VagusRAT is a new remote access tool delivered through Google Ads campaigns that abuse typosquatting and SEO poisoning to lure users into downloading malicious apps. CYFIRMA attributes VagusRAT to Iranian actors, notes its Malware-as-a-Service model, and highlights extensive capabilities such as HVNC and HDRP that can be customized via a builder. #VagusRAT #IranianThreatActors #CypherRAT
Keypoints
- Campaigns abuse Google Ads and typosquatting to distribute VagusRAT via cloned apps and fake download pages.
- VagusRAT is offered as Malware as a Service with a builder, enabling customization and multiple variations.
- Attribution points toward Iranian threat actors, supported by IP evidence and language clues observed in tutorials.
- Threat actors use Gmail aliases and public video tutorials; a Telegram channel linked to VagusRAT started in Feb 2022.
- Sample analysis shows an obfuscated .NET binary packed with Confuser that persists by writing a registry Run key entry.
- Delivery chain involves a Google Ad redirecting to a fake Adobe Reader page, leading to a download of a Windows PE payload (setup_4.21.exe).
MITRE Techniques
- [T1608.006] SEO Poisoning – Used Google Ads to drive victims to malicious clones; ‘campaigns abusing Google Ads platform to deliver malware to novice users searching for popular applications and cracked versions of legitimate software.’
- [T1106] Native API – Execution of the payload downloaded after the Google Ad redirect to setup_4.21.exe; ‘to download malware with name “setup_4.21.exe” on the machine.’ The quoted evidence only shows the victim downloading and launching setup_4.21.exe, which fits User Execution: Malicious File (T1204.002) more closely than Native API; the T1106 mapping is the source's.
- [T1027] Obfuscated Files or Information – The sample is a .NET binary packed with the Confuser packer (T1027.002 Software Packing); ‘The class names, entry point and code are obfuscated to evade analysis.’
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via an autostart registry value (the name ‘Modify Registry’ belongs to T1112; T1547.001 is the Run-key technique the evidence describes); ‘modifies various registry entries including “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” for persistence.’
- [T1082] System Information Discovery – Host discovery; the process enumeration quoted here maps more precisely to Process Discovery (T1057); ‘It enumerates the processes and also creates new directories/folders on the system.’
- [T1071] Application Layer Protocol – Command and Control over URLs; ‘Binary on execution, communicates to URLs with VagusRAT references.’
Indicators of Compromise
- [File Hash] MD5 – a8754096cc985cad9eb65e303a07a348, 7ce22135f9a3eeaf1653101bbfe68272
- [IP] – 198.54.114.160, 5.117.104.181, 193.176.87.152
- [Domain] – vagusrat.com
- [File Name] – setup_4.21.exe
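Added example, not part of the CYFIRMA write-up: a small hunting script that evaluates endpoint telemetry against the indicators listed above and the Run-key persistence called out under T1547.001. The record schema (event_type, md5, path, dst_ip, query, key, value_name, value_data) is assumed for the example and the events are constructed; only the hashes, IPs, domain and file name come from the page.

```python
"""Hunt constructed endpoint telemetry for the VagusRAT indicators on this page.

Added example, not CYFIRMA's code. The indicator values are the ones listed above;
the telemetry records and their field names (event_type, md5, path, dst_ip, query,
key, value_name, value_data) are a constructed, assumed schema, not a real EDR format.
"""
import re

IOC_MD5 = {"a8754096cc985cad9eb65e303a07a348", "7ce22135f9a3eeaf1653101bbfe68272"}
IOC_IPS = {"198.54.114.160", "5.117.104.181", "193.176.87.152"}
IOC_DOMAINS = {"vagusrat.com"}
IOC_FILENAMES = {"setup_4.21.exe"}

# Run/RunOnce autostart keys under HKLM/HKCU, including the Wow6432Node view (T1547.001).
RUN_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)


def image_basename(command):
    """Lower-cased file name of the executable in a path or Run-key command line.

    Handles quoted ('"C:\\x\\a.exe" /s') and unquoted ('C:\\x\\a.exe /s') forms.
    """
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split(" ", 1)[0]
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (confidence, reason) findings for one telemetry record."""
    findings = []
    kind = ev.get("event_type")
    if kind == "file":
        if ev.get("md5", "").lower() in IOC_MD5:
            findings.append(("high", "file hash matches VagusRAT IOC"))
        elif image_basename(ev.get("path", "")) in IOC_FILENAMES:
            findings.append(("medium", "file name matches VagusRAT delivery payload"))
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            findings.append(("high", "connection to VagusRAT C2 IP (T1071)"))
        query = ev.get("query", "").lower().rstrip(".")
        if query in IOC_DOMAINS or any(query.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(("high", "DNS lookup of VagusRAT domain (T1071)"))
    elif kind == "registry" and RUN_KEY_RE.match(ev.get("key", "")):
        image = image_basename(ev.get("value_data", ""))
        if image in IOC_FILENAMES:
            findings.append(("high", "Run key points at VagusRAT payload (T1547.001)"))
        else:
            # Any new Run-key value deserves triage even without a known IOC name.
            findings.append(("low", f"new Run key value for {image} (T1547.001)"))
    return findings


def hunt(events):
    """Evaluate every record; return (record index, confidence, reason) tuples."""
    results = []
    for i, ev in enumerate(events):
        for confidence, reason in check_event(ev):
            results.append((i, confidence, reason))
    return results


# Constructed telemetry modelled on the delivery chain described above (not real logs).
SAMPLE_EVENTS = [
    {"event_type": "file", "path": "C:\\Users\\alice\\Downloads\\setup_4.21.exe",
     "md5": "A8754096CC985CAD9EB65E303A07A348"},
    {"event_type": "network", "query": "cdn.vagusrat.com."},
    {"event_type": "network", "dst_ip": "193.176.87.152"},
    {"event_type": "registry",
     "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "AdobeUpdate",
     "value_data": '"C:\\Users\\Public\\setup_4.21.exe" /silent'},
    {"event_type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive", "value_data": "C:\\Users\\alice\\OneDrive.exe /background"},
    {"event_type": "network", "dst_ip": "8.8.8.8"},
]

if __name__ == "__main__":
    for idx, confidence, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: [{confidence}] {reason}")
```

Hash and C2 matches are exact and high confidence; the file name alone is only medium, since setup_4.21.exe is a generic name, and any unknown Run-key value is surfaced at low confidence so that renamed builder variants still show up for triage.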
Read more: https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/