
Saefko

Posted: August 12, 2019

Saefko is a Remote Access Trojan that provides modular support for attacks within the threat actor's specifications. These capabilities include notable data exfiltration and monitoring the user's Web-browsing activities. Safe response to an attack includes disabling Internet connectivity and removing Saefko with a suitable anti-malware tool, before changing any collected credentials.

Crime for Hire, Module by Module

'Rental' Trojans are a large part of the underground marketplace for Black Hat software. This business model is the foundation of Ransomware-as-a-Service families like the Scarab Ransomware and the Djvu Ransomware, along with spyware and RAT equivalents. Saefko is a much less-specialized example of a Remote Access Trojan that gives its renting criminals everything that they want, one deployable module at a time.

One of the first features malware analysts are emphasizing about Saefko is its cross-compatibility, which is a significant advantage in the RAT market. It can install itself and maintain Registry persistence in both Windows and Android devices. Initially, it monitors the user's Chrome history for activity related to many websites and transfers the statistics to its C&C. Sites under its umbrella for spying include retailers like Amazon and Macy's, financial domains like Paypal or Investing.com, social media services, popular online games, and cryptocurrency (Bitcoin, Monero, etc.).

However, this function is only the opening 'setup' stage of Saefko. The threat actor then decides which of Saefko's modules to deploy, based on the victim's browsing history. Each module contains a compartmentalized set of attacks, including:

  • One of them turns Saefko into a worm: it copies the Trojan to removable or network-shared devices, letting it infect other systems.
  • Another component performs one of the most common RAT behaviors: collecting statistics about the system environment (such as the OS version) and sending them to the C&C to facilitate further attacks.
  • A third provides keylogging: it records typed keystrokes into a text file for later theft.
  • Most of Saefko's flexibility lies in its last module, an IRC-based C&C tool. It lets the Trojan download or upload files and facilitates additional attacks, including the transfer of collected data (such as the keylogger's output) back to the attacker.

Staying Safe from a Saefko Agent

Since the Trojan tries to avoid letting victims know that it's scraping information, traces of Saefko's ongoing attacks are minimal for any infected PC (or smartphone) user. Besides the usual network activity, users can search for the initial 'saefkoagent.exe' file or the Trojan's associated Registry entries. Note that Saefko does include a disguise that makes it resemble a part of Windows, such as Explorer, according to the filename.
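The two indicators named above (the 'saefkoagent.exe' filename and Registry persistence, possibly under an Explorer-like filename) can be checked with a short triage script. The script below is an added example written for this page, not code from the article or from any analysis of the Trojan itself; it assumes that persistence is set through the standard per-user and per-machine Run/RunOnce keys (the article does not name the exact keys) and that the disguise filename is explorer.exe, so both are labelled as assumptions in the comments and should be adjusted to match whatever an analyst actually finds.

```powershell
# Added triage script (not from the original article). Lists autorun entries in the
# common Run/RunOnce keys, flags any that reference saefkoagent.exe or that launch an
# "explorer.exe" from outside the Windows directory, and searches the user profile and
# ProgramData for a file named saefkoagent.exe.
# Assumptions: Saefko persists via these standard Run keys (the article only says
# "Registry entries"), and the Explorer disguise uses the filename explorer.exe.

function Get-AutorunEntry {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds for provider metadata, not real values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-SuspiciousAutorun {
    param([Parameter(Mandatory)][string]$Command)
    $reasons = @()
    if ($Command -match '(?i)saefkoagent\.exe') {
        $reasons += 'references saefkoagent.exe (filename cited for the initial Saefko file)'
    }
    # Pull the executable path out of the command line: a quoted path or the first token.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $systemRoot = $env:SystemRoot   # normally C:\Windows
    if ($systemRoot -and $exe -match '(?i)(^|\\)explorer\.exe$' -and
        -not $exe.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)) {
        # Assumption: the disguise uses the filename explorer.exe; a real Explorer
        # autorun from outside %SystemRoot% is not expected on a normal system.
        $reasons += "explorer.exe launched from outside $systemRoot ($exe)"
    }
    return $reasons
}

# Registry persistence report.
Get-AutorunEntry | ForEach-Object {
    $reasons = @(Test-SuspiciousAutorun -Command $_.Command)
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Key = $_.Key; Name = $_.Name; Command = $_.Command
            Reason = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize -Wrap

# On-disk search for the named file in the usual user-writable locations.
$roots = @($env:USERPROFILE, $env:ProgramData) | Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $roots -Recurse -Filter 'saefkoagent.exe' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit on either check is a reason to pull the network cable first (as the article recommends) and then run a full anti-malware scan, rather than deleting the entry by hand and assuming the other modules are gone.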

Because it's a for-hire threat, the infection vectors used in Saefko attacks are unpredictable. Threat actors may use psychological leverage, such as fake invoices or downloads for movies and game cracks, as ways of installing the Remote Access Trojan on targeted or random victims. Its list of monitored websites is equally applicable to high-value corporate employees and casual PC users.

Users should disable Internet connections as soon as possible since doing so stops Saefko from exfiltrating any intelligence, as well as cutting off the orders from its Command & Control server. Anti-malware programs should remain effective at deleting Saefko on sight, similarly to other RATs.

Phones and desktops are both at risk from Saefko, which is a flexible tool for illegality, limited only by its operator's preferences. Whether one's device becomes a cog in Saefko's profiteering is entirely up to the owner.
