Webrat Malware Spread Via Fake Vulnerability Exploits On Github

The WebRAT malware is now being distributed through GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities.

Previously spread through pirated software and cheats for games like Roblox, Counter Strike, and Rust, WebRAT is a backdoor with info-stealing capabilities that emerged at the beginning of the year.

According to a report from Solar 4RAYS in May, WebRAT can steal credentials for Steam, Discord, and Telegram accounts, as well as cryptocurrency wallet data. It can also spy on victims through webcams and capture screenshots.

Since at least September, the operators started to deliver the malware through carefully crafted repositories claiming to provide an exploit for several vulnerabilities that had been covered in media reports. Among them were:

Security researchers at Kaspersky discovered 15 repositories distributing WebRAT, all of them providing information about the issue, what the alleged exploit does, and the available mitigations.

Due to the way the information is structured, Kaspersky believes that the text was generated using an artificial intelligence model.

The malware has multiple methods to establish persistence, including Windows Registry modifications, the Task Scheduler, and injecting itself into random system directories.

Kaspersky researchers say that the fake exploits are delivered in the form of a password-protected ZIP file containing an empty file with the password as its name, a corrupted decoy DLL file acting as a decoy, a batch file used in the execution chain, and the main dropper named rasmanesc.exe.

According to the analysts, the dropper elevates privileges, disables Windows Defender, and then downloads and executes WebRAT from a hardcoded URL.

Kaspersky notes that the WebRAT variant used in this campaign is no different from previously documented samples and lists the same capabilities described in past reports.

Source: BleepingComputer