CYFIRMA analyzes Millenium RAT, a .NET Windows RAT that has moved from version 2.4 to 2.5 and is under active development: the 2.4 build is sold through GitHub, while 2.5 is offered through direct contact on Telegram. The report details the tool’s data theft, anti-analysis, persistence and Telegram-based C2 capabilities, and shows how easily open-source malware can be acquired and repurposed from popular platforms. Hashtags: #MilleniumRAT #GitHub
Keypoints
- Millenium RAT has evolved from version 2.4 to 2.5, indicating ongoing active development.
- The 2.4 version is offered for lifetime access at $30, while 2.5 requests contact via Telegram for details, signaling a shift in access model.
- Capabilities span data theft, anti-analysis, persistence, remote command execution, and Telegram-based communication for exfiltration.
- The tool collects browser data, Discord tokens, keystrokes, and system information and sends them to the operator over Telegram.
- The malware is promoted on GitHub as an educational resource, leveraging openness to facilitate misuse.
- Millenium RAT appears derived from ToxicEye RAT, with similarities in code structure and modules, suggesting repurposing of open-source malware.
MITRE Techniques
- [T1071.001] Web Protocols – Telegram-based C2 and data transmission – C2 traffic and stolen files ride on HTTPS to the Telegram Bot API, so they blend in with legitimate Telegram use and are not blocked by most egress policies. “Leveraging the Telegram API for communication and file transmission, it poses substantial risks to both user privacy and system security.”
- [T1547.001] Registry Run Keys/Startup Folder – Auto-start persistence – The RAT registers itself in the per-user Run key so it starts at every logon, under a value name that imitates a browser updater. “writes a new registry entry to the ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ path. The entry created is named with the name ‘ChromeUpdate’…”
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Anti-VM/sandbox checks – The RAT queries system details (hardware and manufacturer strings) and looks for virtualization vendor keywords; a match aborts execution in analysis environments. “…to identify virtual environments and searches for keywords like ‘VIRTUAL,’ ‘vmware,’ or ‘VirtualBox’ within system details.”
- [T1622] Debugger Evasion – Anti-debugging measures – It attempts to detect whether the process is being debugged (T1622 is the ATT&CK technique for debugger detection; T1498 is Network Denial of Service). “It attempts to detect if the application is running within a debugger.”
- [T1056.001] Input Capture: Keylogging – Keylogging – The malware records keystrokes through a low-level keyboard hook. “logs keystrokes by intercepting low-level keyboard input events.”
- [T1555.003] Credentials from Web Browsers – Browser-stored credentials – It gathers data from several browsers (Chrome, Edge, Opera, Brave) and can access passwords, downloads, and more. “terminating any running instances of these browsers… collect passwords, downloads, credit card details, cookies, and browsing history.”
- [T1552.001] Unsecured Credentials: Credentials in Files – Local credential storage – It reads browser data files and other on-disk credential stores, then packages what it finds for exfiltration (T1081 is the retired identifier for this technique). “the data is organized, compressed, and sent… using the Telegram API.”
- [T1113] Screen Capture – Desktop screenshot – The malware captures the desktop, saves as JPEG, and sends via Telegram. “The desktop’s content, converts it into a JPEG image, and transmits it to a designated Telegram chat.”
- [T1560] Archive Collected Data – Data preparation for exfiltration – Collected data is bundled into a ZIP archive before it is sent (T1002 is the retired identifier for this technique). “data is organized, compressed, and sent… via Telegram API.”
- [T1041] Exfiltration Over C2 Channel – Exfiltration to Telegram – Data and files are transmitted to the Telegram-based channel for exfiltration. “sent to an external server… Telegram API.”
- [T1070.004] Indicator Removal: File Deletion – Self-deletion/cleanup – The RAT can remove its own binary and related artifacts after installation or on command; this is anti-forensic cleanup rather than destruction of victim data, so T1485 does not apply. “self-destruction features… deletes artifacts.”
- [T1059] Command and Scripting Interpreter – Remote command execution – The operator can run arbitrary commands on the infected host through the Telegram channel; the report does not state which interpreter is used, so the parent technique is listed. T1021 (Remote Services) describes lateral movement over RDP/SSH/SMB and does not fit this behaviour. “enable remote control over the compromised system.”
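The two most hunt-friendly behaviours above are the Run-key value written from a user-writable path (T1547.001) and DNS resolution of the Telegram Bot API from a process that has no business using it (T1071.001); seeing both from the same binary is a strong signal. The following is an added example, not CYFIRMA's code or anything from the RAT itself: it runs both checks over constructed Sysmon-like key=value log lines (registry event 13 and DNS event 22), correlates hits per process image, and also surfaces the ip-api.com lookup as a supporting indicator. The process paths, the `notifier.exe` ops bot and the allowlist are hypothetical; the allowlist is where a site records its own legitimate Telegram-API users.

```python
"""Hunt for Millenium RAT persistence and Telegram-API C2 in Sysmon-style telemetry.

Added example, not from the CYFIRMA report. The log format (key=value lines with
Sysmon field names), the process paths and the allowlist are constructed/hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, not real captures. Backslashes are literal (raw string).
SAMPLE_LOGS = r"""
EventID=13 Image=C:\Users\alice\AppData\Roaming\svc\update.exe EventType=SetValue TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate Details=C:\Users\alice\AppData\Roaming\svc\update.exe
EventID=13 Image=C:\Program Files (x86)\Google\Update\GoogleUpdate.exe EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate Details=C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
EventID=22 Image=C:\Users\alice\AppData\Roaming\svc\update.exe QueryName=api.telegram.org
EventID=22 Image=C:\Tools\alerting\notifier.exe QueryName=api.telegram.org
EventID=22 Image=C:\Users\alice\AppData\Roaming\svc\update.exe QueryName=ip-api.com
"""

# Run-key value under HKCU/HKU or HKLM; group 1 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Payload paths an autorun entry should rarely point at.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
TELEGRAM_API = "api.telegram.org"
GEOIP_HOSTS = {"ip-api.com"}  # from the report's IOC list; benign service, supporting signal only


def parse_line(line):
    """Split 'Key=value Key=value' into a dict; values may contain spaces (paths)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line.strip()))


def hunt(log_text, allowed_telegram_images=frozenset()):
    """Return (technique, image, detail) findings, plus a 'correlated' finding per image
    that shows both Run-key persistence and Telegram API resolution."""
    allowed = {p.lower() for p in allowed_telegram_images}
    findings = []
    tags_by_image = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        image = ev.get("Image", "")

        if ev.get("EventID") == "13":  # registry value set
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            value_name, payload = m.group(1), ev.get("Details", "")
            # Flag the RAT's known value name, or any autorun pointing into a user-writable dir.
            if value_name.lower() == "chromeupdate" or USER_WRITABLE_RE.search(payload):
                findings.append(("T1547.001", image, f"Run value '{value_name}' -> {payload}"))
                tags_by_image[image].add("persistence")

        elif ev.get("EventID") == "22":  # DNS query
            qname = ev.get("QueryName", "").lower()
            if qname == TELEGRAM_API and image.lower() not in allowed:
                findings.append(("T1071.001", image, f"DNS query for {qname}"))
                tags_by_image[image].add("telegram")
            elif qname in GEOIP_HOSTS:
                findings.append(("recon", image, f"DNS query for {qname}"))
                tags_by_image[image].add("geoip")

    for image, tags in tags_by_image.items():
        if {"persistence", "telegram"} <= tags:
            findings.append(("correlated", image,
                             "Run-key persistence and Telegram Bot API use from the same binary"))
    return findings


if __name__ == "__main__":
    for technique, image, detail in hunt(SAMPLE_LOGS, {r"C:\Tools\alerting\notifier.exe"}):
        print(f"{technique:10} {image}  {detail}")
```

Running it without an allowlist also flags the hypothetical `notifier.exe`; that is the expected false positive, and the point of correlating: only `update.exe` trips both the persistence and the C2 check.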
Indicators of Compromise
- [MD5] Millenium RAT binary – eba4be8ed0e9282976f8ee0b04fb2474
- [SHA1] Millenium RAT binary – f4d698ece0ff6af36c1a2e9108ea475518df0aa7
- [SHA256] Millenium RAT binary – 6d207c1e954f9d60f693e17e63df73fb8e954d02544b5d52b8b18c4ab86a267e
- [URL] Geolocation service – http://ip-api.com/json/ – a legitimate public service the RAT queries for victim geolocation; treat it as a contextual indicator (unexpected process making the request) rather than a blocklist entry on its own.
Read more: https://www.cyfirma.com/outofband/unveiling-a-new-threat-the-millenium-rat/