Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals

News

Jan 08, 2024NewsroomMalware / Cybercrime

Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications.

“The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report published last week.

The actors, assessed to be of Syrian origin and linked to the development of another RAT known as S500 RAT, also run a Telegram channel offering various services such as the distribution of cracked RATs, leaked databases, carding activities, and the sale of Facebook and X (formerly Twitter) bots.

Cybersecurity

The social media bots are then utilized by other cyber criminals to promote various illicit services by automatically engaging with and commenting on user content.

In-the-wild detections of Silver RAT v1.0 were first observed in November 2023, although the threat actor’s plans to release the trojan were first made official a year before. It was cracked and leaked on Telegram around October 2023.

The C#-based malware boasts of a wide range of features to connect to a command-and-control (C2) server, log keystrokes, destroy system restore points, and even encrypt data using ransomware. There are also indications that an Android version is in the works.

Silver RAT to Cybercriminals

“While generating a payload using Silver RAT’s builder, threat actors can select various options with a payload size up to a maximum of 50kb,” the company noted. “Once connected, the victim appears on the attacker-controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen.”

An interesting evasion feature built into Silver RAT is its ability to delay the execution of the payload by a specific time as well as covertly launch apps and take control of the compromised host.

Cybersecurity

Further analysis of the malware author’s online footprint shows that one of the members of the group is likely in their mid-20s and based in Damascus.

“The developer […] appears supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware,” Cyfirma said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Why system resilience should mainly be the job of the OS, not just third-party applications
The complexities of attack attribution – Week in security with Tony Anscombe
THN Cybersecurity Recap: Last Week’s Top Threats and Trends (September 23-29)
Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability
ACSC and CISA Launch Critical OT Cybersecurity Guidelines

Leave a Reply

Your email address will not be published. Required fields are marked *