Insikt Group identified a new Delphi-based variant of the DRAT remote access trojan, named DRAT V2, used by the TAG-140 threat actor targeting Indian government organizations. This variant introduces enhanced command execution capabilities and updated C2 obfuscation techniques, reflecting TAG-140’s evolving tradecraft in espionage campaigns. #DRATV2 #TAG140 #BroaderAspect
Keypoints
- TAG-140 deployed DRAT V2, a Delphi-compiled RAT variant, improving its remote access and post-exploitation capabilities compared to the previous .NET-based DRAT.
- DRAT V2 supports arbitrary shell command execution, enhanced file system interaction, and updated Base64 obfuscation with prepended strings for C2 IP addresses.
- Initial access was achieved using a ClickFix-style social engineering lure via a cloned Indian Ministry of Defence press release portal hosting malicious scripts.
- The infection chain involves executing a remote script through mshta.exe that drops the BroaderAspect loader, establishing persistence and installing DRAT V2.
- TAG-140 uses a variety of RATs including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, ReverseRAT, and both DRAT variants, indicating a pattern of rotating malware use.
- DRAT V2 communicates using a custom TCP, server-initiated protocol with commands in both ASCII and Unicode; it lacks advanced anti-analysis mechanisms, making detection feasible through static and behavioral analysis.
- Detection and mitigation strategies include monitoring for specific registry run keys, unusual outbound TCP connections on uncommon ports, and use of custom YARA and Snort rules targeting DRAT and BroaderAspect.
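The Base64-with-prepended-string obfuscation noted above for C2 addresses can be undone in triage without knowing the prefix: try each cut point, accept only remainders that are well-formed Base64, and keep the first one that decodes to something shaped like an IPv4 address. The script below is an added example for analysts, not code from the Insikt Group report or from DRAT V2 itself; the prefix `CFG_` and the `ip:port` layout of the decoded value are assumptions, since the summary does not give the real ones, and the address used for the constructed sample is taken from the report's IoC list.

```python
import base64
import binascii
import re
from typing import Optional

# Dotted-quad IPv4 address with an optional ":port" suffix.
IPV4_PORT_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?::\d{1,5})?$"
)


def recover_c2(obfuscated: str, max_prefix: int = 64) -> Optional[str]:
    """Recover a C2 address hidden as <prepended string> + Base64(address).

    The prefix is unknown, so every cut point up to max_prefix characters is
    tried; the remainder is accepted only if it is well-formed Base64 and
    decodes to something shaped like an IPv4 address. Returns None when no
    cut point yields an address.
    """
    for offset in range(min(max_prefix, len(obfuscated)) + 1):
        candidate = obfuscated[offset:]
        if len(candidate) % 4:  # padded Base64 is always a multiple of 4 long
            continue
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if IPV4_PORT_RE.match(decoded):
            return decoded
    return None


# Constructed sample (assumption): the made-up prefix "CFG_" prepended to the
# Base64 form of a C2 endpoint from the report's IoC list. The real prefix and
# the exact layout of DRAT V2's decoded value are not given in the summary.
SAMPLE_CONFIG = "CFG_" + base64.b64encode(b"185.117.90.212:7771").decode("ascii")

if __name__ == "__main__":
    print(recover_c2(SAMPLE_CONFIG))  # 185.117.90.212:7771
```

Because `validate=True` rejects any non-alphabet character, a cut that still includes part of the prefix fails fast, and the length check discards cuts that cannot be padded Base64; the regex then rules out the rare misaligned decode that happens to be printable ASCII.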
MITRE Techniques
- [T1204] User Execution – Initial access was obtained through social engineering prompting users to execute malicious scripts via mshta.exe (‘ClickFix-style social engineering lure’).
- [T1053] Scheduled Task/Job – Persistence established through a registry run key added by a batch file to auto-start DRAT V2 (‘Registry modification HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’).
- [T1105] Ingress Tool Transfer – DRAT V2 payload downloaded and decompressed from TAG-140 controlled infrastructure (‘Downloads and decompresses the DRAT V2 payload’).
- [T1071] Application Layer Protocol – DRAT V2 uses a custom TCP server-initiated command and control protocol for communication (‘Custom server-initiated TCP protocol’).
- [T1059] Command and Scripting Interpreter – DRAT V2 executes arbitrary shell commands on infected hosts (‘exec_this_comm command for arbitrary shell command execution’).
- [T1041] Exfiltration Over C2 Channel – DRAT V2 supports file upload and download commands enabling data exfiltration and additional payload delivery (‘file_upl and fil_down_confirmina commands’).
Indicators of Compromise
- [File Hash] DRAT V2 samples – ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802, 0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316, and 2 more hashes.
- [File Hash] Original DRAT samples – 830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d, c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60.
- [Domain] Malicious infrastructure used in campaign – email[.]gov[.]in[.]drdosurvey[.]info (cloned Ministry of Defence portal), trade4wealth[.]in (hosting malware payloads and scripts).
- [IP Address and Port] DRAT V2 C2 servers – 185[.]117[.]90[.]212:7771, 154[.]38[.]175[.]83:3232, 178[.]18[.]248[.]36:6372.
- [IP Address and Port] Original DRAT C2 – 38[.]242[.]149[.]89:61101.
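As an added example (not code from the report or from Recorded Future's detection content), the script below applies two of the detection strategies listed in the key points to connection log lines: it matches destination IP:port pairs against the C2 endpoints in the IoC list above, and it flags outbound TCP to public addresses on ports outside a routine set. The key=value log format, host names, timestamps and internal addresses are constructed, and the routine-port allowlist is an assumption an analyst would tune to their environment.

```python
import ipaddress
import re
from typing import Dict, List, Tuple


def refang(value: str) -> str:
    """Convert the report's defanged notation (185[.]117[.]90[.]212) to a plain address."""
    return value.replace("[.]", ".")


# C2 endpoints from the Indicators of Compromise list above, keyed as (ip, port).
C2_ENDPOINTS = {
    (refang("185[.]117[.]90[.]212"), 7771),
    (refang("154[.]38[.]175[.]83"), 3232),
    (refang("178[.]18[.]248[.]36"), 6372),
    (refang("38[.]242[.]149[.]89"), 61101),  # original DRAT C2
}

# Assumption: destination ports treated as routine for outbound traffic. Any other
# port to a public address is reported as "uncommon_port" for analyst review.
ROUTINE_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse a key=value connection log line (constructed format) into a dict."""
    return dict(KV_RE.findall(line))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event should be surfaced, or [] if it is benign."""
    reasons: List[str] = []
    if event.get("proto") != "tcp" or "dst" not in event or "dport" not in event:
        return reasons
    try:
        dport = int(event["dport"])
        dst_ip = ipaddress.ip_address(event["dst"])
    except ValueError:
        return reasons
    if (event["dst"], dport) in C2_ENDPOINTS:
        reasons.append("c2_match")
    if dst_ip.is_global and dport not in ROUTINE_PORTS:
        reasons.append("uncommon_port")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, int, List[str]]]:
    """Run classify() over log lines; return (host, dst, dport, reasons) per hit."""
    findings = []
    for line in lines:
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            findings.append((event.get("host", "?"), event["dst"], int(event["dport"]), reasons))
    return findings


# Constructed sample log lines; hosts, timestamps and internal addresses are made up.
SAMPLE_LOG = [
    "ts=2025-06-01T09:12:03Z host=WS-17 proto=tcp src=10.10.4.23 dst=185.117.90.212 dport=7771",
    "ts=2025-06-01T09:12:05Z host=WS-17 proto=tcp src=10.10.4.23 dst=8.8.8.8 dport=53",
    "ts=2025-06-01T09:13:40Z host=WS-17 proto=udp src=10.10.4.23 dst=10.10.1.5 dport=161",
    "ts=2025-06-01T09:14:11Z host=WS-22 proto=tcp src=10.10.4.40 dst=10.10.1.9 dport=3232",
    "ts=2025-06-01T09:15:00Z host=WS-22 proto=tcp src=10.10.4.40 dst=178.18.248.36 dport=6372",
]

if __name__ == "__main__":
    for host, dst, dport, reasons in triage(SAMPLE_LOG):
        print(f"{host}: {dst}:{dport} -> {', '.join(reasons)}")
```

The exact-match rule is high confidence but brittle once TAG-140 rotates infrastructure; the uncommon-port rule is the broader net the key points describe, and it intentionally ignores internal destinations so that a host talking to an internal service on port 3232 is not confused with the listed C2.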
Read more: https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal