GodRAT Malware

GodRAT is a Gh0st RAT–derived remote access trojan targeting financial institutions via malicious .scr and .pif files distributed over Skype. It hides shellcode in image files using steganography and loads plugins such as FileManager for file-system manipulation; credential theft is handled by separate browser password stealers. Secondary implants and tools observed include AsyncRAT and those password stealers; activity affected Hong Kong, UAE, Lebanon, Malaysia, and Jordan. #GodRAT #AsyncRAT

Keypoints

  • GodRAT is a RAT derived from the Gh0st RAT codebase and delivered as malicious .scr and .pif files disguised as financial documents via Skype.
  • The malware uses steganography to hide shellcode inside image files, so the payload is neither stored nor transferred as a recognisable executable and slips past signature-based detection.
  • Infection chains include XOR-decoding or image-extraction loaders that retrieve configuration data and connect to a C2 server to download a UPX-packed GodRAT DLL.
  • GodRAT supports plugin injection, file/system manipulation via a powerful FileManager plugin, and exfiltration of system and antivirus information (zlib-compressed and XOR-encoded).
  • Attackers deploy AsyncRAT as a secondary implant and use browser password stealers for credential theft; AsyncRAT patches AMSI and ETW to blind in-memory script scanning and event-tracing telemetry on the host (a defense-evasion step, not a persistence mechanism).
  • Code similarities and the “-Puppet” injection parameter link GodRAT to AwesomePuppet and Gh0st RAT, suggesting re-use of legacy code and possible ties to the Winnti China-nexus actor.
  • Regions impacted include Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan, with samples and detections reported through PolySwarm.
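The steganography and XOR-decoding loaders in the keypoints above are the part an analyst first meets on disk. The following triage script is an added example, not PolySwarm's or GodRAT's own code: it assumes the simplest stego variant, a payload appended after the image terminator, and a single-byte XOR key (both assumptions; the write-up does not specify the encoding scheme). It walks the PNG chunk structure to find the byte after IEND, brute-forces the key by looking for a PE `MZ` stub or a common x64 shellcode prologue, validates `e_lfanew` points at a `PE` signature, and checks for UPX section names. The carrier image and the stub PE are constructed in-line; no real sample bytes are used.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_minimal_png() -> bytes:
    """A valid 1x1 RGB PNG used as the carrier for the constructed sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def _fake_pe() -> bytes:
    """Stub PE header (constructed, not malware): MZ stub, e_lfanew -> 'PE', UPX section names."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 64)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + b"UPX0" + b"\x00" * 4 + b"UPX1"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed sample: carrier image + single-byte-XOR-encoded stub appended after IEND.
SAMPLE_KEY = 0x5A
SAMPLE_IMAGE = build_minimal_png() + xor(_fake_pe(), SAMPLE_KEY)


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the image terminator: walk PNG chunks to IEND, or locate the JPEG EOI marker."""
    if blob.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(blob):
            length, ctype = struct.unpack_from(">I4s", blob, pos)
            pos += 8 + length + 4  # length, type, data, CRC
            if ctype == b"IEND":
                return blob[pos:]
        return b""
    if blob.startswith(b"\xff\xd8"):
        # Heuristic: last FF D9. A full segment walk is more robust, because EXIF
        # thumbnails carry their own EOI and an encoded payload may contain FF D9.
        idx = blob.rfind(b"\xff\xd9")
        return blob[idx + 2:] if idx != -1 else b""
    return b""


def recover_xor_key(data: bytes) -> Optional[int]:
    """Single-byte XOR brute force: accept the key that yields a PE 'MZ' stub or the
    common x64 shellcode prologue (cld; and rsp,-16). Multi-byte keys need a wider search."""
    markers = (b"MZ", b"\xfc\x48\x83\xe4")
    for key in range(256):
        head = xor(data[:4], key)
        if any(head.startswith(m) for m in markers):
            return key
    return None


def triage_image(blob: bytes) -> dict:
    result = {"trailing_bytes": 0, "xor_key": None, "pe": False, "upx": False}
    extra = trailing_data(blob)
    result["trailing_bytes"] = len(extra)
    if not extra:
        return result
    key = recover_xor_key(extra)
    if key is None:
        return result
    decoded = xor(extra, key)
    result["xor_key"] = key
    if decoded.startswith(b"MZ") and len(decoded) >= 0x40:
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        result["pe"] = decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    result["upx"] = b"UPX0" in decoded or b"UPX!" in decoded
    return result


if __name__ == "__main__":
    print(triage_image(SAMPLE_IMAGE))
```

Run it against any lure image recovered from a victim's Skype download folder; a non-zero `trailing_bytes` with no recovered key still merits a second look, since the loader may use a multi-byte key or LSB embedding rather than a simple append.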

MITRE Techniques

  • [T1204] User Execution – Malicious .scr and .pif files masqueraded as financial documents and were distributed via Skype to trick users into running them. [‘malicious .scr and .pif files masquerading as financial documents’]
  • [T1071] Application Layer Protocol – The implant connects to a Command-and-Control server, transmitting “GETGOD” and downloading a second-stage shellcode and DLL. [‘transmitting “GETGOD” to download a second-stage shellcode containing a UPX-packed GodRAT DLL’]
  • [T1055] Process Injection – The UPX-packed GodRAT DLL executes via exported “run” and can inject into processes like curl.exe, cmd.exe, or svchost.exe using parameters such as “-Puppet”. [‘execute via the exported “run” function… inject itself into processes like curl.exe or cmd.exe using the “-Puppet” parameter’]
  • [T1005] Data from Local System – The RAT collects OS details, hostname, process information, and antivirus presence, then compresses and encodes this data for exfiltration. [‘collecting victim data, such as OS details, hostname, process information, and antivirus presence, which is zlib-compressed, XOR-encoded, and sent to the C2 server’]
  • [T1083] File and Directory Discovery / [T1059] Command and Scripting Interpreter – The FileManager plugin gives the operator full file-system access (list, read, write, delete, create directories) and command execution through a hidden 7zip utility. [‘FileManager plugin… enabling attackers to list files, read/write data, delete files, create directories, and execute commands via a hidden 7zip utility’]
  • [T1566.003] Phishing: Spearphishing via Service – Distribution via Skype messenger leveraged trust in the communication platform to deliver malicious attachments to targets. [‘distributed via Skype messenger, exploiting the platform’s trust to deliver payloads’]
  • [T1027] Obfuscated Files or Information – Steganography was used to hide shellcode in image files and XOR/zlib encoding was used for configuration and exfiltrated data. [‘steganography to conceal shellcode within image files’ ; ‘XOR-decodes embedded shellcode’ ; ‘zlib-compressed, XOR-encoded’]
  • [T1587.001] Develop Capabilities: Malware – A builder lets operators customize the payload, including which legitimate process (svchost.exe, curl.exe) the implant injects into; the injection itself serves stealth rather than persistence. [‘builder allows customization of payloads, supporting executable injection into legitimate processes like svchost.exe or curl.exe’]
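The C2 traffic described under T1071 and T1005 has two recognisable shapes: the plaintext “GETGOD” stage request, and victim-information records that are zlib-compressed and then XOR-encoded. The decoder below is an added example, not code from the write-up, and it assumes a single-byte XOR key (an assumption; the key length is not given). It exploits the fact that a zlib stream starts with a header whose two bytes satisfy RFC 1950 (`CM = 8`, `CINFO <= 7`, `CMF*256 + FLG ≡ 0 mod 31`), which leaves only a handful of candidate keys, and the Adler-32 trailer check inside `zlib.decompress` rejects the wrong ones. The record layout (`key=value` pairs separated by NUL) and the captured bytes are constructed for the demonstration; GodRAT's real record format is not documented on this page.

```python
import zlib
from typing import Dict, Optional, Tuple

STAGE_REQUEST = b"GETGOD"


def encode_beacon(plaintext: bytes, key: int) -> bytes:
    """Mirror of the described encoding: zlib-compress, then XOR every byte.
    The single-byte key is an assumption made for this example."""
    return bytes(b ^ key for b in zlib.compress(plaintext))


def _zlib_header_ok(cmf: int, flg: int) -> bool:
    # RFC 1950: CM=8 (deflate), CINFO<=7 (<=32K window), and CMF*256+FLG divisible by 31
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def recover_key_and_inflate(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try each key that turns the first two bytes into a valid zlib header; the
    Adler-32 check in zlib.decompress discards the wrong candidates."""
    if len(blob) < 2:
        return None
    for key in range(256):
        if not _zlib_header_ok(blob[0] ^ key, blob[1] ^ key):
            continue
        try:
            return key, zlib.decompress(bytes(b ^ key for b in blob))
        except zlib.error:
            continue
    return None


def parse_c2_message(blob: bytes) -> Dict:
    """Classify one captured implant-to-C2 message."""
    if blob.startswith(STAGE_REQUEST):
        return {"type": "stage_request"}
    recovered = recover_key_and_inflate(blob)
    if recovered is None:
        return {"type": "unknown"}
    key, plain = recovered
    # Field layout is constructed for this example (NUL-separated key=value pairs).
    fields = {}
    for item in plain.split(b"\x00"):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            fields[k.decode("latin-1")] = v.decode("latin-1")
    return {"type": "victim_info", "xor_key": key, "fields": fields}


# Constructed capture: a victim-info record as the implant would send it (key 0x3C chosen arbitrarily).
SAMPLE_VICTIM_INFO = (b"os=Windows 10 Pro 19045\x00host=FIN-WS-07\x00"
                      b"procs=explorer.exe;outlook.exe\x00av=Windows Defender\x00")
SAMPLE_KEY = 0x3C
CAPTURED_INFO = encode_beacon(SAMPLE_VICTIM_INFO, SAMPLE_KEY)


if __name__ == "__main__":
    print(parse_c2_message(STAGE_REQUEST))
    print(parse_c2_message(CAPTURED_INFO))
```

Feed it the TCP payloads reassembled from a capture of the implant's connection; a message that is neither the stage request nor inflatable under any single-byte key is worth carving by hand, since the second-stage shellcode download is not zlib-wrapped in the way the victim record is.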

Indicators of Compromise

  • [File Hash] GodRAT sample hashes – E26efc253a47bf311abff125f53f860c0cabaa58592b3407de1380a6d3170265, 48d0d162bd408f32f8909d08b8e60a21b49db02380a13d366802d22d4250c4e7 (and 1 more hash)
  • [File Hash] AsyncRAT sample hash – Ed1dfd2e913e1c53d9f9ab5b418f84e0f401abfdf8e3349e1fcfc98663dcb23f
  • [File Name / Type] Malicious lure files – .scr and .pif files masquerading as financial documents delivered via Skype
  • [Tool / Plugin Names] Malicious components observed – FileManager plugin, UPX-packed GodRAT DLL, hidden 7zip utility used for file operations
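Beyond the hashes, the most durable host indicator on this page is behavioural: the “-Puppet” injection parameter passed to curl.exe, cmd.exe or svchost.exe, typically under a .scr or .pif lure. The hunt below is an added example, not PolySwarm's code. It assumes process-creation telemetry with Sysmon Event ID 1 field names (`Image`, `CommandLine`, `ParentImage`) exported as JSON lines; the events themselves are constructed, including a benign puppet-agent.exe entry to show that matching the `-Puppet` token is tighter than a substring search on the word.

```python
import json
import ntpath
from typing import Dict, List

INJECTION_HOSTS = {"curl.exe", "cmd.exe", "svchost.exe"}
LURE_EXTENSIONS = (".scr", ".pif")


def _events() -> List[Dict]:
    # Constructed Sysmon-style process-creation events, not real telemetry.
    return [
        {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
         "CommandLine": r'"C:\Windows\System32\curl.exe" -Puppet',
         "ParentImage": r"C:\Users\alice\Downloads\Q3_Statement.pdf.scr"},
        {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
         "CommandLine": r"curl.exe -s https://intranet.example/health",
         "ParentImage": r"C:\Windows\System32\cmd.exe"},
        {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
         "CommandLine": r"svchost.exe -Puppet",
         "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Transfer_Confirmation.pif"},
        {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
         "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
         "ParentImage": r"C:\Windows\System32\services.exe"},
        {"EventID": 1, "Image": r"C:\Program Files\Tools\puppet-agent.exe",
         "CommandLine": r'"C:\Program Files\Tools\puppet-agent.exe" --onetime',
         "ParentImage": r"C:\Windows\System32\services.exe"},
    ]


SAMPLE_LOG = "\n".join(json.dumps(e) for e in _events())


def hunt_puppet_injection(log_text: str) -> List[Dict]:
    """Flag processes carrying the -Puppet argument, and injection hosts spawned by lure files."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = json.loads(line)
        image = ntpath.basename(ev.get("Image", "")).lower()
        args = ev.get("CommandLine", "").split()
        parent = ev.get("ParentImage", "").lower()
        reasons = []
        # Exact token match: a path containing "puppet" must not trigger this rule.
        if any(a.lower() == "-puppet" for a in args):
            reasons.append("-Puppet injection parameter on command line")
        # Heuristic: a known injection host whose parent is a .scr/.pif lure file.
        if image in INJECTION_HOSTS and parent.endswith(LURE_EXTENSIONS):
            reasons.append(f"{image} spawned by a {ntpath.splitext(parent)[1]} lure file")
        if reasons:
            findings.append({"line": lineno, "image": image, "parent": parent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hunt_puppet_injection(SAMPLE_LOG):
        print(hit)
```

The second rule fires on its own as well, so a loader that drops the `-Puppet` convention but still launches curl.exe from a screensaver lure is caught; svchost.exe with a parent other than services.exe is a separate, well-known heuristic that this example does not implement.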


Read more: https://blog.polyswarm.io/godrat