zgRAT | |
Type of Malware | Remote Access Trojan, Infostealer |
Date of initial activity | Not documented in public sources |
Country of Origin | Unknown |
Motivation | To enable remote access and control over infected machines. Data theft. |
Type of information stolen | Login credentials, personally identifiable information (PII), financial information, medical records, biometric data, corporate data |
Attack Vectors | Usually spread via USB drives or phishing emails carrying .zip/.lnk/.bat/.xlsx attachments, either directly or through other threats such as loaders and stealers |
Targeted System | Windows |
Overview
zgRAT is a classic remote access trojan: its operator gains remote control of a compromised machine, logs keystrokes, steals sensitive data, and uploads and executes further payloads. It also has an infostealer capability that targets browser data and cryptocurrency wallets.
The date of zgRAT's first detection is not widely documented in public sources, but it has been observed in cybercriminal campaigns over the past several years.
zgRAT has been observed being distributed through spam campaigns that deliver the Agent Tesla malware, which in turn installs the RAT.
Targets
zgRAT primarily targets individuals and organizations in South Korea, with the aim of gaining remote access to compromised machines.
How they operate
zgRAT has been identified in spam campaigns whose emails carried malicious attachments. When opened, the attachments dropped first-stage malware such as the Agent Tesla RAT or FakeBat, which then infected the device with zgRAT. Because the RAT arrives as a second stage, the loader-stage attachment is the earliest point at which the chain can be interrupted.
Once deployed, zgRAT lets the attacker remotely control the compromised machine, log keystrokes, exfiltrate sensitive data, and execute additional malicious payloads.
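The delivery chain described above (a .zip/.lnk/.bat/.xlsx lure that drops a loader, which then installs zgRAT) is the stage a mail gateway or SOC can inspect without any zgRAT-specific indicator. The following is an added example, not code from the page or from any zgRAT analysis: it triages an attachment by extension chain (including double extensions such as invoice.pdf.lnk), looks inside .zip containers, flags password-protected entries it cannot scan, and identifies Windows shell-link (.lnk) files by their fixed header regardless of the name they carry. The extension sets beyond the four the page lists, and the sample archive it builds, are assumptions constructed for the example.

```python
"""Triage an e-mail attachment for loader-style delivery (added example).
Rules are generic attachment hygiene, not zgRAT signatures."""
import io
import zipfile
from dataclasses import dataclass

# Attachment types the page associates with zgRAT delivery, plus other
# script/executable types loaders commonly use (assumption for this example).
RISKY_EXTS = {".lnk", ".bat", ".xlsx", ".exe", ".js", ".vbs", ".ps1", ".cmd", ".scr"}
# Benign-looking decoy extensions seen in double-extension names like invoice.pdf.lnk.
DECOY_EXTS = {".pdf", ".docx", ".doc", ".txt", ".jpg", ".png"}

# A Windows shell link begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian field order).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


@dataclass(frozen=True)
class Finding:
    where: str   # "attachment.zip:entry" for archive members, else the attachment name
    reason: str


def ext_chain(filename: str) -> list[str]:
    """All extensions of a filename, lowercased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = filename.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def classify(where: str, filename: str, head: bytes) -> list[Finding]:
    """Apply the name-based and header-based rules to one file."""
    exts = ext_chain(filename)
    last = exts[-1] if exts else ""
    out = []
    if last in RISKY_EXTS:
        out.append(Finding(where, f"risky extension {last}"))
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in RISKY_EXTS:
        out.append(Finding(where, f"double extension {exts[-2]}{last}"))
    # Header check catches a .lnk renamed to look like a document.
    if head.startswith(LNK_MAGIC) and last != ".lnk":
        out.append(Finding(where, "shell-link (LNK) header under a non-.lnk name"))
    return out


def triage_attachment(name: str, data: bytes) -> list[Finding]:
    """Check the attachment itself, then every member of a .zip container."""
    findings = classify(name, name, data[:len(LNK_MAGIC)])
    if ext_chain(name)[-1:] == [".zip"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                where = f"{name}:{info.filename}"
                if info.flag_bits & 0x1:
                    # Encrypted member: content cannot be inspected, which is itself a signal.
                    findings.append(Finding(where, "password-protected entry (content not scanned)"))
                    findings.extend(classify(where, info.filename, b""))
                    continue
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
                findings.extend(classify(where, info.filename, head))
    return findings


def build_sample() -> bytes:
    """Constructed lure for this example: a decoy-named .lnk and a .bat dropper in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("run.bat", b"@echo off\r\nstart payload.exe\r\n")
        zf.writestr("readme.txt", b"Please open the attached invoice.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_attachment("Invoice_2024.zip", build_sample()):
        print(f"{f.where}: {f.reason}")
```

Only the first 20 bytes of each member are read, so the check is cheap enough to run inline on a mail gateway; a .xlsx hit is a review trigger rather than a block decision, since the page's lure type is also a common legitimate attachment.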