This RAT Doesn't Squeak Much

Published: 23/11/2024   Category: security




Saefko does stuff. Lots of stuff.



The Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities.
A RAT is a type of malware that includes a backdoor for remote administrative control of the target, and this one is no exception. The RAT can monitor target behavior by logging user keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives and the like.
The Saefko RAT stays in the background and executes every time the user logs in. It does this by creating a startup key that runs the malware at login. Other observed behavior includes fetching the Chrome browser history and looking for specific types of activity, such as credit cards, business, social media, gaming, cryptocurrency and shopping.
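The startup-key persistence described above is one of the easier behaviors to audit on a host. The following is an added example, not code from the article or from Zscaler's report: it parses the text of a `reg export` of the current user's Run key and flags entries whose executable lives in a user-writable location. The registry export, the value names and the paths are all constructed for the example; the list of user-writable directory markers is an assumed heuristic, not a definitive rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# produces. Entry names and paths are made up for this example and are not indicators from the
# Zscaler report.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"
"Tmp"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe\" -s"
'''

# Assumed heuristic: directory fragments (lowercased) that an unprivileged user can write to.
# A Run entry launching a binary from one of these deserves a closer look; it is not proof of malware.
USER_WRITABLE_MARKERS = (
    r"\appdata\roaming",
    r"\appdata\local\temp",
    r"\users\public",
)

# A .reg string value line looks like "Name"="Value"; backslashes and quotes inside are escaped.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command_line} for every string value in the export."""
    entries: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def extract_executable(command_line: str) -> str:
    """Pull the program path out of a Run command line, honouring a quoted path."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: the first whitespace-delimited token is the program.
    return cmd.split()[0] if cmd else ""


def audit_run_keys(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, executable, matched_marker) for entries launched from user-writable paths."""
    findings: List[Tuple[str, str, str]] = []
    for name, cmd in parse_run_entries(reg_text).items():
        exe = extract_executable(cmd)
        for marker in USER_WRITABLE_MARKERS:
            if marker in exe.lower():
                findings.append((name, exe, marker))
                break
    return findings


if __name__ == "__main__":
    for name, exe, marker in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"[review] Run\\{name} -> {exe}  (matched {marker})")
```

The same parsing works on an export of the HKLM Run key or the RunOnce keys, since the value-line format is identical; only the marker list needs adjusting for what counts as unusual in a given environment.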
It phones home to a command-and-control (C&C) server, and sends it what it has found. The C&C can tell the malware to download an additional payload as well.
It first checks whether the Internet connection is active. It then uses the Chrome browser history to search for particular websites the user has visited and counts how many of them were visited. This gives the attacker information to decide which of all the infected systems it should target first.
Zscaler's blog contains the list of exact websites it searches for, but the list is too lengthy for this article.
After that, Saefko begins the StartServices function, which has four different infection modules: HTTPClinet (that's how it spells Client), IRCHelper, KEYLogger, and StartLocalServices (USB spreading).
Don't forget those video sources. Saefko searches the system for AForge.dll, AForge.Video.DirectShow.dll, AForge.Video.dll and Sqlite3.dll. It enumerates the video input devices on the targeted system and sends all the related information to the C&C. Oh yes, it will also send a snapshot from the device it has determined is present on the system. The video frame is encoded with Base64 and sent to the C&C for any further nefarious utilization.
Boy howdy, this one does stuff.
Zscaler does have some advice, though. At the administrative level, they post in the blog, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT.
That happens to be a very good point. You can't fix a RAT unless you know you have it.
— Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
