The ComRAT v4 file contains a Virtual File System (VFS) in File Allocation Table 16 (FAT16) format, which includes the configuration and logs files. It is designed to use a Gmail web interface to receive commands and exfiltrate data. The named pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the communication module for backdoorcommands. The ComRATv4 file and the communication module communicate with each other using a named pipe. The communication module (32-bit or 64-bit DLL) is i njected into the victim system ís default browser. This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs used as communication modules. This report analyzes a PowerShell script that installs a PowerShell script, which will decode and load a 64-bit dynamic-link library (DLL) identified as ComRAT version 4. Cyber Command’s VirusTotal page for more information. CISA encourages users and administrators to review Malware Analysis Report MAR-10310246-2.v1 and U.S. You can view currently active Named Pipes using Sysinternals Pipelist. A Named Pipe is a mechanism for inter-process communication. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal. Once an initial foothold has been gained in a network, named pipes offer a stealthy method of moving laterally. The FBI & CISA have identified a malware variant-referred to as ComRAT-used by the Russian-sponsored advanced persistent threat (APT) actor Turla. A major new Remote Access Trojan (RAT) malware attack was highlighted yesterday by CISA & FBI
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |