
ExileRAT

Posted: February 7, 2019

ExileRAT is a Remote Access Trojan that gives threat actors control over an infected computer by sending commands to the program over a network. ExileRAT is designed for stealthy installation and persistence, so users may see no symptoms even while criminals have effectively complete control over the system. Victims should use dedicated anti-malware solutions to protect their PCs and remove ExileRAT, and avoid its infection vector: Tibet-themed e-mail attachments.

A Trojan Seeking those in Exile

With the campaigns of threats like the Gresim backdoor Trojan and the kit-based Gh0st, supporters of an independent Tibet show a pattern of being targeted for espionage. Unsurprisingly, 2019 brings another entry to this pile of threatening software infiltrating the PCs of users matching that profile. ExileRAT, however, does so particularly efficiently: it targets e-mail addresses that are signed up to the CTA (Central Tibetan Administration) mailing list.

How the criminals harvested these addresses is not yet known, but ExileRAT's attacks show that its actors are paying attention to the CTA's Web presence. The e-mail messages carry slideshow conversions of an authentic CTA document that disputes Tibet's ever having been a part of China. While the slideshow's content is genuine, the file also carries an embedded exploit that uses malicious JavaScript to drop ExileRAT onto the recipient's PC.

Malware researchers can confirm some of the most common RAT features in ExileRAT, such as:

  • ExileRAT collects and transmits system information useful to the attacker, such as the network adapter type, all available drives, and the running processes.
  • ExileRAT can launch files at will and terminate unwanted processes, presumably including security-related ones.
  • ExileRAT can download other files onto the PC and execute them, which gives other threats with more specific payloads than the RAT access to the machine.

This set of features lets criminals operate for harvesting information from the computer unobtrusively and maintaining long-term control over it.

Exiling Backdoor Problems Out of Your Computer

As noted above, ExileRAT is far from a statistical anomaly; independent Tibet supporters are periodic targets of various attacks that invariably specialize in collecting information and monitoring the PC's usage over the long term. ExileRAT even reuses part of the infrastructure of the LuckyCat RAT, a separate threat with very similar attacks.

A Microsoft-issued security update blocks the vulnerability that ExileRAT's installation attack exploits in its slideshow file. Users can further protect their PCs by scanning e-mail attachments with appropriate security tools before opening them, which also helps block other threats, such as file-locking Trojans. Since this high-level threat includes notable stealth features, users should respond to an infection by disabling network connectivity, removing ExileRAT with an anti-malware product, and changing their security information (logins, passwords, etc.).
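The attachment-screening advice above, as an added example that is not from the original post or any vendor: a Python triage check for an OOXML slideshow that flags relationships pointing outside the archive and embedded binary objects. The page does not state which slideshow feature the exploit uses, so these heuristics are an assumption, and the sample archive and the attacker.invalid URL are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def triage_slideshow(data: bytes) -> list:
    """Return a list of findings for an OOXML slideshow (.ppsx/.pptx) blob.

    Two things are flagged: relationships whose target is external to the
    archive (the file will reach out somewhere when opened) and embedded
    binary objects. Either one in an unsolicited attachment is a reason to
    open the file only in a sandbox, if at all. Assumption: these heuristics
    are the editor's, not a description of ExileRAT's actual dropper.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name.startswith("ppt/embeddings/") and not name.endswith("/"):
                findings.append("embedded object: " + name)
            if name.endswith(".rels"):
                root = ET.fromstring(archive.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    if rel.get("TargetMode") == "External":
                        findings.append("external target in %s: %s" % (name, rel.get("Target")))
    return findings


def build_sample(external_target=None, embed_object=False) -> bytes:
    """Constructed, minimal archive for testing; real slideshows hold many more parts."""
    rels = ['<Relationships xmlns="%s">' % REL_NS,
            '<Relationship Id="rId1" Type="%sslide" Target="slides/slide1.xml"/>' % OFFICE_REL]
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%soleObject" Target="%s" TargetMode="External"/>'
                    % (OFFICE_REL, external_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("ppt/slides/slide1.xml", "<sld/>")
        archive.writestr("ppt/_rels/presentation.xml.rels", "".join(rels))
        if embed_object:  # constructed stand-in for an embedded OLE part
            archive.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_slideshow(build_sample("http://attacker.invalid/stage", True)):
        print(finding)
```

This is a pre-check for sorting attachments before they are opened; the anti-malware scan the text recommends still does the actual detection.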

Tibet's reputation as a hotspot for contentious politics isn't an unearned one. Anyone with a vested interest in the region should keep in mind that propaganda, espionage, and even warfare extend to the cyber-security landscape just as much as they take place in the 'real' world.
