| BitRAT | |
|---|---|
| Type of Malware | RAT |
| Country of Origin | Unknown |
| Date of initial activity | 2020 |
| Associated Groups | Multiple threat actors, as this malware has been widely sold on underground cybercriminal markets and forums (e.g. Kimsuky) |
| Targeted Countries | Worldwide |
| Motivation | BitRAT can be used for a variety of malicious purposes, including recording video and audio, data theft, DDoS attacks, cryptocurrency mining, and delivering additional payloads. Data stolen from users is then sold on the dark web for other cybercriminals to use. |
| Attack vectors | Weaponized Microsoft Excel spreadsheets; pirated Microsoft Windows licenses distributed via webhards; fake browser updates |
| Tools | TinyNuke |
| Targeted systems | Windows |
Overview
According to Bitdefender, BitRAT is a well-known remote access trojan (RAT) extensively sold on underground cybercriminal markets and forums. Its $20 lifetime access cost makes it highly appealing to cybercriminals and aids in the dissemination of its malicious payload.
BitRAT is marketed as a powerful, affordable, and versatile malware capable of stealing a wide range of valuable information from the host, performing DDoS attacks, bypassing UAC, and more.
BitRAT features include generic keylogging, clipboard monitoring, webcam access, audio recording, credential theft from web browsers, and XMRig coin mining capabilities.
Additionally, it provides remote control for Windows systems, hidden virtual network computing (hVNC), and reverse proxy through SOCKS4 and SOCKS5 (UDP). The hidden desktop feature is so valuable that some hacking groups, like Kimsuky, have incorporated it into their arsenal specifically to use the hVNC tool.
The varied methods employed by each buyer make BitRAT even more difficult to combat, as it can be utilized in various operations such as trojanized software, phishing, and watering hole attacks.
ASEC's analysts have also identified strong code similarities with TinyNuke and its derivative, AveMaria (Warzone).
Targets
Users who download illegal crack tools from webhards and run them to verify a Windows license are at risk of having BitRAT installed on their PC.
How they operate
BitRAT has been distributed through campaigns that bundle it with pirated Microsoft Windows licenses. When users download these pirated versions of Microsoft products, they install BitRAT on their devices at the same time.
As a remote access trojan (RAT), BitRAT allows its operator to take control of the infected system. Beyond basic control features such as process, service, file and remote command tasks, it also provides additional options such as various info-stealing features, hVNC, remote desktop, coin mining, and proxies.
Here is the list of features that BitRAT offers:
- Network Communication Method
  - Encrypted communication using TLS 1.2
  - Communication using Tor
- Basic Control
  - Process manager
  - Service manager
  - File manager
  - Windows manager
  - Software manager
- Information Theft
  - Keylogging
  - Clipboard logging
  - Webcam logging
  - Audio logging
  - Application (e.g., web browser) account credential theft
- Remote Control
  - Remote desktop
  - hVNC (Hidden Desktop)
- Proxy
  - SOCKS5 proxy: port forwarding feature using UPnP
  - Reverse proxy: SOCKS4 proxy
- Coin Mining
  - XMRig CoinMiner
- Others
  - DDoS attack
  - UAC bypass
  - Windows Defender deactivation
Significant Malware Campaigns
- BitRAT, first observed in late 2020, is a newcomer to the malware scene. Threat actors can purchase this malware on popular underground forums and have been observed distributing it via malicious XLS attachments in malspam. (May 2021)
- FortiGuard Labs recently came across a peculiar-looking Excel spreadsheet that seemingly included NFT-related information. But instead, it downloads and installs the BitRAT malware in the background. (February 2022)
- The ASEC analysis team has recently discovered BitRAT being distributed via webhards. (March 2022)
- The payloads were MaaS (Malware as a Service) info-stealers: AZORult, BitRAT and Raccoon. All are available for purchase in various markets and groups. (May 2022)
- A phishing campaign delivered three fileless malware families inside a huge downloaded PowerShell file to bypass detection; these are later deployed and executed inside the target processes through process hollowing. The three fileless malware families are AveMariaRAT, BitRAT and PandoraHVNC. (May 2022)
- BitRAT is a fairly recent, notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums since Feb 2021. (January 2023)
- In May 2024, eSentire’s Threat Response Unit (TRU) detected an instance of fake updates delivering BitRAT and Lumma Stealer. (May 2024)
References:
- Biotech-Themed Malspam Drops BitRAT
- BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
- NFT Lure Used to Distribute BitRAT
- Info-stealer Campaign targets German Car Dealerships and Manufacturers
- Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC
- BitRAT Now Sharing Sensitive Bank Data as a Lure
- Fake Browser Updates delivering BitRAT and Lumma Stealer
- BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators