
BlackNET RAT

Posted: March 25, 2020

The BlackNET RAT is a Remote Access Trojan that lets attackers exercise invasive control over the infected computer, with an emphasis on data collection. Campaigns are exploiting the Coronavirus epidemic with fake 'anti-virus' software for propagating this Trojan. Users should let their anti-malware products delete the BlackNET RAT on sight and change their passwords after disinfection.

Hackers Playing with Virus Linguistics

The terminology of the cyber-security industry is fairly concretely defined in most cases, but threat actors can take advantage of casual misunderstandings by the public. In the case of a recently-caught Black Hat website, the con utilizes a payload with the BlackNET RAT and some unusual wordplay for installing it. This Remote Access Trojan is joining numerous other threats with a Coronavirus theme – and muddying the waters about what a virus is, to boot.

The BlackNET RAT's new campaign isn't too different from the COVID-19 schemes of threats like the CoronaVirus Ransomware, NanoBot, or the CovidLock Ransomware. The threat actor uses a fraudulent domain promoting an anti-virus program specific to the Coronavirus – while implying that the disease is a digital one that your PC requires protection from, along with a biology-based health risk. Readers familiar with the history of the malware industry already should know that a software virus is a self-reproducing program that injects its code into other files. It has nothing to do with bodily diseases, and there's no functional overlap between anti-virus applications and disease-tracking ones.

Besides the unusual website that's installing the CoronaVirus Ransomware in the disguise of an AV scanner, the RAT has little to differentiate it from other RATs. However, its payload shows what malware experts deem an exceptional focus on spyware-like functions, such as keylogging, screen-grabbing, compromising Bitcoin wallets, and collecting cookies. It also includes some features without information-collecting in mind, such as Distributed-Denial-of-Service attacks that it coordinates through an en masse botnet of infected systems.

The PC Disease Prevention that's Always Relevant

The use of national emergencies and important news topics for circulating file-locking Trojans, RATs, and spyware is far from unusual, even though the BlackNET RAT is more careless than most with its phishing lure. The domain is being flagged as a corrupted phishing site by most vendors, in addition to any heuristic flags that the fake anti-virus executable may trip. Meanwhile, malware researchers also suggest checking Web addresses for safety before downloading new software related to the Coronavirus, which is becoming a hot topic among Trojan campaigns.

The BlackNET RAT represents the usual risk towards the user's privacy and control over their Windows PC. Always disable Internet connections after identifying possible infections, and change passwords for eliminating the chance of an attacker hijacking an account, transferring Bitcoins or conducting other attacks. Any typed or cookie-stored data and any saved passwords are at risk of being collected by threat actors using the BlackNET RAT, along with the possibility of performance problems from its DDoSing activities.

Anti-malware products that are alert at the time of exposure to the 'antivirus-covid19[.]site' website should warn users before loading it. They also should experience issues with deleting the BlackNET RAT, although it does use some identity-concealing techniques, such as an HXXP exploit and Themida packing.
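
For defenders who want to check whether any machine on their network reached the domain named above, the following is an added example, not code from the original article or from any vendor. It refangs the indicator as printed on this page and matches it against proxy log lines by hostname rather than by substring, so look-alike hosts and query strings do not produce false hits. The log format, the sample lines, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicator exactly as the page prints it (defanged).
DEFANGED_IOC = "antivirus-covid19[.]site"

def host_of(url_or_host: str) -> str:
    """Extract a normalized hostname from a URL or a bare host[:port]."""
    value = url_or_host.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the value as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()  # drop the DNS root dot, fold case

def refang(indicator: str) -> str:
    """Turn a '[.]'-defanged indicator back into a matchable hostname."""
    return host_of(indicator.replace("[.]", "."))

def matches_ioc(url_or_host: str, ioc_host: str) -> bool:
    """True for the IoC domain or any subdomain of it, never for look-alikes."""
    host = host_of(url_or_host)
    return host == ioc_host or host.endswith("." + ioc_host)

def hunt(log_lines, ioc_host):
    """Return (client, url) pairs from proxy log lines that reached the IoC."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[3]
        if matches_ioc(url, ioc_host):
            hits.append((client, url))
    return hits

# Constructed sample log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = [
    "2020-03-25T10:01:02Z 10.0.0.15 GET http://antivirus-covid19.site/ 200",
    "2020-03-25T10:01:09Z 10.0.0.15 GET http://WWW.Antivirus-Covid19.site./update 200",
    "2020-03-25T10:02:11Z 10.0.0.22 CONNECT antivirus-covid19.site:443 200",
    "2020-03-25T10:03:40Z 10.0.0.31 GET http://antivirus-covid19.site.example.test/ 200",
    "2020-03-25T10:04:05Z 10.0.0.31 GET http://notantivirus-covid19.site/ 200",
    "2020-03-25T10:05:00Z 10.0.0.40 GET http://example.test/?q=antivirus-covid19.site 200",
    "truncated line",
]

if __name__ == "__main__":
    for client, url in hunt(SAMPLE_LOG, refang(DEFANGED_IOC)):
        print(f"{client} contacted {url}")
```

Clients that appear in the output are the ones to isolate and to prioritize for the password changes described above.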

Even the most non-technically-savvy computer owner should know the difference between a biological virus and a software one. The BlackNET RAT hopes that it can use doublespeak for blurring the lines just long enough to get a download through, which is all that it needs to add a new PC to its decentralized network.
