The latest Neptune RAT variant poses a significant threat, utilizing PowerShell commands to deliver and execute malicious payloads via an obfuscated script. It features advanced techniques for persistence and anti-analysis, enabling it to steal credentials, perform live monitoring, and execute ransomware capabilities. The report discusses its distribution methods across platforms like GitHub and highlights the dangers it poses to users. Affected: Windows users, organizations, individuals
Keypoints :
- Neptune RAT is shared on GitHub with advanced PowerShell commands.
- Malware employs encoding and obfuscation to evade detection.
- Utilization of APIs like catbox.moe for hosting malicious files.
- Features include a crypto clipper, password grabber, and ransomware.
- Persistence achieved through registry modifications and scheduled tasks.
- Advanced capabilities for live desktop monitoring and antivirus disabling.
- Developer claims educational use, but the software is primarily a threat.
MITRE Techniques :
- Initial Access (TA0001): (T1566) Phishing – Spear phishing Link.
- Execution (TA0002): (T1059.001) Command and Scripting Interpreter – PowerShell.
- Persistence (TA0004): (T1547.001) Registry Run Keys / Startup Folder.
- Privilege Escalation (TA0004): (T1548.002) Bypass User Account Control.
- Defense Evasion (TA0005): (T1027) Obfuscated Files or Information.
- Credential Access (TA0006): (T1555.003) Credentials from Web Browsers.
- Discovery (TA0007): (T1087) Account Discovery.
- Collection (TA0009): (T1123) Audio Capture; (T1005) Data from Local System.
- Command and Control (TA0011): (T1572) Protocol Tunneling.
- Exfiltration (TA0010): (T1041) Exfiltration Over C2 Channel.
- Impact (TA0040): (T1485) Data Destruction.
Indicator of Compromise :
- [MD5] a28c717c899abe4f93dadfa40a1ec157
- [SHA-256] 8df1065d03a97cc214e2d78cf9264a73e00012b972f4b35a85c090855d71c3a5
- [EXE] NeptuneRat.exe
- [BAT] px5r4x.bat
- [DLL] Ransomware.dll
Views: 35