MalwareHunterTeam finds new SectopRAT Trojan horse
The security research team MalwareHunterTeam recently reported that it had discovered a new Trojan horse program, SectopRAT. The Trojan can be used to take control of browser sessions on an infected computer, change the browser's configuration, and disable security measures.
A signed (Sectigo) C# malware, got told it's possibly called "1xxbot". Sample: b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a
Used to create hidden desktop and run selected browser there with full control.
Related to AsataFar…
cc @James_inthe_box @VK_Intel @Antelox pic.twitter.com/bFPqTmrSp6
— MalwareHunterTeam (@malwrhunterteam), November 15, 2019
The malicious program is understood to be written mainly in C#. It includes a RemoteClient.Config class with four configurable values: IP, retip, filename, and mutexName. The researchers' findings on these four variables were as follows: 1. The IP variable holds the address of the Trojan's command-and-control (C2) server. 2. The retip variable is designed to set up a new C2 server. 3. The C2 server address can be overwritten with the "set IP" command. 4. The filename and mutexName variables are set but are not in active use.
The researchers also found that the software appears to have some shortcomings: first, it uses hard-coded paths rather than environment variables to access system files; second, a command for retrieving compiled decoder information has not been finished.
The researchers said that, despite these obvious flaws, the techniques used in the program indicate that its author has a certain level of expertise, so experts suspect that the Trojan may still be only a test version.