
Sisfader RAT

Posted: March 24, 2020

Sisfader RAT is a Remote Access Trojan (RAT) that was first seen online in April 2018. The threat was propagated with the help of maliciously crafted RTF documents that exploited the CVE-2017-8570 vulnerability to deploy the payload and set off the attack. The payload was identified as a previously unknown Remote Access Trojan, which was given the name Sisfader. Its feature set is not entirely typical: alongside the abilities of a regular RAT, it has some extra features that are rather unconventional.

The attack method that the operators of the Sisfader RAT used in their 2018 campaign is not a surprising one: their targets received an email message that claimed to contain an important RTF document as an attachment. The authors crafted a decoy document written in Russian whose purpose was to keep the recipient occupied while the Sisfader RAT was fulfilling its purpose in the background.

The Sisfader RAT Uses Microsoft Word to Load Its Modules

The first interesting trick that the Sisfader RAT had up its sleeve is the ability to evade sandbox environments by delaying its start. When the payload is deployed, it drops a file into the Microsoft Word 'STARTUP' directory and then ceases its activity. By doing this, the Sisfader RAT ensures that it will not run until Microsoft Word is opened, which is typically after an automated sandbox has already finished its analysis. This sort of delayed start is not a complicated feature to implement, but it shows that the authors of the Sisfader RAT are familiar with some of the basic concepts of sandbox evasion.
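As an added defender's check (not code from the original page or from the Sisfader authors), the following Python script enumerates the Word STARTUP folders that this delayed-start trick relies on and reports every file Word would auto-load from them, so an unexpected template or add-in library stands out. The per-user folder path is the standard one; the Office install folder path and the contents of the sample folder are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# File types Word loads automatically from its STARTUP folders: global
# templates (.dot/.dotx/.dotm) and Word add-in libraries (.wll).
AUTOLOAD_SUFFIXES = frozenset({".dot", ".dotx", ".dotm", ".wll"})

def default_startup_dirs():
    """Word STARTUP folders to inspect. Assumed paths: the per-user folder is
    standard, the Office install folder varies by version (adjust as needed)."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"], "Microsoft", "Word", "STARTUP"))
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        if os.environ.get(var):
            dirs.append(Path(os.environ[var], "Microsoft Office", "root", "Office16", "STARTUP"))
    return dirs

def scan_startup_dir(directory, allowlist=frozenset()):
    """Return (path, size, reason) for every file in a STARTUP folder that is not
    allowlisted. Auto-loaded types are what give a dropped payload its
    Word-triggered delayed start; other file types do not belong there either."""
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.name.lower() in allowlist:
            continue
        suffix = entry.suffix.lower()
        if suffix in AUTOLOAD_SUFFIXES:
            reason = f"auto-loaded by Word on launch ({suffix})"
        else:
            reason = f"unexpected file type in STARTUP ({suffix or 'none'})"
        findings.append((str(entry), entry.stat().st_size, reason))
    return findings

def make_sample_startup_dir():
    """Constructed sample folder (no real malware): one benign template, two strays."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    (d / "Normal.dotm").write_bytes(b"PK" + b"\0" * 30)  # allowlisted template
    (d / "Helper.wll").write_bytes(b"MZ" + b"\0" * 62)   # add-in library, auto-loaded
    (d / "update.dll").write_bytes(b"MZ" + b"\0" * 14)   # not something Word loads
    return d

if __name__ == "__main__":
    for folder in default_startup_dirs() + [make_sample_startup_dir()]:
        for path, size, reason in scan_startup_dir(folder, allowlist={"normal.dotm"}):
            print(f"{reason:45} {size:>8} {path}")
```

Run it on a known-clean machine first to build the allowlist of templates that legitimately live in those folders, then compare against it on the hosts you are investigating.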

Once the Sisfader RAT is started, it establishes persistence by modifying the Windows Registry. The operators of the Sisfader RAT can then make use of the following functionality:

  • Start processes on the remote host.
  • Receive software and hardware information.
  • Check for the presence of specific files or directories.
  • Copy files from the control server to the remote host.
  • Collect files from the infected computer.
  • Delete files.
  • Update the Sisfader RAT payload.

The Sisfader RAT is not a public hacking tool, and this is one of the main reasons why this threat has not shown remarkable activity since its first appearance in 2018. Computers that have reputable anti-malware protection in place are likely to be safe from attacks like the one that the Sisfader RAT carries out.