DuplexSpy RAT is a multifunctional remote access trojan with advanced capabilities including surveillance, persistence, and stealth through fileless execution and privilege escalation. Despite being released for educational purposes, its modular design and open-source availability pose significant risks of malicious exploitation. #DuplexSpyRAT #ISSAC #WindowsUpdate
Keypoints
- DuplexSpy RAT establishes persistence by copying itself to the startup folder and creating registry entries mimicking legitimate Windows processes.
- It features comprehensive surveillance tools such as keylogging, screen capture, webcam streaming, and audio spying with real-time exfiltration capabilities.
- The RAT utilizes sophisticated stealth techniques including fileless execution, DLL injection, encrypted communications, and anti-analysis with fake error messages.
- Privilege escalation is achieved through UAC prompt bypass and process manipulation, aiding persistent and undetected control over infected systems.
- A GUI builder enables easy customization of malware components, lowering the barrier for less technical threat actors to deploy the RAT.
- Active anti-forensic measures include terminating security processes, self-deletion after loading in memory, and masking through process and registry manipulation.
- The malware supports interactive features such as live command shell access, chat communication, mouse control, and fake lock screens to coerce victims.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Used for system management and executing commands within the victim environment.
- [T1056] Input Simulation – Implements keylogging and microphone tapping to capture user inputs and audio ("...captures keystrokes and audio buffers...").
- [T1056.004] Input Injection (Synthetic Keystrokes) – Intercepts and forwards synthetic keystrokes using hooks.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes remote shell commands on the victim system.
- [T1106] Native API – Utilizes Windows native APIs for process control and DLL injection.
- [T1129] Shared Modules – Loads and injects DLLs dynamically for in-memory payload execution.
- [T1055.001] Dynamic-Link Library Injection – Employs DLL injection techniques to run malicious code stealthily.
- [T1548.002] Bypass User Account Control – Elevates privileges by triggering UAC prompts programmatically.
- [T1574.002] DLL Side-Loading – Loads malicious DLLs through legitimate processes to evade detection.
- [T1027] Obfuscated Files or Information – Uses compilation after delivery and packing to evade static analysis.
- [T1497] Virtualization/Sandbox Evasion – Detects analysis tools and terminates them, displaying spoofed error messages.
- [T1562.001] Disable or Modify Tools – Continuously terminates security processes to avoid detection.
- [T1562.006] Spoof Error Messages – Displays fake corrupted DLL error dialogs to mislead users.
- [T1564] Hide Artifacts – Loads payloads directly into memory and self-deletes original files to reduce forensic traces.
- [T1620] Reflective Code Loading – Executes assemblies in memory without touching the disk.
- [T1010] Application Window Discovery – Identifies active windows to capture context in keylogging.
- [T1033] System Owner/User Discovery, [T1049] System Network Connections Discovery – Collects system and network information for unique identification and reconnaissance.
- [T1057] Process Discovery, [T1082] System Information Discovery – Discovers running processes and system data for operational control.
- [T1083] File and Directory Discovery – Enumerates system files and folders.
- [T1087] Account Discovery – Gathers account information on the system.
- [T1120] Peripheral Device Discovery – Checks webcam and monitor devices for surveillance purposes.
- [T1518.001] Security Software Discovery – Detects and neutralizes antivirus and monitoring software.
- [T1113] Screen Capture – Takes and sends screenshots of the victim's desktop.
- [T1123] Audio Capture – Records system audio and microphone input.
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses AES and RSA encryption for secure data transmission.
- [T1107] File Deletion – Removes malware traces post-execution.
- [T1490] Inhibit System Recovery / Audio Device Manipulation – Executes commands to disrupt system availability.
- [T1529] System Shutdown/Reboot – Performs system power control operations remotely.
Indicators of Compromise
- [File Hashes] Malware executable identifiers – 2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721 (DuplexSpyCS.exe), ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a (client.exe)
- [File Names] Startup persistence files – "Windows Update.exe" copied in the user Startup folder and the AppData Roaming directory
- [Registry Keys] Persistence entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named "windows update" pointing to the malware executable
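As an added defender-side example (not code from the page or from the RAT's source), the check below parses a constructed `.reg` export of the Run key and matches file names and SHA-256 hashes against the indicators listed above. The sample registry lines, the `USER_WRITABLE_DIRS` heuristic and the function names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the page: sample hashes, persistence file name, Run value name.
KNOWN_SHA256 = {
    "2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721": "DuplexSpyCS.exe",
    "ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a": "client.exe",
}
RUN_VALUE_NAME = "windows update"
PERSISTENCE_FILE = "windows update.exe"
# Assumed heuristic: a Run target living in these user-writable locations is worth a look.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\programs\\startup\\")

_REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg exports escape double quotes and backslashes with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_run_values(reg_text):
    """Return {value_name: data} for every "name"="data" line of a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def assess_run_value(name, data):
    """Reasons a Run value resembles DuplexSpy persistence; an empty list means clean."""
    reasons = []
    if name.strip().lower() == RUN_VALUE_NAME:
        reasons.append("value name mimics Windows Update")
    data = data.strip()
    # A quoted target may carry arguments after the closing quote; keep only the executable.
    exe = data[1:data.index('"', 1)] if data.startswith('"') else data
    low = exe.lower()
    if PureWindowsPath(low).name == PERSISTENCE_FILE:
        reasons.append("target file name matches persistence IoC")
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("target in user-writable directory")
    return reasons

def assess_file(path, sha256_hex):
    """Match a file on disk (path plus precomputed SHA-256) against the page's indicators."""
    reasons = []
    if sha256_hex.lower() in KNOWN_SHA256:
        reasons.append("sha256 matches known sample " + KNOWN_SHA256[sha256_hex.lower()])
    if PureWindowsPath(path).name.lower() == PERSISTENCE_FILE:
        reasons.append("file name matches persistence IoC")
    return reasons

# Constructed sample export: one benign autostart entry and one matching the page's IoCs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"windows update"="C:\\Users\\alice\\AppData\\Roaming\\Windows Update.exe"
'''

def scan_sample():
    return {n: assess_run_value(n, d) for n, d in parse_reg_run_values(SAMPLE_REG).items()}

if __name__ == "__main__":
    for name, reasons in scan_sample().items():
        print(name, "->", reasons or "clean")
```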