Gmail used by ComRAT malware to receive commands and exfiltrate data

Gmail’s web interface is being used by ComRAT to receive commands and to steal and exfiltrate data from targeted systems.

The latest version of the malware uses an entirely new code base and is far more complex than its earlier variants. ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors.

The PowerShell loader injects a module called the ComRAT orchestrator into the web browser. The orchestrator employs two different channels — a legacy mode and an email mode — to receive commands from a C2 server and exfiltrate information to the operators.

The main purpose of ComRAT is discovering, stealing, and exfiltrating confidential documents. In some cases ComRAT was found to interact with a central MS SQL Server database on the victim’s system that held the organization’s documents.

ComRAT uses Gmail messages to download attachments onto the targeted system. These attachments are not documents: they carry commands that ComRAT executes at different points to perform their designated malicious tasks.

The exfiltrated data comprises user details and security-related log files, which let the operators check whether their malware samples were detected during a scan of the infected systems. Because its traffic goes to Gmail rather than to an attacker-controlled domain, ComRAT does not rely on any malicious domain, which allows it to bypass the domain-based security checks the target uses to stay secure.

Use NPAV and join us on a mission to secure the cyber world.
