| RotBot | |
|---|---|
| Type of Malware | Remote Access Trojan |
| Country of Origin | Vietnam |
| Date of initial activity | 2024 |
| Associated Groups | CoralRaider |
| Targeted Countries | India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam |
| Motivation | Performs reconnaissance of system data on the victim machine and downloads other malware. |
| Attack vectors | Downloaded and executed on the victim machine disguised as the Printer Subsystem application “spoolsv.exe”. |
| Targeted systems | Windows |
Overview
RotBot is a variant of the QuasarRAT client that the CoralRaider threat actor has customized and compiled for the January 2024 campaign.
Targets
Windows devices in India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam.
How they operate
During its initial execution, RotBot performs several checks on the victim’s machine to evade detection and analysis, examining the machine’s IP address, ASN, and running processes. It then performs reconnaissance of system data on the victim machine. Talos found that the RotBot sample discovered in the January 2024 campaign creates mutexes on the victim machine as infection markers, using strings hardcoded in the binary.
Significant Malware Campaigns
- The threat actor uses a Telegram bot as C2 to exfiltrate the victim’s data. (April 2024)