Keypoints
- ApolloRAT is a Python-based RAT that uses Discord as its Command-and-Control (C2) server.
- Threat actors are marketing and selling ApolloRAT for about $15 on Telegram and on their own website.
- Researchers observed the payload being compiled with Nuitka to create a standalone executable and hinder reverse engineering.
- The RAT provides a broad set of capabilities, including VM detection, AV/firewall disabling, system commands, password collection, screenshot capture, and file transfer.
- The toolkit includes “prank” and evasive features (e.g., speak, bluescreen, rickroll, fake PDF) to complicate analysis or mislead victims.
- Functionality centers on Discord-based C2 communication, with commands such as >detectVM, >ip, >screenshot, >passwords, >startup, and >SELFDESTRUCT.
- Defensive recommendations focus on avoiding pirated software, strong authentication, updated passwords, anti-malware protection, and monitoring beacon/data exfiltration.
MITRE Techniques
- [T1071.001] Web Protocols – Use of Discord as C2 server for command-and-control communication. Quote: ‘The RAT uses Discord as its Command and Control (C&C) Server.’
- [T1027] Obfuscated Files or Information – Compiling the Python payload with Nuitka to produce a standalone executable, which increases file size and hinders reverse engineering. Quote: ‘Nuitka… has the edge over them in terms of the compiled file size created and complexity to reverse engineer.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling antivirus and firewall functions (AV disable, Firewall disable, etc.). Quote: ‘AV disable… Firewall disable’
- [T1497] Virtualization/Sandbox Evasion – VM detection to determine if running in a virtual environment. Quote: ‘The >detectVM command can be used to check if the RAT is executing in a virtual environment.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence by adding the RAT to startup. Quote: ‘>startup = Add RAT to startup’
- [T1059] Command and Scripting Interpreter – Execution of shell commands via >shell, e.g., >shell start chrome.exe. Quote: ‘>shell = Execute shell command e.g: >shell start chrome.exe’
- [T1113] Screen Capture – Takes a screenshot via the ‘screenshot’ command. Quote: ‘screenshot = Takes a screenshot’
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Collecting passwords saved in the victim’s browsers. Quote: ‘passwords = Get user’s saved passwords’
- [T1016] System Network Configuration Discovery – Discovering the victim’s IP address with the >ip command. Quote: ‘TAs can identify their victim’s IP addresses.’
- [T1105] Ingress Tool Transfer – Transfer files to/from the victim (upload). Quote: ‘>upload = Upload file to victim’s e.g: >upload filename.exe <WITH ATTACHMENT>’
- [T1070.004] Indicator Removal: File Deletion – Self-destruct capability that deletes the RAT and associated artifacts to erase traces. Quote: ‘SELFDESTRUCT = selfdestructs, deletes everything associeted’
Indicators of Compromise
- [MD5] Malicious Binary – 1db4f566417ef2dec8218ee0b0fbf682, f3e758da9d01cd0dfb433478e5eba178
- [SHA-1] Malicious Binary – 069eece6f2209672aef8600f15df4bd7ce216a67, a9751413af2ec02b01359c9722d782b5c3af31d3
- [SHA-256] Malicious Binary – e3b6e58f1427d380648f914d32cb69360d93de33c59e01d8f0fa448113e7679 (only 63 hex characters as published, so this value is truncated; verify against the source before use), 0a508f7722b0df4c8291a7cf0469ca7917ea284bfa8a2e84a3550a85d0628320
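The following hunt script is an added example, not code from the page or from Cyble, covering two points above: the recommendation to monitor for beaconing and data exfiltration, and the published hashes. It scans Sysmon-style events (ProcessCreate, NetworkConnect and DnsQuery) for Discord API, gateway or CDN contact from any process not on an allowlist of binaries expected to talk to Discord, and for executions whose hash matches an IoC. The Sysmon field names are the standard ones; the allowlist, the sample telemetry and the assumption that events arrive as Python dicts are mine. The truncated SHA-256 from the IoC list is deliberately left out rather than guessed.

```python
"""Hunt for Discord-based C2 beaconing and known ApolloRAT samples in
Sysmon-style telemetry.

Added example, not code from the original page or from Cyble.  Assumes
telemetry has been normalised into dicts carrying the Sysmon field names
for Event ID 1 (ProcessCreate), 3 (NetworkConnect) and 22 (DnsQuery).
The sample events at the bottom are constructed for illustration.
"""

import re

# Hashes taken from the page's IoC list.  The page's first SHA-256 value is
# only 63 hex characters (truncated at source), so it is omitted, not guessed.
KNOWN_MD5 = {
    "1db4f566417ef2dec8218ee0b0fbf682",
    "f3e758da9d01cd0dfb433478e5eba178",
}
KNOWN_SHA1 = {
    "069eece6f2209672aef8600f15df4bd7ce216a67",
    "a9751413af2ec02b01359c9722d782b5c3af31d3",
}
KNOWN_SHA256 = {
    "0a508f7722b0df4c8291a7cf0469ca7917ea284bfa8a2e84a3550a85d0628320",
}

# Discord API / gateway / CDN domains; matches the apex or any subdomain.
DISCORD_DOMAIN = re.compile(
    r"(?:^|\.)(?:discord\.com|discordapp\.com|discord\.gg)$", re.IGNORECASE
)

# Assumption: binaries from which Discord traffic is expected on this estate.
# Tune per environment.  A RAT can masquerade under one of these names, so
# this is a noise filter, not a trust decision.
EXPECTED_IMAGES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def image_name(ev):
    """Basename of the Sysmon Image field, lower-cased."""
    return ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sysmon_hashes(field):
    """Parse 'MD5=..,SHA256=..,IMPHASH=..' into {ALGO: lowercase-hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_process_event(ev):
    """Event ID 1: flag a process whose hash matches a published IoC."""
    h = parse_sysmon_hashes(ev.get("Hashes", ""))
    if (h.get("MD5") in KNOWN_MD5 or h.get("SHA1") in KNOWN_SHA1
            or h.get("SHA256") in KNOWN_SHA256):
        return f"known ApolloRAT sample executed: {ev.get('Image')}"
    return None


def check_discord_contact(ev, host):
    """Event ID 3 / 22: flag Discord contact from an unexpected image."""
    if host and DISCORD_DOMAIN.search(host) and image_name(ev) not in EXPECTED_IMAGES:
        return f"possible Discord C2 beacon: {ev.get('Image')} -> {host}"
    return None


def hunt(events):
    """Return a list of finding strings for the given Sysmon-style events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            finding = check_process_event(ev)
        elif eid == 3:
            finding = check_discord_contact(ev, ev.get("DestinationHostname", ""))
        elif eid == 22:
            # DNS queries catch beacons even when Sysmon has no reverse name
            # for the destination IP in the NetworkConnect event.
            finding = check_discord_contact(ev, ev.get("QueryName", ""))
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\setup.exe",
     "Hashes": "MD5=1DB4F566417EF2DEC8218EE0B0FBF682,"
               "SHA256=0A508F7722B0DF4C8291A7CF0469CA7917EA284BFA8A2E84A3550A85D0628320"},
    {"EventID": 22, "Image": r"C:\Users\victim\Downloads\setup.exe",
     "QueryName": "gateway.discord.gg"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Temp\onefile_4242\setup.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "DestinationHostname": "gateway.discord.gg", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "cdn.discordapp.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Running it against the constructed events yields three findings: the hash match on setup.exe, its DNS query for gateway.discord.gg, and the HTTPS connection to discord.com from the Temp copy, while the legitimate Discord client and Chrome traffic stay quiet. Discord traffic is TLS to legitimate infrastructure, so the signal is the process making the request, not the destination; pair this with the page's other recommendations rather than blocking Discord wholesale.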
Read more: https://blog.cyble.com/2022/07/14/apollorat-evasive-malware-compiled-using-nuitka/