Saturday, November 29, 2025

New GodRAT Malware Uses Screensaver and Program Information Files to Target Organizations


Threat actors have been deploying a novel Remote Access Trojan (RAT) dubbed GodRAT, derived from the venerable Gh0st RAT codebase, to infiltrate financial institutions, notably trading and brokerage firms.

The malware is distributed via Skype as malicious .scr (screensaver) and .pif (Program Information File) executables masquerading as legitimate financial documents, such as client lists or transaction data.

This tactic exploits user trust in seemingly innocuous file types, enabling initial access.

Evolution of Gh0st RAT

GodRAT represents an evolution of the AwesomePuppet backdoor reported in 2023, sharing code similarities and distribution methods, and is likely linked to the Winnti APT group.

Attackers use steganography to hide shellcode inside image files; once extracted and executed, that shellcode downloads the RAT from a Command-and-Control (C2) server.

Once deployed, GodRAT supports plugin-based extensions, with the FileManager plugin used for reconnaissance of victim systems and for deploying secondary payloads such as browser password stealers and AsyncRAT for persistent access.

The campaign remained active as of August 12, 2025, with detections spanning Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, pointing to a deliberate focus on Middle Eastern and Asian financial entities.

The technical implementation of GodRAT is intricate, beginning with shellcode loaders that inject malicious code into legitimate processes.

GodRAT.h

One loader variant XOR-decodes embedded shellcode using a hardcoded key such as "OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB" and executes it in a newly allocated memory section.

Targets Financial Sector

Another self-extracting executable embeds several files, including a signed SDL2.dll loader (MD5: 512778f0de31fcce281d87f00affa4a8) that extracts shellcode from JPG images depicting financial details and injects it via Valve.exe, a legitimate binary signed with an expired DigiCert certificate.

Content of the self-extracting executable

According to Kaspersky's report, the shellcode searches for "godinfo" strings, decodes the C2 configuration with the XOR key 0x63, and fetches a second-stage payload containing a UPX-packed GodRAT DLL (internal name: ONLINE.dll).
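The two XOR schemes described above (the repeating string key used by the first loader variant, and the single-byte key 0x63 applied to the configuration that follows the "godinfo" marker) are simple enough to reimplement as an analyst's decoder. The following is an added example written for this page, not code from Kaspersky's report or from the malware. The sample blob is constructed; the page gives only the key and the marker, so the layout of the configuration block (a NUL-terminated host:port string immediately after the marker) is an assumption. The last function generalises beyond the 0x63 case by brute-forcing an unknown single-byte key.

```python
"""XOR decoders for the two schemes the write-up attributes to the GodRAT
loaders: embedded shellcode XORed with a repeating string key, and a C2
configuration XORed with the single byte 0x63 after a "godinfo" marker.

Added example for this article, not code from Kaspersky or the malware.
The blob built by build_sample_payload() is constructed, and the layout of
the configuration block (a NUL-terminated host:port string right after the
marker) is an assumption; the page gives only the key and the marker.
"""
import re

LOADER_KEY = b"OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB"  # key quoted in the article
CONFIG_MARKER = b"godinfo"
CONFIG_XOR_KEY = 0x63
HOST_PORT_RE = re.compile(rb"[A-Za-z0-9.-]+:\d{1,5}")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key. XOR is its own inverse, so the
    same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ (key & 0xFF) for b in data)


def decode_embedded_shellcode(blob: bytes, key: bytes = LOADER_KEY) -> bytes:
    """Recover the shellcode the first loader variant embeds."""
    return xor_repeating(blob, key)


def extract_godinfo_config(payload: bytes, key: int = CONFIG_XOR_KEY):
    """Find the 'godinfo' marker, decode the bytes after it with the single-
    byte key and parse the assumed host:port string. Returns None if the
    marker is absent or the decoded text does not look like a C2 address."""
    idx = payload.find(CONFIG_MARKER)
    if idx < 0:
        return None
    dec = xor_single(payload[idx + len(CONFIG_MARKER):], key)
    end = dec.find(b"\x00")
    if end <= 0:
        return None
    text = dec[:end]
    if not HOST_PORT_RE.fullmatch(text):
        return None
    host, _, port = text.decode("ascii").partition(":")
    return {"marker_offset": idx, "c2_host": host, "c2_port": int(port)}


def recover_single_byte_key(encoded: bytes) -> list:
    """Generalisation for a sample whose single-byte key is unknown: try all
    256 keys and keep those whose decoding yields a NUL-terminated host:port.
    A plaintext NUL decodes to NUL only under the right key, which keeps the
    candidate list short."""
    hits = []
    for k in range(256):
        dec = xor_single(encoded, k)
        end = dec.find(b"\x00")
        if end > 0 and HOST_PORT_RE.fullmatch(dec[:end]):
            hits.append(k)
    return hits


def build_sample_payload(host: str, port: int, key: int = CONFIG_XOR_KEY) -> bytes:
    """Constructed stand-in for a second-stage blob: padding, marker, config."""
    config = f"{host}:{port}".encode("ascii") + b"\x00"
    return b"\x90" * 16 + CONFIG_MARKER + xor_single(config, key) + b"\xcc" * 8


if __name__ == "__main__":
    sample = build_sample_payload("198.51.100.7", 443)
    print(extract_godinfo_config(sample))
    tail = sample[sample.find(CONFIG_MARKER) + len(CONFIG_MARKER):]
    print([hex(k) for k in recover_single_byte_key(tail)])
```

On a real second-stage blob, run extract_godinfo_config() first; if it returns None, the field layout differs from the assumption here and recover_single_byte_key() on the bytes after the marker shows whether a single-byte key still fits before you look for a different structure.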

This DLL exports a "run" function that checks its command-line arguments and typically injects into processes such as curl.exe or cmd.exe when launched with the "-Puppet" parameter, a nod to its AwesomePuppet heritage.

GodRAT collects system information, including OS details, hostname, PID, user accounts, and the presence of antivirus products, compressing the data with zlib and XOR-encoding it three times before transmission to the C2.

Supported commands include plugin injection (e.g., FileManager for drive enumeration, file operations, and 7-Zip execution), process creation on the default desktop, and opening URLs via Internet Explorer.

Secondary implants amplify the threat: Chrome and MS Edge password stealers (MD5s: 31385291c01bb25d635d098f91708905 and cdd5c08b43238c47087a5d914d61c943) extract credentials from the browsers' SQLite databases and Local State files and save them as plain text.

AsyncRAT injectors (e.g., MD5: 605f25606bb925d61ccc47f0150db674) decode and inject C# binaries after patching AMSI and ETW functions for evasion.
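Patching AMSI and ETW functions leaves a visible trace: the first bytes of the patched function in process memory no longer match the bytes of the same function in the DLL on disk. The following added example (written for this page, not code from the report or the injector) compares the two views and names the stub it finds. The prologue byte strings are constructed for the example rather than copied from a specific Windows build, and the snippet does not read a live process; on a real host the two views would come from a memory dump and the on-disk image.

```python
"""Prologue-integrity check for the kind of in-memory patching the write-up
attributes to the AsyncRAT injector (AMSI and ETW functions patched before
the C# payload is injected).

Added example for this article, not code from the report or the malware.
It compares the first bytes of a function as seen in a process with the
same bytes from the DLL on disk and names well-known patch stubs. The
SAMPLE_* byte strings are constructed; on a real host the two views come
from a memory dump and the on-disk image, which this offline snippet does
not read.
"""
from dataclasses import dataclass
from typing import Optional

PROLOGUE_LEN = 16

# Patch stubs that appear in public AMSI/ETW bypasses (standard x86/x64
# encodings). Longest match wins; the list is illustrative, not exhaustive.
KNOWN_STUBS = {
    bytes.fromhex("b857000780c3"): "mov eax,0x80070057; ret (E_INVALIDARG, AmsiScanBuffer-style)",
    bytes.fromhex("4833c0c3"): "xor rax,rax; ret",
    bytes.fromhex("33c0c3"): "xor eax,eax; ret",
    bytes.fromhex("31c0c3"): "xor eax,eax; ret",
    bytes.fromhex("c3"): "ret (early return, EtwEventWrite-style)",
}


@dataclass
class PatchFinding:
    function: str
    patched: bool
    first_diff: Optional[int]   # offset of the first mismatching byte
    stub: Optional[str]         # recognised stub, if any


def identify_stub(prologue: bytes) -> Optional[str]:
    for stub, desc in sorted(KNOWN_STUBS.items(), key=lambda kv: -len(kv[0])):
        if prologue.startswith(stub):
            return desc
    return None


def check_prologue(function: str, in_memory: bytes, on_disk: bytes,
                   n: int = PROLOGUE_LEN) -> PatchFinding:
    """Flag a function whose in-memory prologue differs from the on-disk one.
    Caveat: bytes that legitimately change at load time (absolute addresses
    fixed up by relocations, hot-patch stubs) must be masked by the caller;
    this example assumes a position-independent prologue."""
    mem, disk = in_memory[:n], on_disk[:n]
    if mem == disk:
        return PatchFinding(function, False, None, None)
    limit = min(len(mem), len(disk))
    first = next((i for i in range(limit) if mem[i] != disk[i]), limit)
    return PatchFinding(function, True, first, identify_stub(mem))


def scan_exports(in_memory: dict, on_disk: dict) -> list:
    """Run check_prologue over every function present in both views and
    return only the patched ones."""
    names = sorted(in_memory.keys() & on_disk.keys())
    return [f for f in (check_prologue(n, in_memory[n], on_disk[n]) for n in names)
            if f.patched]


# Constructed prologues (not byte-exact copies of any Windows build).
SAMPLE_DISK = {
    "AmsiScanBuffer": bytes.fromhex("4c8bdc49895b0849896b104989731857"),
    "EtwEventWrite": bytes.fromhex("4883ec48488b4424604c8bd14889442438"),
    "AmsiOpenSession": bytes.fromhex("4885c9740f488b0148"),
}
SAMPLE_MEMORY = {
    "AmsiScanBuffer": bytes.fromhex("b857000780c3") + SAMPLE_DISK["AmsiScanBuffer"][6:],
    "EtwEventWrite": b"\xc3" + SAMPLE_DISK["EtwEventWrite"][1:],
    "AmsiOpenSession": SAMPLE_DISK["AmsiOpenSession"],   # untouched control
}

if __name__ == "__main__":
    for finding in scan_exports(SAMPLE_MEMORY, SAMPLE_DISK):
        print(finding)
```

The check is deliberately narrow: it reports only the functions that differ and, where possible, the stub that was written, so a hit on amsi.dll!AmsiScanBuffer or ntdll.dll!EtwEventWrite in a process that should never modify those DLLs is a strong signal on its own.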

Source code analysis confirms GodRAT's direct descent from Gh0st RAT, with a builder that lets operators customise the output, for example as an executable named svchost.exe or as a .scr/.pif file.

Differences from AwesomePuppet include enhanced C2 packet handling with a "route" field, underscoring the iterative improvement of legacy malware.

The persistence of Gh0st-derived tools, nearly 20 years after the original codebase appeared, underscores the enduring appeal of customizable implants for APT operations; organizations should monitor for anomalous Skype file deliveries, unusual process injections, and C2 communications.
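The behaviours this write-up describes translate into a handful of triage rules: .scr/.pif files written by Skype, a screensaver or PIF executing from a user-writable location, curl.exe or cmd.exe spawned by such a file or launched with the "-Puppet" switch, and a chrome.exe placed directly under %ALLUSERSPROFILE%\google\ (the placement listed in the indicators). The following is an added example for this page, not a vendor rule or code from the report. The events are constructed, and the field names (image, parent_image, command_line, target) and the Skype process names are assumptions, loosely modelled on Sysmon process-create and file-create records.

```python
"""Triage rules for the behaviours the write-up says defenders should watch:
.scr/.pif payloads dropped through Skype, GodRAT's "-Puppet" switch on a
host process such as curl.exe or cmd.exe, and the Chrome stealer placed at
%ALLUSERSPROFILE%\\google\\chrome.exe.

Added example for this article, not a vendor rule or code from the report.
The events in SAMPLE_EVENTS are constructed; the field names are assumed
and loosely follow Sysmon process-create (ID 1) and file-create (ID 11)
records. The Skype process names are also an assumption.
"""
import ntpath
import re

SKYPE_IMAGES = {"skype.exe", "skypeapp.exe"}      # assumed Skype process names
HOST_PROCESSES = {"curl.exe", "cmd.exe"}           # injection hosts named in the article
DROPPER_EXTS = (".scr", ".pif")
PUPPET_RE = re.compile(r"(?:^|\s)-puppet(?:\s|$)", re.IGNORECASE)
# %ALLUSERSPROFILE% resolves to C:\ProgramData on default installs; the real
# browser lives under \Google\Chrome\Application\, never directly in ProgramData.
FAKE_CHROME_RE = re.compile(r"\\programdata\\google\\chrome\.exe$", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events):
    """Return one finding per (rule, event) match. Each event is a dict with
    'id', 'type' ('process' or 'file') and the fields used below."""
    findings = []
    for ev in events:
        def hit(rule, ev=ev):
            findings.append({"rule": rule, "event": ev["id"]})

        if ev["type"] == "file":
            target = ev["target"]
            if _base(ev["image"]) in SKYPE_IMAGES and target.lower().endswith(DROPPER_EXTS):
                hit("skype_scr_pif_drop")
            if FAKE_CHROME_RE.search(target):
                hit("fake_chrome_path")
        elif ev["type"] == "process":
            image, parent = ev["image"], ev.get("parent_image", "")
            if image.lower().endswith(DROPPER_EXTS) and "\\windows\\" not in image.lower():
                hit("scr_pif_outside_windows")   # screensavers normally live under \Windows\
            if _base(image) in HOST_PROCESSES and parent.lower().endswith(DROPPER_EXTS):
                hit("host_process_from_scr_pif")
            if PUPPET_RE.search(ev.get("command_line", "")):
                hit("godrat_puppet_switch")
            if FAKE_CHROME_RE.search(image):
                hit("fake_chrome_path")
    return findings


# Constructed events: 1-4 reproduce the chain described in the article,
# 5-7 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file",
     "image": r"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe",
     "target": r"C:\Users\alice\Downloads\Client_List_2025.scr"},
    {"id": 2, "type": "process", "image": r"C:\Users\alice\Downloads\Client_List_2025.scr",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\alice\Downloads\Client_List_2025.scr"'},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Users\alice\Downloads\Client_List_2025.scr",
     "command_line": "curl.exe -Puppet"},
    {"id": 4, "type": "process", "image": r"C:\ProgramData\google\chrome.exe",
     "parent_image": r"C:\Windows\System32\curl.exe",
     "command_line": r"C:\ProgramData\google\chrome.exe"},
    {"id": 5, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe --profile-directory=Default"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\scrnsave.scr",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "command_line": "scrnsave.scr /s"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "curl.exe -s https://example.invalid -o out.bin"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The rules are ordered from delivery to post-exploitation so that a single host producing hits 1 through 4 in sequence reads as the full chain; individually, the "-Puppet" switch and the ProgramData chrome.exe path are the most specific and the least likely to fire on benign activity.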

Indicators of Compromise

Type        Indicator                               Description
MD5 Hash    d09fd377d8566b9d7a5880649a0192b4        GodRAT Shellcode Injector
MD5 Hash    512778f0de31fcce281d87f00affa4a8        GodRAT Shellcode Loader DLL
MD5 Hash    8008375eec7550d6d8e0eaf24389cf81        GodRAT DLL
MD5 Hash    31385291c01bb25d635d098f91708905        Chrome Password Stealer
MD5 Hash    605f25606bb925d61ccc47f0150db674        AsyncRAT Injector
IP Address  103.237.92.191                          GodRAT C2 Server
Domain      wuwu6.cfd                               AsyncRAT C2 Domain
File Path   %ALLUSERSPROFILE%\google\chrome.exe     Chrome Stealer Placement
