CyFirma examines Silver RAT, a Windows-based tool built to bypass AV, log keystrokes, encrypt data, destroy restore points, and run hidden processes. It traces the developer ecosystem around Anonymous Arabic, including Telegram channels and underground forums, and notes plans for Android payloads in future versions. #SilverRAT #S500RAT #AnonymousArabic #TurkhackTeam #Damascus #SyrianRoots
Keypoints
- Silver RAT v1.0 (C# Windows RAT) includes AV bypass, keylogger, UAC bypass, data encryption, and the ability to erase system restore points.
- The project is moving toward cross-platform support: S500 RAT is already offered, and future Windows and Android payloads have been announced.
- The developer/actor behind Silver RAT operates across forums and Telegram, distributing cracked RATs, leaked data, and social-media bots; activity includes posts on XSS, Darkforum, TurkHackTeam, and more.
- The Silver RAT builder offers configurable options (payload up to ~50 KB, reverse-connect or web-based C2, AV evasion via FUD crypters, hidden processes) and delivers a Windows executable via social engineering.
- Admin control features include hidden apps/browsers/VNC, registry edits, startup checks, data exfiltration, browser cookie theft, data encryption, and even worm-like USB propagation.
- Underground threat landscape links Silver RAT to a Syrian-origin network (Anonymous Arabic) with affiliations to Telegram channels and a public-facing web presence; wallets and PayPal activity suggest monetization and laundering channels.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The payload executes through a short-lived CMD window that appears after an administrator permission prompt: ‘an administrated permission prompt will appear, and it will run a CMD window that disappears in less than 2 seconds.’
- [T1053] Scheduled Task/Job – The builder can defer payload execution (‘This option can be configured to delay the execution of the payload.’), and the report's MITRE mapping lists Scheduled Task/Job as the persistence mechanism.
- [T1055] Process Injection – The report maps the RAT's hidden-process capability to process injection: ‘Hidden process and hidden installation, i.e. the capability to hide a process within the task manager.’ Note that hiding an entry from Task Manager is consistent with, but not proof of, injection into another process.
- [T1112] Modify Registry – The operator can ‘modify registry keys’ to influence system behaviour and persistence.
- [T1497] Virtualization/Sandbox Evasion – The builder includes anti-analysis protections against sandbox environments (listed in the report's MITRE mapping).
- [T1027] Obfuscated Files or Information – Antivirus evasion relies on crypters: ‘Bypassing Antivirus using FUD Crypters.’
- [T1056] Input Capture – A keylogger captures user input (listed among the described capabilities).
- [T1539] Steal Web Cookie – Browser cookies are harvested from the victim.
- [T1552] Unsecured Credentials – Credentials stored on the system are targeted.
- [T1528] Steal Application Access Token – Tokens used by applications are collected.
- [T1057] Process Discovery – Running processes on the victim are enumerated.
- [T1083] File and Directory Discovery – The file system is searched to locate data of interest.
- [T1082] System Information Discovery – System information is gathered to tailor follow-on actions.
- [T1041] Exfiltration over C2 Channel – Collected data is sent back over the command-and-control channel.
- [T1567] Exfiltration over Web Service – The web-based C2 option also allows exfiltration via web services.
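The T1059 observation above (an elevated CMD window that lives for under two seconds) is a usable hunting signal. The following is an added example, not code from the CyFirma report or from Silver RAT: it pairs Sysmon process-create (Event ID 1) and process-terminate (Event ID 5) records and flags `cmd.exe` sessions that ran at High integrity, lived less than a threshold, and were spawned from a user-writable location. The event records are constructed for the example; the field names (`Image`, `ParentImage`, `IntegrityLevel`, `ProcessGuid`, `UtcTime`) follow Sysmon's schema, and the user-writable path list is an assumption you should tune to your estate.

```python
"""Hunt for short-lived, elevated cmd.exe sessions in Sysmon-style events.

Added example (not from the report). Input is a list of dicts shaped like
Sysmon Event ID 1 (ProcessCreate) and Event ID 5 (ProcessTerminate) records.
"""
import re
from datetime import datetime

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Assumption: parents launched from these locations are treated as untrusted.
USER_WRITABLE = re.compile(
    r"^C:\\(?:Users\\[^\\]+\\(?:Downloads|AppData|Desktop)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Dropper launched by the user, elevated through a UAC prompt.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\v\Downloads\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High",
     "UtcTime": "2024-01-10 09:00:00.000"},
    # Dropper spawns cmd.exe at High integrity; it exits 0.9 s later.
    {"EventID": 1, "ProcessGuid": "{A2}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\v\Downloads\invoice.exe", "IntegrityLevel": "High",
     "UtcTime": "2024-01-10 09:00:01.200"},
    {"EventID": 5, "ProcessGuid": "{A2}", "Image": r"C:\Windows\System32\cmd.exe",
     "UtcTime": "2024-01-10 09:00:02.100"},
    # Benign: an installer in System32 runs a brief elevated cmd.exe.
    {"EventID": 1, "ProcessGuid": "{B1}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "IntegrityLevel": "High",
     "UtcTime": "2024-01-10 09:05:00.000"},
    {"EventID": 5, "ProcessGuid": "{B1}", "Image": r"C:\Windows\System32\cmd.exe",
     "UtcTime": "2024-01-10 09:05:00.500"},
    # Benign: interactive, non-elevated shell kept open for minutes.
    {"EventID": 1, "ProcessGuid": "{C1}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "UtcTime": "2024-01-10 09:10:00.000"},
    {"EventID": 5, "ProcessGuid": "{C1}", "Image": r"C:\Windows\System32\cmd.exe",
     "UtcTime": "2024-01-10 09:14:30.000"},
]


def _ts(value):
    """Parse a Sysmon UtcTime string into a datetime."""
    return datetime.strptime(value, SYSMON_TIME)


def find_short_lived_cmd(events, max_seconds=2.0):
    """Return cmd.exe sessions that were elevated, short-lived and spawned
    from a user-writable path. Events must be in chronological order."""
    pending = {}   # ProcessGuid -> Event ID 1 record for cmd.exe
    hits = []
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\cmd.exe"):
            pending[guid] = ev
        elif ev["EventID"] == 5 and guid in pending:
            start = pending.pop(guid)
            lifetime = (_ts(ev["UtcTime"]) - _ts(start["UtcTime"])).total_seconds()
            if lifetime > max_seconds:
                continue
            if start.get("IntegrityLevel") != "High":
                continue
            if not USER_WRITABLE.match(start.get("ParentImage", "")):
                continue
            hits.append({
                "ProcessGuid": guid,
                "ParentImage": start["ParentImage"],
                "lifetime_s": round(lifetime, 3),
                "started": start["UtcTime"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_cmd(SAMPLE_EVENTS):
        print(f"[!] short-lived elevated cmd.exe {hit['ProcessGuid']} "
              f"parent={hit['ParentImage']} lifetime={hit['lifetime_s']}s")
```

The parent-path filter is what keeps this from firing on every installer; if you feed it live Sysmon data, sort by `UtcTime` first and widen `max_seconds` slightly, since the report's "less than 2 seconds" is an observation from a single sample rather than a hard limit.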
Indicators of Compromise
- [SHA256] Silver RAT v1.0 Builder – 79a4605d24d32f992d8d144202e980bb6b52bf8c9925b1498a1da59e50ac51f9, a9fa8e14080792b67a12f682a336c0ea9ff463bbcb27955644c6fcaf80023641, and other hashes
- [SHA256] Silver RAT Payload – 7a9aeea5e65a0966894710c1d9191ba4cbd6415cba5b10b3b75091237a70a5b8, 0ace7ae35b7b44a3ec64667983ff9106df688c24b52f8fcb25729c70a00cc319, and 2 more hashes