DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance

DuplexSpy RAT is a multifunctional remote access trojan with advanced capabilities including surveillance, persistence, and stealth through fileless execution and privilege escalation. Despite being released for educational purposes, its modular design and open-source availability pose significant risks of malicious exploitation. #DuplexSpyRAT #ISSAC #WindowsUpdate

Keypoints

  • DuplexSpy RAT establishes persistence by copying itself to the startup folder and creating registry entries mimicking legitimate Windows processes.
  • It features comprehensive surveillance tools such as keylogging, screen capture, webcam streaming, and audio spying with real-time exfiltration capabilities.
  • The RAT utilizes sophisticated stealth techniques including fileless execution, DLL injection, encrypted communications, and anti-analysis with fake error messages.
  • Privilege escalation is achieved through UAC prompt bypass and process manipulation, aiding persistent and undetected control over infected systems.
  • A GUI builder enables easy customization of malware components, lowering the barrier for less technical threat actors to deploy the RAT.
  • Active anti-forensic measures include terminating security processes, self-deletion after loading in memory, and masking through process and registry manipulation.
  • The malware supports interactive features such as live command shell access, chat communication, mouse control, and fake lock screens to coerce victims.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Used for system management and executing commands within the victim environment.
  • [T1056] Input Simulation – Implements keylogging and microphone tapping to capture user inputs and audio (“…captures keystrokes and audio buffers…”).
  • [T1056.004] Input Injection (Synthetic Keystrokes) – Intercepts and forwards synthetic keystrokes using hooks.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes remote shell commands on the victim system.
  • [T1106] Native API – Utilizes Windows native APIs for process control and DLL injection.
  • [T1129] Shared Modules – Loads and injects DLLs dynamically for in-memory payload execution.
  • [T1055.001] Dynamic-Link Library Injection – Employs DLL injection techniques to run malicious code stealthily.
  • [T1548.002] Bypass User Account Control – Elevates privileges by triggering UAC prompts programmatically.
  • [T1574.002] DLL Side-Loading – Loads malicious DLLs through legitimate processes to evade detection.
  • [T1027] Obfuscated Files or Information – Uses compilation after delivery and packing to evade static analysis.
  • [T1497] Virtualization/Sandbox Evasion – Detects analysis tools and terminates them, displaying spoofed error messages.
  • [T1562.001] Disable or Modify Tools – Continuously terminates security processes to avoid detection.
  • [T1562.006] Spoof Error Messages – Displays fake corrupted DLL error dialogs to mislead users.
  • [T1564] Hide Artifacts – Loads payloads directly into memory and self-deletes original files to reduce forensic traces.
  • [T1620] Reflective Code Loading – Executes assemblies in memory without touching the disk.
  • [T1010] Application Window Discovery – Identifies active windows to capture context in keylogging.
  • [T1033] System Owner/User Discovery, [T1049] System Network Connections Discovery – Collects system and network information for unique identification and reconnaissance.
  • [T1057] Process Discovery, [T1082] System Information Discovery – Discovers running processes and system data for operational control.
  • [T1083] File and Directory Discovery – Enumerates system files and folders.
  • [T1087] Account Discovery – Gathers account information on the system.
  • [T1120] Peripheral Device Discovery – Checks webcam and monitor devices for surveillance purposes.
  • [T1518.001] Security Software Discovery – Detects and neutralizes antivirus and monitoring software.
  • [T1113] Screen Capture – Takes and sends screenshots of victim’s desktop.
  • [T1123] Audio Capture – Records system audio and microphone input.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses AES and RSA encryption for secure data transmission.
  • [T1107] File Deletion – Removes malware traces post-execution.
  • [T1490] Inhibit System Recovery / Audio Device Manipulation – Executes commands to disrupt system availability.
  • [T1529] System Shutdown/Reboot – Performs system power control operations remotely.

Indicators of Compromise

  • [File Hashes] Malware executable identifiers – 2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721 (DuplexSpyCS.exe), ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a (client.exe)
  • [File Names] Startup persistence files – “Windows Update.exe” copied in user Startup folder and AppData Roaming directory
  • [Registry Keys] Persistence entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named “windows update” pointing to malware executable
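As an added example (not code from the page or from CYFIRMA), the Python below turns the persistence keypoint and the IoCs listed above into a small host-triage check: it parses `reg query` output for a Run value named “windows update” under the HKCU Run key, flags a `Windows Update.exe` sitting in a Startup folder or under `AppData\Roaming`, and matches file hashes against the two published SHA-256 values. The registry output, file paths and second hash are constructed sample data, not artefacts from a real host.

```python
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators quoted from the page: SHA-256 hashes, persistence file name, Run-key value name.
DUPLEXSPY_SHA256 = {
    "2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721": "DuplexSpyCS.exe",
    "ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a": "client.exe",
}
PERSISTENCE_FILE = "windows update.exe"   # compared case-insensitively
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windows update"

# One value line of `reg query <key>` output: name, type and data separated by runs of spaces.
_REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


@dataclass(frozen=True)
class Finding:
    indicator: str   # which IoC matched
    evidence: str    # the matching path, value or hash


def parse_reg_query(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse `reg query` output into {key_path: [(value_name, data), ...]}."""
    keys: dict[str, list[tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # un-indented line is a key path
            current = line.strip()
            keys.setdefault(current, [])
            continue
        m = _REG_LINE.match(line)
        if m and current is not None:
            keys[current].append((m["name"], m["data"]))
    return keys


def check_run_keys(reg_text: str) -> list[Finding]:
    """Flag a Run value named 'windows update' (any case) under the HKCU Run key."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values:
            if name.strip().lower() == RUN_VALUE:
                findings.append(Finding("registry Run value", f"{name} -> {data}"))
    return findings


def check_startup_files(paths: list[str]) -> list[Finding]:
    """Flag 'Windows Update.exe' located in a Startup folder or directly under AppData\\Roaming."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent).lower()
        suspect_dir = parent.endswith(r"\startup") or parent.endswith(r"\appdata\roaming")
        if wp.name.lower() == PERSISTENCE_FILE and suspect_dir:
            findings.append(Finding("persistence file", p))
    return findings


def check_hashes(digests: dict[str, str]) -> list[Finding]:
    """Match {path: sha256_hex} against the two published DuplexSpy hashes."""
    return [Finding("SHA-256 " + DUPLEXSPY_SHA256[h.lower()], path)
            for path, h in digests.items() if h.lower() in DUPLEXSPY_SHA256]


def sha256_of_file(path: str) -> str:
    """For live use: hash a file on disk in chunks, then feed the result to check_hashes()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample input (not from the page or from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    windows update    REG_SZ    C:\Users\alice\AppData\Roaming\Windows Update.exe
"""
SAMPLE_STARTUP = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk",
    r"C:\Users\alice\Downloads\Windows Update.exe",   # wrong directory: name alone is not enough
]
SAMPLE_HASHES = {
    r"C:\Users\alice\AppData\Roaming\Windows Update.exe":
        "AB036CC442800D2D71A3BAA9F2D6B27E3813B9F740D7C3E7635B84E3E7A8D66A",
    r"C:\Windows\System32\notepad.exe": "0" * 64,   # placeholder digest, not a real hash
}


def hunt() -> list[Finding]:
    """Run all three checks over the sample data; returns three findings."""
    return (check_run_keys(SAMPLE_REG_QUERY)
            + check_startup_files(SAMPLE_STARTUP)
            + check_hashes(SAMPLE_HASHES))


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.indicator}] {f.evidence}")
```

Windows Update itself runs as a service and does not register a per-user Run value, so a Run entry carrying that name is worth a look on its own; the hash match is the strongest signal but fails on rebuilt samples, which is why the builder-independent persistence names are checked as well.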


Read more: https://www.cyfirma.com/research/duplexspy-rat-stealthy-windows-malware-enabling-full-remote-control-and-surveillance/