‘Saefko’ Multi-Layered RAT Can Spread via USB Drives

Security researchers from Zscaler have found a new remote access Trojan (RAT) for sale on the Dark Web that includes multiple functions and is able to spread via removable USB drives.

Dubbed Saefko, the backdoor remains in the background and executes every time a user logs in. The malware was designed to fetch Chrome browsing history for specific types of activities, send data to the command and control (C&C) server, and execute commands received from the C&C.

The RAT’s browsing history harvesting targets activities involving credit cards, business, social media, gaming, cryptocurrency, shopping, and the like. Upon receiving commands from the C&C, it can take screenshots, log keystrokes, record videos, and perform other actions as well, including downloading and executing additional payloads. 

Upon infection, the malware copies itself to two AppData directories, then also creates a startup key to ensure it is executed at each login (the key is different for accounts with administrative privileges), Zscaler reveals. 

The malware then checks whether the system has an active Internet connection and attempts to identify whether the system has any vital information. 

The threat searches the collected browsing history and counts entries found in several categories, such as credit card possibility, gaming activity value, crypto-currency value, Instagram activity, Facebook activity, YouTube activity, Google+ activity, Gmail activity, shopping activity, and business value.

The RAT can collect additional user application data, including IRC information (channel name, nickname, password, communication port, server name and uptime), system uptime, machine architecture, number of crypto/business/payment/etc. sites visited, country code, IP address, and geographic location of the machine, and captures screenshots. 

All of the collected data is then sent to the C&C server, after which the RAT waits an OK response. When it arrives, the malware begins a ‘StartServices’ function that has four different infection modules, namely HTTPClinet, IRCHelper, KEYLogger, and StartLocalServices (for USB spreading). 

The RAT can send a request for a task, which it receives in the form of a URL to download a new payload from, can use the SetWindowsHookEx API for capturing keystrokes, and can connect to an IRC server to receive commands (to download files, execute commands, open URLs, send system information, capture screenshots, get system location, or uninstall).

The threat can also spread via removable USB drives, by copying itself to them and creating lnk files for every file and directory on the drives, but pointing to a file that executes the malware, which allows it to further infect systems.

The security researchers also discovered on a forum an ad for a cracked Saefko RAT tool, which apparently is “a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices.” 

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Related: New Attack Delivers FlawedAmmyy RAT Directly in Memory