SectopRAT is a remote access trojan built on the .NET framework that gives attackers the ability to remotely control infected systems. It is primarily designed to harvest sensitive data, such as browsing history and cryptocurrency wallet information, and is commonly spread through malicious advertisements and compromised websites. After installation, SectopRAT establishes an encrypted connection to its command servers, making its activity harder for security tools to detect. Since its discovery in 2019, SectopRAT has continuously adapted, affecting organizations with weak security measures.
Description
SectopRAT is a remote access trojan (RAT) built on the .NET framework, specifically targeting Windows operating systems, and designed to give attackers unauthorized control over infected systems. Its primary function is to steal sensitive data, such as browser history and cryptocurrency wallet credentials. Upon installation, it can create a concealed secondary desktop, enabling attackers to monitor and manipulate browser activities without detection.
The trojan is commonly distributed through malvertising, where deceptive ads direct users to harmful sites, and drive-by download attacks, which occur when users unknowingly download the malware while browsing compromised websites. These malicious ads can appear alongside trusted brands, such as Slack or NordVPN, or even on adult sites. In some cases, users are initially shown legitimate product pages that eventually redirect to fraudulent ones mimicking authentic products. SectopRAT is often delivered by malware loaders, such as EugenLoader.
Microsoft has also reported that SectopRAT is distributed through phishing campaigns targeting Microsoft Teams. Attackers use Teams calls and phishing messages containing malicious attachments to deliver SectopRAT and other malicious payloads to victims.
Once installed, SectopRAT establishes encrypted communication with command-and-control (C2) servers, making its activities difficult for security solutions to detect or analyze. The malware uses specific IP addresses and ports to create these connections, further complicating detection.
After gaining access to the compromised system, SectopRAT scans for valuable data, focusing on web browsers and cryptocurrency wallets. By extracting sensitive information such as login credentials, passwords, and cookies, attackers can engage in a variety of malicious activities, including stealing funds or launching additional attacks.
To avoid detection, SectopRAT uses multiple layers of packing and employs techniques to detect and evade virtual machines (VMs) and emulators, hindering analysis in controlled security environments. Its encrypted C2 communications further obscure the nature of the stolen data, complicating incident response efforts.
Active since 2019, SectopRAT has evolved over time, allowing it to remain a persistent threat. It primarily targets organizations with weak cybersecurity defenses, impacting a wide range of sectors. It is also known by other names, including Asatafar, ArechClient, and 1xxbot.
SectopRAT has been observed as part of complex attack chains involving additional malware and ransomware. Microsoft Threat Intelligence has linked SectopRAT to attacks that deploy BlackSuit ransomware. In 2023, Cyble Research and Intelligence Labs (CRIL) discovered a sophisticated attack chain in which the LummaC information stealer loaded an Amadey bot, which then deployed SectopRAT as the final payload. This multi-stage attack enabled remote access, data theft, and covert manipulation of browser sessions on compromised systems.
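Because the C2 infrastructure described above is identified by fixed IP addresses and ports, the practical detection step is to refang the defanged indicators from a report (the `a.b.c[.]d` style) and match them against outbound connection logs. The example below is added here and is not code from the original profile or from any vendor; the indicators (TEST-NET addresses), the port numbers and the key=value log format are all constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed placeholder C2 indicators in the defanged style used in threat
# reports. These are TEST-NET addresses, not real SectopRAT infrastructure.
DEFANGED_C2_IOCS = ["192.0.2[.]10", "198.51.100[.]7", "hxxp://203.0.113[.]5:4443/"]

# Constructed firewall log lines (assumed key=value layout, not a real product's schema).
SAMPLE_FIREWALL_LOG = """\
2024-05-01T10:02:11Z action=allow src=10.0.0.25 dst=192.0.2.10 dport=4443 proto=tcp
2024-05-01T10:02:13Z action=allow src=10.0.0.25 dst=142.250.72.14 dport=443 proto=tcp
2024-05-01T10:05:40Z action=deny src=10.0.0.31 dst=203.0.113.5 dport=4443 proto=tcp
2024-05-01T10:06:02Z action=allow src=10.0.0.40 dst=198.51.100.7 dport=9001 proto=tcp
"""

_DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

def refang(indicator: str) -> str:
    """Undo common defanging: 'a.b.c[.]d' -> 'a.b.c.d', 'hxxp://' -> 'http://'."""
    s = _DEFANG_RE.sub(".", indicator.strip())
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s

def extract_ip(indicator: str) -> Optional[str]:
    """Pull a valid IPv4 address out of a refanged indicator (bare IP or URL)."""
    m = _IPV4_RE.search(refang(indicator))
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))  # rejects octets > 255
    except ValueError:
        return None

def load_ioc_set(indicators: Iterable[str]) -> Set[str]:
    return {ip for ip in (extract_ip(i) for i in indicators) if ip}

def find_c2_connections(log_text: str, iocs: Set[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (timestamp, src, dst, dport, action) for every line whose destination is a known C2.
    Denied attempts are reported too: a blocked connection still marks the source host as likely infected."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m.group("dst") in iocs:
            hits.append((m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport")), m.group("action")))
    return hits

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_FIREWALL_LOG, load_ioc_set(DEFANGED_C2_IOCS)):
        print("possible SectopRAT C2 contact:", hit)
```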
Indicators of Compromise
IPs: