
Cotx RAT

Posted: August 8, 2019

The Cotx RAT is a Remote Access Trojan that gives attackers control-oriented capabilities over your PC. Its features include, but aren't limited to, file operations such as reading or deleting files, issuing CMD system commands, and passing exploitable environmental information back to the hacker. This threat currently targets the IT industry, and workers in that field should employ appropriate practices and anti-malware tools for removing the Cotx RAT as soon as possible.

Good Reasons for Modernizing Your Workplace Software

Hackers showing all the telltale marks of China-based operations are targeting entities in the IT industry, in a campaign that was dubbed Lagtime IT. Further analysis of the attacks and their components turned up evidence of a brand-new Trojan custom-built for the TA428 threat actor. While the Cotx RAT offers little that's new under the sun, it does show off many well-established, exploitative tactics for breaking past security and maintaining control in a state-sponsored (or equivalently well-funded) attack.

The infection vector for the Cotx RAT is one of the most suggestive signs of its possibly Chinese origin, thanks to the abuse of an Equation Editor exploit, CVE-2018-0798. This remote code execution vulnerability affects Microsoft Office up to version 2016, and 2019 users should be immune. The path of exposure, as usual, is customized e-mail spam whose content is tailored to the target employee's industry and company – a common theme that malware experts see in almost all phishing attacks that lead to RAT infections.
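The Equation Editor abuse path above leaves a process-tree trace that endpoint telemetry can catch even when the lure document itself is new. The following detector is an added example, not code from the original article or from any vendor product: it runs two rules over constructed Sysmon-style process-creation records. The log format, the sample records, the rule names and the lists of process names are all assumptions made for this example. The background it relies on is that the legacy Equation Editor binary is EQNEDT32.EXE, that Office starts it out-of-process through DCOM (so its parent is normally svchost.exe rather than WINWORD.EXE, and a rule keyed on an Office parent would miss it), that it has no legitimate reason to spawn child processes, and that Microsoft removed the component from Office in its January 2018 updates, so its mere presence on a patched host is worth a look.

```python
"""Added example: flag process-creation events consistent with Equation Editor
(CVE-2018-0798-style) abuse. Hypothetical log format, sample data and rule
names; not part of the original write-up."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed Sysmon-style records (not real telemetry):
# UtcTime|ParentImage|Image|CommandLine
SAMPLE_LOG = r"""
2019-08-07 09:12:01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" C:\Users\alice\Downloads\quote.docx
2019-08-07 09:12:09|C:\Windows\System32\svchost.exe|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|"EQNEDT32.EXE" -Embedding
2019-08-07 09:12:10|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\AppData\Local\Temp\stage.exe
2019-08-07 09:15:33|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Users\alice\AppData\Local\Temp\run.ps1
2019-08-07 09:20:00|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288
""".strip()

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and helpers that a document has no business launching directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class ProcessEvent:
    time: str
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return _basename(self.parent_image)

    @property
    def name(self) -> str:
        return _basename(self.image)


@dataclass
class Alert:
    rule: str
    time: str
    parent: str
    child: str
    command_line: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one pipe-delimited record; None for blank or malformed lines."""
    fields = line.split("|", 3)
    if len(fields) != 4:
        return None
    return ProcessEvent(*(f.strip() for f in fields))


def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Apply the two rules to one event; the first match wins."""
    # Rule 1: any child of the Equation Editor. Exploit code running inside
    # EQNEDT32.EXE must start another process to do real work, and the editor
    # itself never needs to. Its own parent is svchost.exe (DCOM launch), so
    # this rule keys on the child's parent, not on an Office application.
    if event.parent_name == EQUATION_EDITOR:
        return Alert("equation-editor-child", event.time,
                     event.parent_name, event.name, event.command_line)
    # Rule 2: an Office application directly launching a shell or script host,
    # the classic macro / embedded-object follow-on.
    if event.parent_name in OFFICE_APPS and event.name in SUSPICIOUS_CHILDREN:
        return Alert("office-spawns-interpreter", event.time,
                     event.parent_name, event.name, event.command_line)
    return None


def scan(log_text: str) -> List[Alert]:
    """Run every record through the rules and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.time} {a.parent} -> {a.child}: {a.command_line}")
```

On the sample data the scan yields two alerts: the cmd.exe child of EQNEDT32.EXE and the PowerShell child of EXCEL.EXE, while the benign Word launch, the Equation Editor start itself and the splwow64.exe print helper pass. Rule 1 is deliberately unconditional on the child's name, since the Equation Editor spawning anything at all is the anomaly; rule 2 needs an allow-list tuned to the environment.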

The Cotx RAT is a C++ Trojan that provides the hackers with traditional remote-access admin features, such as:

  • File operations (reading, writing, copying or deleting files).
  • Transferring system details, like the Windows version, to the C&C server.
  • Taking screenshots.
  • Executing commands through a shell.
  • Controlling other programs by monitoring and closing processes in memory.

None of the above is very original or unique to the Cotx RAT, although malware experts see no samples of the Trojan outside of this campaign. State-sponsored threat actors often prefer Trojans they own exclusively, to improve their chances of evading the cyber-security sector.

When Trojans Need a Fallback Plan

Perhaps the least common aspect of TA428's behavior around the Cotx RAT's deployment is that they don't consider it irreplaceable. Failed attempts at installing the Remote Access Trojan via e-mail were followed by further phishing attacks from the same vector one week later. However, the second attempts used the Poison Ivy backdoor, a well-known and non-exclusive Trojan. It provides backdoor features similar to the Cotx RAT's, suggesting that the hackers are interested in gaining access to targets without necessarily caring much about the methodology.

The Cotx RAT's geographic spread focuses on East Asia and government IT organizations, but its payload is just as threatening to any Windows computer. Victims should disable their Internet connections, detach the PC from the rest of any local networks and change passwords after resolving infections.

Most vendors' anti-malware products should delete the Cotx RAT, and similar RATs, assuming that updated threat databases are in use.

'If at first you don't succeed, try, try again' is the Cotx RAT campaign's motto, much to the detriment of those afflicted by its attacks. Workers who carelessly click on e-mailed attachments with outdated Office software will soon have reason to regret their haste.
