Connect with us

Hi, what are you looking for?


Malware & Threats

‘Saefko’ Multi-Layered RAT Can Spread via USB Drives

Security researchers from Zscaler have found a new remote access Trojan (RAT) for sale on the Dark Web that includes multiple functions and is able to spread via removable USB drives.

Security researchers from Zscaler have found a new remote access Trojan (RAT) for sale on the Dark Web that includes multiple functions and is able to spread via removable USB drives.

Dubbed Saefko, the backdoor remains in the background and executes every time a user logs in. The malware was designed to fetch Chrome browsing history for specific types of activities, send data to the command and control (C&C) server, and execute commands received from the C&C.

The RAT’s browsing history harvesting targets activities involving credit cards, business, social media, gaming, cryptocurrency, shopping, and the like. Upon receiving commands from the C&C, it can take screenshots, log keystrokes, record videos, and perform other actions as well, including downloading and executing additional payloads. 

Upon infection, the malware copies itself to two AppData directories, then also creates a startup key to ensure it is executed at each login (the key is different for accounts with administrative privileges), Zscaler reveals

The malware then checks whether the system has an active Internet connection and attempts to identify whether the system has any vital information. 

The threat searches the collected browsing history and counts entries found in several categories, such as credit card possibility, gaming activity value, crypto-currency value, Instagram activity, Facebook activity, YouTube activity, Google+ activity, Gmail activity, shopping activity, and business value.

The RAT can collect additional user application data, including IRC information (channel name, nickname, password, communication port, server name and uptime), system uptime, machine architecture, number of crypto/business/payment/etc. sites visited, country code, IP address, and geographic location of the machine, and captures screenshots. 

Advertisement. Scroll to continue reading.

All of the collected data is then sent to the C&C server, after which the RAT waits an OK response. When it arrives, the malware begins a ‘StartServices’ function that has four different infection modules, namely HTTPClinet, IRCHelper, KEYLogger, and StartLocalServices (for USB spreading). 

The RAT can send a request for a task, which it receives in the form of a URL to download a new payload from, can use the SetWindowsHookEx API for capturing keystrokes, and can connect to an IRC server to receive commands (to download files, execute commands, open URLs, send system information, capture screenshots, get system location, or uninstall).

The threat can also spread via removable USB drives, by copying itself to them and creating lnk files for every file and directory on the drives, but pointing to a file that executes the malware, which allows it to further infect systems.

The security researchers also discovered on a forum an ad for a cracked Saefko RAT tool, which apparently is “a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices.” 

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Related: New Attack Delivers FlawedAmmyy RAT Directly in Memory

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...