VTA-004471 – New C#-Based “Silver RAT” Malware Distributed by Syrian Hackers

Security experts are warning about Silver RAT, a new weapon in the malicious actor’s toolbox. This remote access trojan (RAT), created by a group known as Anonymous Arabic, is intended to sneak into computer systems and provide backdoor access for attackers to steal information, run secret programmes, and cause chaos. The developers have a sophisticated and active presence across several social media platforms and hacking forums. The actors, who are believed to be of Syrian descent and connected to the creation of the S500 RAT, also manage a Telegram channel where they provide a range of services including sales of social media bots, distribution of cracked RATs, and access to leaked information. Afterwards, other online criminals use the social media bots to automatically interact with and comment on user material in order to promote different illegal services. The malware written in C# claims to have numerous capabilities, including the ability to log keystrokes, remove system restore points, connect to a command-and-control (C2) server, and even encrypt data with ransomware. There are also hints that an Android version is being developed. Threat actors can choose from a number of options when creating a payload with the Silver RAT builder, with a payload size limit of 50kb. After the victim is connected, they show up on the attacker-controlled Silver RAT panel, where the logs from the victim are shown according to the selected functionalities.

Severity:
Medium

Attack Surfaces:
Endpoint, Mobile Application, Remote Access Service, Web Application

Technique:
T1027 – Obfuscated Files or Information
T1041 – Exfiltration Over C2 Channel
T1053 – Scheduled Task/Job
T1055 – Process Injection
T1056 – Input Capture
T1057 – Process Discovery
T1059 – Command and Scripting Interpreter
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1112 – Modify Registry
T1497 – Virtualization/Sandbox Evasion
T1528 – Steal Application Access Token
T1539 – Steal Web Session Cookie
T1552 – Unsecured Credentials
T1567 – Exfiltration Over Web Service

Indicator of Compromise:
https://otx.alienvault.com/pulse/659cc9c0425117bb287be91e

References:
https://www.cyfirma.com/outofband/a-gamer-turned-malware-developer-diving-into-silverrat-and-its-syrian-roots/

SuperPRO’s Threat Countermeasures Procedures: 
1. Avoid clicking on suspicious links or attachments without verifying the source.
2. Use strong passwords and multifactor authentication for online accounts
3. Use reputable security software if any suspicious activity happens
4. Keep all software updated with the latest security patches.
5. If there is a suspected RAT, disconnect the devices from the internet to prevent further attack.

Contributed by: Varrumen