CetaRAT Trojan Uses Delayed Activation to Evade Security

The CetaRAT is a Remote Access Trojan (RAT) whose development and use are attributed to an unknown Advanced Persistent Threat (APT) group. However, the criminals behind it may be sharing tools with other groups, since the CetaRAT was previously used in a campaign run by the Operation SideCopy APT.

CetaRAT infections usually begin with spearphishing emails carrying a dangerous attachment. The file is disguised as a harmless document, invoice or archive that the victim will not consider suspicious. If they open the malicious file, they may be prompted to grant it certain permissions; doing so leads to the execution of a macro script and the delivery of the CetaRAT payload.

Politics-related Phishing Messages Spread the CetaRAT

The phishing messages delivering the CetaRAT usually focus on politics-related topics in the victim's region, e.g. India-China relations or Ministry of External Affairs documentation. The way the CetaRAT runs on infected machines is also notable. Instead of initializing the malicious module immediately, the threat drops its files in the Startup directory and then launches a script that commands the machine to restart after a delay, so the payload only runs once the system comes back up. This delayed execution may let the CetaRAT avoid security features that only watch the initial run.
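The persistence-then-reboot sequence described above leaves a recognizable trail for defenders: an executable or script written into a Startup folder, followed shortly afterwards by a delayed restart command on the same host. The following detection logic is an added example for this article, not code from the original post or from any vendor; it correlates Sysmon-style events (event ID 11 = FileCreate, event ID 1 = ProcessCreate) and runs over a small set of constructed sample events, so the hostnames, paths, timestamps and command lines below are invented for illustration.

```python
"""Flag a Startup-folder drop followed by a delayed reboot on the same host.

Added example; event layout is a simplified Sysmon-like record, and the
sample events at the bottom are constructed, not from a real incident.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Both the per-user and the all-users Startup folders contain this fragment.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# File types that execute on logon when placed in a Startup folder.
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js|ps1|hta|lnk)$", re.IGNORECASE)
# shutdown.exe with a restart flag (/r or -r) and a delay (/t N or -t N).
SHUTDOWN_BIN = re.compile(r"(?:^|\\|\s)shutdown(?:\.exe)?(?:\s|$)", re.IGNORECASE)
RESTART_FLAG = re.compile(r"(?:^|\s)[/-]r(?:\s|$)", re.IGNORECASE)
DELAY_FLAG = re.compile(r"(?:^|\s)[/-]t\s+(\d+)", re.IGNORECASE)
# Office hosts: a Startup drop from one of these points at a macro, as on this page.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int        # 11 = FileCreate, 1 = ProcessCreate
    image: str           # process responsible for the event
    target: str = ""     # FileCreate: path written
    cmdline: str = ""    # ProcessCreate: command line


def is_startup_drop(ev: Event) -> bool:
    """True when an executable/script file is written into a Startup folder."""
    return (ev.event_id == 11
            and STARTUP_DIR.search(ev.target) is not None
            and EXECUTABLE_EXT.search(ev.target) is not None)


def restart_delay(ev: Event) -> Optional[int]:
    """Seconds until reboot if this ProcessCreate is a delayed restart, else None."""
    if ev.event_id != 1 or not SHUTDOWN_BIN.search(ev.cmdline):
        return None
    if not RESTART_FLAG.search(ev.cmdline):
        return None
    m = DELAY_FLAG.search(ev.cmdline)
    return int(m.group(1)) if m else None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Pair each delayed-restart command with Startup drops on the same host
    that happened within `window` before it; each pair becomes one alert."""
    alerts = []
    drops = [e for e in events if is_startup_drop(e)]
    for ev in events:
        delay = restart_delay(ev)
        if delay is None:
            continue
        for d in drops:
            gap = ev.ts - d.ts
            if d.host == ev.host and timedelta(0) <= gap <= window:
                alerts.append({
                    "host": ev.host,
                    "dropped": d.target,
                    "dropped_by": d.image,
                    "macro_origin": d.image.lower() in OFFICE_PROCS,
                    "restart_cmd": ev.cmdline,
                    "delay_seconds": delay,
                    "seconds_between": int(gap.total_seconds()),
                })
    return alerts


# Constructed sample telemetry (not real data): two Startup drops from Word
# followed by a delayed restart on WS01, plus benign noise and an unrelated
# immediate reboot on WS02 that must not alert.
T0 = datetime(2021, 11, 4, 10, 0, 0)
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    Event(T0, "WS01", 11, "WINWORD.EXE", target=STARTUP + r"\update.exe"),
    Event(T0 + timedelta(seconds=1), "WS01", 11, "WINWORD.EXE", target=STARTUP + r"\run.bat"),
    Event(T0 + timedelta(seconds=5), "WS01", 1, "cmd.exe", cmdline="cmd.exe /c shutdown /r /t 120"),
    Event(T0 + timedelta(seconds=60), "WS01", 11, "explorer.exe", target=r"C:\Users\alice\Documents\notes.txt"),
    Event(T0 + timedelta(seconds=90), "WS02", 1, "cmd.exe", cmdline="shutdown /r /t 0"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['dropped_by']} wrote {a['dropped']}; "
              f"restart in {a['delay_seconds']}s scheduled {a['seconds_between']}s later "
              f"(macro origin: {a['macro_origin']})")
```

The check deliberately requires both halves of the pattern on one host within a short window: Startup-folder writes alone are common during software installs, and administrators schedule reboots routinely, but an Office process writing an executable there minutes before a restart command is worth a ticket. Tune `window` and `OFFICE_PROCS` to the environment.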

The primary focus of this Remote Access Trojan is to exfiltrate data from the victim's machine, and transfer it to the server of the attackers. The criminals are also able to execute a long list of remote commands:

  • Download and execute a file.
  • Manage the file system.
  • Rename files.
  • Execute remote commands.
  • Grab screenshots.
  • Manage running processes.

Users in the regions targeted by the CetaRAT campaign can improve their security by staying vigilant for suspicious emails that urge them to open an attachment. In addition, using an up-to-date antivirus solution is the best way to deter malware attacks.

November 4, 2021