Kaspersky detected a new remote access trojan targeting financial institutions through Skype messenger

The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which was found in a client’s source code on a popular online scanner, where it was uploaded in July, 2024. The archive, titled GodRAT V3.5_______dll.rar, also includes the GodRAT builder, capable of generating both executable and DLL payloads. This builder allows attackers to disguise the malicious payload by selecting legitimate process names (e.g. svchost.exe, cmd.exe, wscript.exe) for code injection and saving the final file in various formats, including .exe, .com, .bat, .scr, and .pif.

To evade detection, the attackers used steganography to embed shellcode within image files depicting financial data. This shellcode downloads the GodRAT malware from a Command-and-Control (C2) server. The RAT then establishes a TCP connection to the C2 server using the port specified in its configuration blob. It collects operating system details, local hostname, malware process name and process ID, the user account associated with the malware process, installed antivirus software, and the presence of a capture driver.

GodRAT supports additional plugins, and once installed, the attackers utilized the FileManager plugin to explore the victim’s systems and deployed password stealers targeting Chrome and Microsoft Edge to extract credentials. In addition to GodRAT, they also employed AsyncRAT as a secondary implant to maintain prolonged access.

“GodRAT appears to be an evolution of AwesomePuppet, which was reported by Kaspersky in 2023 and is likely linked to the Winnti APT. Its distribution methods, rare command-line parameters, code similarities with Gh0st RAT, and shared artifacts — such as a distinctive fingerprint header — suggest a common origin. Despite being nearly two decades old, legacy implant codebases like Gh0st RAT continue to be actively used by threat actors, often customized and rebuilt to target a wide range of victims. The discovery of GodRAT demonstrates how such long-known tools can remain relevant in today’s cybersecurity landscape,” comments Saurabh Sharma, Security Researcher within Kaspersky’s Global Research and Analysis Team.

More information is available in a report on Securelist.com.

To stay safe, Kaspersky recommends:

• Regularly updating your operating system, browser, antivirus, and other programs. Culprits tend to exploit vulnerabilities in software to compromise systems.
• To protect the company against such threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
• You can enable the ‘Show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. As Trojans are programs, you should be warned to stay away from file extensions like “exe”, “vbs” and “scr”.You need to keep a vigilant eye on this as many familiar file types can also be dangerous. Scammers could use several extensions to masquerade a malicious file as a video, photo, or a document (like hot-chics.avi.exe or doc.scr).

About the Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.