QuimaRAT is a new Java-based RAT sold on the dark web as a subscription MaaS platform that targets Windows, Linux, and macOS with modular features and OS-specific capabilities. The sample uses encrypted configuration, single-instance checks, virtualization and analysis detection, persistence, and resilient C2 handshakes, while advertising 70+ modules, AES-256 encryption, and FUD claims. #QuimaRAT #MaaS #ApacheMaven #JNA
Keypoints
- QuimaRAT is a novel Java-based RAT designed to target Windows, Linux, and macOS environments.
- The malware is sold on a dark web forum as “QuimaRAT v2.0” and marketed as a subscription-based malware-as-a-service platform.
- The seller advertises more than 70 modules, AES-256 encryption, FUD claims, and a GUI panel.
- The analyzed sample is built as a modular Java project using Apache Maven and includes multiple embedded JNA native libraries for different operating systems and architectures.
- QuimaRAT loads an embedded encrypted config.dat file and decrypts it with a repeating-key XOR routine.
- The RAT enforces single-instance execution using a .lock file and Java FileLock, and it also performs virtualization and analysis environment checks.
- It implements OS-specific persistence and uses HANDSHAKE and HEARTBEAT commands to maintain resilient C2 communications.
MITRE Techniques
- [T1547] Boot or Logon Autostart Execution – QuimaRAT installs OS-specific persistence mechanisms to remain active after reboot or login (‘it also installs OS-specific persistence mechanisms’).
- [T1497] Virtualization/Sandbox Evasion – The RAT checks for virtualization and analysis environments before execution to avoid analysis (‘It also performs OS-specific virtualization and analysis environment checks prior to execution’).
- [T1132] Data Encoding – The internal config.dat file is encrypted and then decrypted with a repeating-key XOR routine (‘This is then decrypted using a repeating-key XOR routine’).
- [T1587] Develop Capabilities – The actor can likely expand functionality via runtime modules, uploaded binaries, or fileless payloads (‘the actor can likely expand functionality through runtime modules, uploaded binaries, or fileless payloads’).
- [T1573] Encrypted Channel – QuimaRAT uses encrypted communications and advertises AES-256 encryption (‘AES-256 encryption’; ‘To keep C2 communications resilient’).
- [T1071] Application Layer Protocol – The RAT maintains C2 communication through protocol commands such as HANDSHAKE and HEARTBEAT (‘QuimaRAT performs the HANDSHAKE and HEARTBEAT commands’).
- [T1027] Obfuscated Files or Information – The embedded config.dat is stored encrypted inside the JAR archive to hinder analysis (‘loads an encrypted internal config.dat file embedded within the JAR archive’).
- [T1546] Event Triggered Execution – The sample uses Java FileLock and a .lock file to coordinate execution of a single instance (‘a .lock file inside the operating system’s temporary directory and attempts to lock it using the Java FileLock functionality’).
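Added example (not code from the QuimaRAT sample or from the original write-up): a Python triage helper for the encrypted config.dat handling described in the key points and under T1132/T1027. The page gives neither the XOR key, its length, nor the plaintext format, so the helper recovers the key from a guessed plaintext fragment (a crib) and matches config.dat anywhere inside the JAR; the sample JAR, key and config below are constructed for the demonstration.

```python
import io
import string
import zipfile

PRINTABLE = set(string.printable.encode("ascii"))

def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: the same routine encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_config(jar_bytes: bytes, name: str = "config.dat") -> bytes:
    # A JAR is a ZIP; the entry's path is undocumented, so match on file name.
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.rsplit("/", 1)[-1] == name:
                return jar.read(entry)
    raise FileNotFoundError(name)

def recover_key(ct: bytes, crib: bytes, max_key_len: int = 32):
    # Known-plaintext recovery: slide the crib over the ciphertext, derive the
    # key bytes it implies for each candidate length, and accept the first
    # candidate whose full decryption is printable text. None if nothing fits.
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len:          # crib must cover every key position
            break
        for off in range(len(ct) - len(crib) + 1):
            key = [None] * key_len
            for i, p in enumerate(crib):
                k, slot = ct[off + i] ^ p, (off + i) % key_len
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:     # contradiction: wrong length or offset
                    break
            else:
                cand = bytes(key)
                if all(b in PRINTABLE for b in xor_repeating(ct, cand)):
                    return cand
    return None

# Constructed sample JAR, key and config; none of these come from a real build.
SAMPLE_KEY = b"k3y!"
SAMPLE_CONFIG = b'{"host":"c2.example.invalid","port":4444,"heartbeat":30}'

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("res/config.dat", xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY))
    return buf.getvalue()
```

On a real sample, replace build_sample_jar() with the JAR's bytes and pick a crib from whatever the configuration is expected to start with (a JSON brace, a field name, a hostname); a wrong crib returns None rather than a plausible-looking false decryption only when the printable check fails, so verify the output by eye.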
Indicators of Compromise
- [File names] Embedded/configuration artifacts and execution control – config.dat, .lock
- [Archive/file types] Java payload and packaged sample – JAR archive, pom.xml
- [Libraries/frameworks] Cross-platform native integration used by the sample – Java Native Access (JNA), Apache Maven
- [Platform targets] Affected operating systems – Windows, Linux, macOS