CetaRAT Trojan Uses Delayed Activation to Evade Security
The CetaRAT is a Remote Access Trojan (RAT) whose development and usage are attributed to an unknown Advanced Persistent Threat (APT) group. However, it is possible that the criminals behind it share tools with other groups, since the CetaRAT was previously involved in a campaign operated by the Operation SideCopy APT.
CetaRAT infections usually occur through spearphishing emails that carry a malicious attachment. The file is disguised to look like a harmless document, invoice or archive that the victim will not deem suspicious. If they open the malicious file, they may be prompted to grant it certain permissions (enabling macros); doing so executes a macro script that delivers the CetaRAT payload.
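The delivery step described above relies on a document that carries a macro. The following added example (not CetaRAT code and not from the original article) shows one defensive check a mail gateway or triage script can apply: modern Office files are OOXML zip packages, and VBA code lives in a `vbaProject.bin` part, so the check looks for that part directly rather than trusting the file name. The sample "documents" are constructed in memory and are stub packages, not real Word files; the category names are my own.

```python
"""Flag e-mail attachments that carry a VBA macro project.

Added defensive check for the macro-based delivery described in the article.
Not CetaRAT code; the sample packages below are constructed in-memory stubs.
"""
import io
import os
import zipfile

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# OOXML extensions that should never carry a VBA project.
OOXML_PLAIN_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def has_vba_project(data: bytes) -> bool:
    """Return True if the bytes are a zip package containing a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.rsplit("/", 1)[-1].lower() == "vbaproject.bin"
                       for name in pkg.namelist())
    except zipfile.BadZipFile:
        # Not a zip at all (PDF, legacy OLE .doc, plain text, ...): nothing to find here.
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by its extension and by the macro part it actually contains."""
    ext = os.path.splitext(filename.lower())[1]   # handles 'Invoice.pdf.docm' -> '.docm'
    macro = has_vba_project(data)
    if ext in MACRO_EXTENSIONS and macro:
        return "macro-enabled"        # declared and real: sandbox or block by policy
    if ext in OOXML_PLAIN_EXTENSIONS and macro:
        return "macro-mismatch"       # claims to be plain but carries VBA: highly suspicious
    if macro:
        return "macro-disguised"      # e.g. 'Invoice.pdf' that is really a zip with VBA
    if ext in MACRO_EXTENSIONS:
        return "macro-ext-no-vba"     # macro-capable format, but no VBA project inside
    return "no-vba"


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package for testing (a stub, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; a stub suffices for the name check.
            pkg.writestr("word/vbaProject.bin",
                         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; file names are illustrative only.
    samples = {
        "Briefing_Notes.docm": build_sample_doc(True),
        "Invoice_0421.docx": build_sample_doc(True),
        "Invoice_0421.pdf": build_sample_doc(True),
        "Agenda.docx": build_sample_doc(False),
        "Report.pdf": b"%PDF-1.4 not a zip",
    }
    for name, blob in samples.items():
        print(f"{name:22s} -> {classify_attachment(name, blob)}")
```

The useful part of this check is the second and third branches: a document that presents itself as a plain `.docx` or as a PDF but still contains a VBA project is exactly the kind of disguise the article describes, and it is caught here without any signature for the payload itself.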
Politics-related Phishing Messages Spread the CetaRAT
The phishing messages delivering the CetaRAT usually focus on politics-related topics in the region of the victim, e.g. India-China relations or Ministry of External Affairs documentation. The way CetaRAT starts on an infected machine is also notable. Instead of initializing the malicious module immediately, the threat drops its files in the Startup directory and then launches a script that commands the machine to restart after some time. This delayed execution may let CetaRAT evade security controls that only observe the period right after the document is opened, such as time-limited sandbox analysis.
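The pattern just described, a file written into a Startup folder followed shortly by a request to restart the machine, is something an endpoint log pipeline can correlate. The following added example is mine, not code from the article or from the malware: it parses a few constructed, Sysmon-style log lines (event id 11 for file creation, id 1 for process creation; the key=value layout and field names are assumptions) and raises an alert when a Startup-folder drop and a restart request occur on the same host within a short window. The article does not name the command the script uses to schedule the restart; `shutdown /r /t N` is assumed here as a representative way to request a delayed restart on Windows.

```python
"""Correlate Startup-folder file drops with delayed restart requests.

Added detection example for the delayed-activation behaviour described in the
article. Not CetaRAT code. Log lines, host names, users and paths below are
constructed; the record layout is a simplified Sysmon-like key=value format.
"""
import re
from datetime import datetime, timedelta

# Any Windows per-user or all-users Startup folder path contains this fragment.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Assumed restart request: shutdown.exe invoked with the /r (restart) switch.
RESTART_CMD_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (timestamp, then key=value fields; quoted values may contain spaces).
SAMPLE_LOG = r"""
2021-08-12T09:14:02 id=11 host=WS-042 user=jdoe image="C:\Windows\System32\WScript.exe" target="C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
2021-08-12T09:14:05 id=1 host=WS-042 user=jdoe image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c shutdown /r /t 600"
2021-08-12T09:20:11 id=11 host=WS-042 user=jdoe image="C:\Program Files\Editor\editor.exe" target="C:\Users\jdoe\Documents\notes.txt"
2021-08-12T11:03:40 id=11 host=WS-017 user=asmith image="C:\Windows\explorer.exe" target="C:\Users\asmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk"
2021-08-12T17:30:00 id=1 host=WS-017 user=asmith image="C:\Windows\System32\shutdown.exe" cmdline="shutdown /r /t 0"
"""


def parse_line(line: str) -> dict:
    """Turn one 'TIMESTAMP key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_startup_drop(ev: dict) -> bool:
    """File-create event whose target lies in a Startup folder."""
    return ev.get("id") == "11" and bool(STARTUP_DIR_RE.search(ev.get("target", "")))


def restart_delay(ev: dict):
    """Requested delay in seconds if ev is a restart request, else None."""
    if ev.get("id") != "1":
        return None
    cmd = ev.get("cmdline", "")
    if not RESTART_CMD_RE.search(cmd):
        return None
    m = re.search(r"/t\s+(\d+)", cmd, re.IGNORECASE)
    return int(m.group(1)) if m else 30   # shutdown.exe defaults to a 30 s timeout


def correlate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Alert when a restart request follows a Startup-folder drop on the same host within `window`."""
    alerts = []
    drops_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev.get("host", "?")
        if is_startup_drop(ev):
            drops_by_host.setdefault(host, []).append(ev)
            continue
        delay = restart_delay(ev)
        if delay is None:
            continue
        for drop in drops_by_host.get(host, []):
            gap = ev["ts"] - drop["ts"]
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "host": host,
                    "user": ev.get("user"),
                    "dropped": drop["target"],
                    "dropper": drop.get("image"),
                    "restart_cmd": ev.get("cmdline"),
                    "restart_delay_s": delay,
                    "gap_s": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running it on the constructed log yields one alert for WS-042 (drop by a script host, restart requested three seconds later with a ten-minute delay) and none for WS-017, where a shortcut landed in Startup and a restart happened hours later. The window is the knob to tune: a Startup drop followed by a scheduled restart within minutes is rare in normal use, which is what makes the combination a better signal than either event alone.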
The primary focus of this Remote Access Trojan is to exfiltrate data from the victim's machine and transfer it to the attackers' server. The criminals can also issue a range of remote commands:
- Download and execute a file.
- Manage the file system.
- Rename files.
- Execute remote commands.
- Grab screenshots.
- Manage running processes.
Users in the regions affected by the CetaRAT campaign can improve their security by staying vigilant for suspicious emails that urge them to open an attachment and by refusing to enable macros in documents received by email. In addition, keeping an up-to-date antivirus solution in place, and watching the Startup folders for unexpected new entries, is the best way to deter and catch this kind of malware.