critical data.
  • [T1497] Virtualization/Sandbox Evasion – Uses memory obfuscation and runtime tactics to hinder sandbox detection.
  • [T1082] System Information Discovery – Gathers detailed information about the host environment and installed software.
  • [T1087.001] Local Account Discovery – Collects user and group information from the infected system.
  • [T1010] Application Window Discovery – Detects and enumerates browser extensions and application windows.
  • [T1217] Browser Information Discovery – Enumerates installed browser extensions on Chrome, Brave, and Edge.
  • [T1007] System Service Discovery – Collects data related to system services to assist reconnaissance.
  • [T1124] System Time Discovery – Likely used to maintain timing and avoid detection during execution.
  • [T1673] Virtual Machine Discovery – Attempts to detect virtual environments for evasion.
  • [T1115] Clipboard Data – Capability to monitor and capture clipboard contents.
  • [T1005] Data from Local System – Collects local system data for exfiltration.
  • [T1056] Input Capture – Includes keylogging functionality to capture user inputs silently.
  • [T1113] Screen Capture – Ability to capture screenshots of the victim’s desktop.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration is done via encrypted communication with C2 servers.
  • [T1001] Data Obfuscation – Uses compression and encryption to obscure communication content sent to C2.

Indicators of Compromise

  • [File] Initial downloader and malware components – WindowsFormsApp.exe (SHA-256: 85bae6fe73a9e2bf0819a6f60adfc458392a7a56de23f10d3bdddb8e3a97a8ec), commonbase.dll, LogManager.dll, VideoManagerEntry.edskv.
  • [Domain] Command and control servers – u[.]arpuu[.]com (previously resolved to 56[.]155[.]36[.]99), kimhate[.]com:1516 (potential C2, no observed communication).
  • [URL] Malware hosting location – videomanagerentry[.]s3[.]ap-northeast-1[.]amazonaws[.]com (Amazon S3 storage for downloading payload files).
  • [Registry Key] Persistence mechanism – Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoManagerEntry.
  • [Scheduled Task] Persistence mechanism – Task named “VideoManagerEntry” created to maintain persistence.
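As an added example (not code from the Cyfirma report), a small Python hunt that refangs the indicators listed above and flags them in collected host and network telemetry; the log lines, hostnames, paths and timestamps are constructed for the demo.

```python
import re

# EdskManager RAT indicators as listed in this report, in defanged form.
DEFANGED_IOCS = {
    "sha256": ["85bae6fe73a9e2bf0819a6f60adfc458392a7a56de23f10d3bdddb8e3a97a8ec"],
    "domain": ["u[.]arpuu[.]com", "kimhate[.]com",
               "videomanagerentry[.]s3[.]ap-northeast-1[.]amazonaws[.]com"],
    "ip": ["56[.]155[.]36[.]99"],
    "filename": ["WindowsFormsApp.exe", "commonbase.dll", "LogManager.dll",
                 "VideoManagerEntry.edskv"],
    # The Run-key value and the scheduled task both carry this name.
    "persistence": ["VideoManagerEntry"],
}

def refang(value):
    """Restore a defanged indicator ("u[.]arpuu[.]com") to its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

IOCS = {kind: [refang(v) for v in vals] for kind, vals in DEFANGED_IOCS.items()}

def scan(records):
    """Return (source, kind, indicator) for each telemetry line holding an IOC.
    Case-insensitive and bounded, so 'u.arpuu.com' does not fire on
    'xu.arpuu.com' and the task name does not fire on the .edskv file name."""
    hits = []
    for source, line in records:
        low = line.lower()
        for kind, values in IOCS.items():
            for ioc in values:
                pat = r"(?<![\w.-])" + re.escape(ioc.lower()) + r"(?![\w.-])"
                if re.search(pat, low):
                    hits.append((source, kind, ioc))
    return hits

# Constructed telemetry lines for the demo; hosts, paths and times are made up.
SAMPLE_RECORDS = [
    ("dns", "2024-05-01T10:02:11Z host7 A u.arpuu.com -> 56.155.36.99"),
    ("dns", "2024-05-01T10:02:15Z host7 A videomanagerentry.s3.ap-northeast-1.amazonaws.com"),
    ("autoruns", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoManagerEntry"
                 r" C:\Users\u\AppData\Roaming\VideoManagerEntry\WindowsFormsApp.exe"),
    ("schtasks", r"TaskName: \VideoManagerEntry Status: Ready"),
    ("filehash", r"C:\Users\u\AppData\Roaming\WindowsFormsApp.exe"
                 " 85bae6fe73a9e2bf0819a6f60adfc458392a7a56de23f10d3bdddb8e3a97a8ec"),
    ("dns", "2024-05-01T10:05:00Z host8 A www.example.com"),  # benign, no hit
]

if __name__ == "__main__":
    for source, kind, ioc in scan(SAMPLE_RECORDS):
        print(f"[{source}] {kind}: {ioc}")
```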


Read more: https://www.cyfirma.com/research/edskmanager-rat-multi-stage-malware-with-hvnc-and-evasion-capabilities/