
CRAT

Posted: November 17, 2020

CRAT is the name of a threatening Remote Access Trojan (RAT) that is fully capable of causing mayhem on its own. Recent updates to CRAT, however, have introduced a modular structure that allows its operators to extend its functionality by downloading and deploying plugins. CRAT has previously been observed in campaigns of the infamous Lazarus Advanced Persistent Threat (APT) actors, but it is likely that other cybercrime organizations also have access to the same tools. CRAT's recent update introduced a peculiar new module called 'Hansom', which adds ransomware functionality to the payload and enables the attacker to encrypt data found on the compromised machine.

A Private CRAT Malware Packs a Ransomware Module

Private threats like CRAT tend to be much more advanced than their public counterparts, such as the Abaddon RAT. For example, CRAT includes a wide range of features intended to evade sandbox environments and automated malware detection tools. Furthermore, the modular structure renders it more threatening than typical RATs, since it lets the attacker add capabilities to an existing infection on demand. As mentioned earlier, the 'Hansom' ransomware module of CRAT may prove to be a huge problem because of its ability to render the victim's files inaccessible.

One of the latest campaigns to involve the CRAT malware targeted Korean-based companies, organizations, and individuals. Delivery was carried out via spear-phishing emails containing malicious HWP (Hangul Word Processor) files, a popular word-processing format in the region. When opened, these files would execute hidden code that attempts to exploit vulnerabilities in order to deploy the CRAT malware.

CRAT can Detect Anti-Virus and Firewall Software

Once active, CRAT collects information about the compromised system: hardware and software inventory, installed anti-virus software, operating system version and firewall products, and whether the current user has administrator permissions. The RAT also lists all partitions, folders and files. The malware can collect and exfiltrate files, and it also has the ability to deploy and execute files on the compromised machine. The attackers also can execute arbitrary commands via a reverse shell. Recent updates to the CRAT payload also added a screenshot grabber and keylogging tools.

Files locked by the Hansom ransomware module cannot be decrypted without the attacker's key, and the module uses a peculiar mechanism to lock them. It places the files in a password-protected archive and then encrypts that archive with a public RSA key. A decryption tool is delivered alongside the payload, but it will only work if the correct key is supplied. The names of encrypted files remain unchanged, and the CRAT malware drops the 'HANSOM_READMME.txt' ransom message. The attackers demand a ransom payment in Bitcoin and provide the email addresses keepcredit015@protonmail.com and honestman023@protonmail.com for contact.
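The locking scheme above leaves two artifacts an incident responder can look for on a suspect host: the ransom note with the filename quoted in this write-up, and files whose contents have become near-random because they are now an RSA-wrapped, password-protected archive rather than a document. The following triage helper is an added example written for this page; it is not CRAT's or Hansom's code and it does not come from the original write-up. The entropy threshold, the 1 MiB sampling limit and the constructed sample directory are assumptions chosen for illustration.

```python
"""Added triage helper (not part of the original write-up, not CRAT's code).

Walks a directory tree looking for two artifacts described in the write-up:
  1. the ransom note dropped by the Hansom module ('HANSOM_READMME.txt',
     spelled exactly as the write-up gives it), and
  2. files whose byte distribution is near-random, which is what an
     RSA-encrypted, password-protected archive looks like on disk.

High entropy alone is not proof of encryption (compressed media and
legitimate archives score high too), so the output is a candidate list
for an analyst, not a verdict.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE_NAME = "HANSOM_READMME.txt"  # filename as given in the write-up
ENTROPY_THRESHOLD = 7.9                   # bits per byte; assumption, tune per estate
SAMPLE_BYTES = 1 << 20                    # read at most 1 MiB per file (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the first SAMPLE_BYTES of the file are near-random."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    # Very small samples give unreliable entropy estimates; skip them.
    if len(head) < 256:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Return {'notes': [...], 'candidates': [...]} for the tree under root."""
    notes, candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
            elif looks_encrypted(full):
                candidates.append(full)
    return {"notes": sorted(notes), "candidates": sorted(candidates)}


def make_constructed_sample() -> str:
    """Build a constructed (not real) directory: one note, one plain text
    file, one file of random bytes standing in for a locked archive."""
    root = tempfile.mkdtemp(prefix="hansom_triage_")
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("constructed placeholder note\n")
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("quarterly figures, plain text\n" * 100)
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(os.urandom(16384))  # stands in for the encrypted archive
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()
    result = triage(target)
    print(f"ransom notes found: {len(result['notes'])}")
    for p in result["notes"]:
        print("  note:", p)
    print(f"high-entropy candidates: {len(result['candidates'])}")
    for p in result["candidates"]:
        print("  candidate:", p)
```

Run it with a directory argument to scan a mounted image or a suspect user profile; without an argument it scans its own constructed sample. Because the file names are unchanged after locking, the note filename and the entropy check are the only cheap on-disk signals; cross-check candidates against file magic bytes and backup copies before declaring a file lost.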

It is becoming a common trend among high-profile malware developers to integrate additional features into projects like CRAT. Thankfully, this does not change anything when it comes to preventive measures. Keeping your network and computers protected by up-to-date anti-malware and firewall services should help prevent attacks from CRAT and similar threats.
