Moonrise is a previously undetected Go-based remote access trojan that establishes WebSocket C2 and full interactive control of an endpoint before static detections trigger. Detection requires behavior-based analysis and faster SOC workflows to catch credential theft, remote command execution, persistence, and user-monitoring activity early. #Moonrise #ANY.RUN
Keypoints
- Moonrise is a Go-based RAT that evaded static detection at the time of analysis and established active C2 before vendor alerts appeared.
- The malware provides a broad command set including credential theft, clipboard and keylogging, screen/webcam/microphone capture, file upload/download/execute, and remote command/process control.
- Initial C2 uses a WebSocket-like session with client_hello, connected, and ping/pong messages to maintain persistent operator connectivity.
- Operator-visible behaviors include process_list, file_list, screenshot attempts, process_kill, file_upload/file_run, and explorer_restart, enabling escalation from reconnaissance to full control.
- Privilege and persistence capabilities (uac_bypass, rootkit_enable/disable, watchdog and protection configs) increase dwell time and complicate removal.
- ANY.RUN recommends a 3-step detection loop (monitoring for new infrastructure, rapid enrichment plus sandbox execution for behavioral confirmation, and threat hunting from confirmed indicators) to reduce exposure.
MITRE Techniques
- [T1071] Application Layer Protocol: Moonrise maintains C2 over WebSocket-like messaging ("client_hello connected ping/pong").
- [T1059] Command and Scripting Interpreter: The RAT executes remote commands and spawns shells (e.g., "svchost.exe spawning cmd.exe to execute system commands").
- [T1105] Ingress Tool Transfer: Operator-driven file_upload and file_download allow additional payloads to be transferred to the host ("file_upload file_download").
- [T1057] Process Discovery: The malware enumerates running processes using "process_list" to survey the environment ("process_list").
- [T1083] File and Directory Discovery: Moonrise inspects file structures with "file_list" to find accessible data ("file_list").
- [T1056] Input Capture: Keylogging and clipboard monitoring are used to capture credentials and sensitive data ("keylogger_start keylogger_logs clipboard_history").
- [T1113] Screen Capture: The RAT attempts screenshots and can stream screen content for operator surveillance ("screenshot screen_stream_start screen_stream_stop").
- [T1123] Audio Capture: Microphone recording capability enables audio capture of user activity ("microphone_record").
- [T1041] Exfiltration Over C2 Channel: Collected data (files, keylogger logs, clipboard contents) can be transferred via the established C2 channel ("file_download keylogger_logs clipboard_history").
- [T1547] Boot or Logon Autostart Execution: Presence of persistence-related commands suggests support for maintaining execution across reboots ("persistence and privilege-related functions increase dwell time").
- [T1548] Abuse Elevation Control Mechanism: The sample includes uac_bypass and other privilege-manipulation commands indicating UAC or elevation abuse capabilities ("uac_bypass rootkit_enable rootkit_disable").
- [T1497] Defacement or Disruption (User Interface): User-facing commands (fun_message, fun_wallpaper, fun_bsod, fun_restart, fun_shutdown) allow visible disruption or coercion of user experience ("fun_message fun_wallpaper fun_bsod").
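The two behaviors the write-up calls out as observable before static signatures fire are the WebSocket-like session setup (client_hello, connected, then ping/pong) and svchost.exe spawning cmd.exe. The following is an added example, not ANY.RUN's code, of a small behavioral detector run over constructed telemetry records; the record fields (type, host, parent, image, dst, proto, msg) are assumed, and the C2 address is the one listed in this page's IoCs.

```python
from collections import defaultdict

# Constructed sample telemetry (not real captured data); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "net", "host": "ws01", "dst": "193.23.199.88", "proto": "ws", "msg": "client_hello"},
    {"type": "net", "host": "ws01", "dst": "193.23.199.88", "proto": "ws", "msg": "connected"},
    {"type": "net", "host": "ws01", "dst": "193.23.199.88", "proto": "ws", "msg": "ping"},
    {"type": "net", "host": "ws01", "dst": "193.23.199.88", "proto": "ws", "msg": "pong"},
    # Benign-looking host: cmd.exe launched from explorer.exe, and a lone ping with no handshake.
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "net", "host": "ws02", "dst": "10.0.0.5", "proto": "ws", "msg": "ping"},
]

KNOWN_C2 = {"193.23.199.88"}                 # C2 address reported on this page (defanged above)
HANDSHAKE = ("client_hello", "connected")    # session-setup messages described in the write-up
KEEPALIVE = ("ping", "pong")                 # operator connectivity is kept with ping/pong


def detect(events):
    """Return {host: [finding, ...]} for hosts showing Moonrise-style behavior."""
    findings = defaultdict(list)
    ws_msgs = defaultdict(list)  # (host, dst) -> WebSocket message names in order seen

    def add(host, text):
        if text not in findings[host]:  # one finding per distinct observation
            findings[host].append(text)

    for e in events:
        if e["type"] == "process":
            # T1059 tell from the report: svchost.exe spawning cmd.exe for remote commands
            if e["parent"].lower() == "svchost.exe" and e["image"].lower() == "cmd.exe":
                add(e["host"], f"svchost.exe spawned cmd.exe: {e['cmdline']}")
        elif e["type"] == "net":
            if e["dst"] in KNOWN_C2:
                add(e["host"], f"traffic to known Moonrise C2 {e['dst']}")
            if e["proto"] == "ws":
                ws_msgs[(e["host"], e["dst"])].append(e["msg"])

    # T1071 tell: full handshake followed by keepalive traffic on one WebSocket session
    for (host, dst), msgs in ws_msgs.items():
        if all(m in msgs for m in HANDSHAKE) and all(m in msgs for m in KEEPALIVE):
            add(host, f"Moonrise-style WebSocket C2 session to {dst}")
    return dict(findings)
```

The session check fires on the behavioral pattern even for a destination absent from KNOWN_C2, which is the point of the behavior-based step in the detection loop above; the IP match is only the fast path for already-confirmed infrastructure.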
Indicators of Compromise
- [IP Address] C2 infrastructure observed: 193[.]23[.]199[.]88
- [File Hashes] Malware sample hashes observed: c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e, 8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad, and 5 other hashes
- [File Names] Process/file names observed in behavior: svchost.exe (spawned), cmd.exe (spawned)
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/moonrise-rat-detected/