New mystery Windows-smashing RAT found in corporate network

Malware man Yotam Gottesman has found a somewhat mysterious remote access Trojan on a corporate network that sports highly capable evasion techniques.

The Ensilo researcher says the Trojan, dubbed Moker, is not known to antivirus databases and can bypass and disable Windows security measures.

Bypassed security systems includes antivirus, user access control, and virtual machines.

"As opposed to more common malware such as bank Trojans, ransomware, and PoS scrapers, this advanced persistent threat hooked into the operating system in order to appear as a legitimate OS process and to access system-wide settings," Gottesman says.

"Moker targets Windows machines and takes complete control of the victim’s machine by creating a new user account and opening a RDP channel to gain remote control of the victim’s device.

"[It] tampers with sensitive system files and modify system-security settings, takes screenshots, records web traffic, monitors keystrokes and exfiltrates files."

The malware also stuffs itself into system processes, replacing legitimate code with malicious scripts during run-time, according to the researcher.

Moker sports anti-analysis techniques including the ability to encrypt itself and evasion of popular debugging tools, says the researcher. The author also threw in instructions that serve only to lead researchers astray in their analysis, he adds.

"Obviously, this is a threat actor that invested a lot of resources in order to keep this malware stealthy," Gottesman says.

The installation is also protected, using a two stage process and code packing to avoid examination by packet inspection and antivirus. ®