Financially-motivated Threat Actors Use the Klingon RAT


Cybercriminals and malware developers experiment with all sorts of tricks to make their implants and operations harder to spot. Over the past three years there has been an influx of newly built malware written in Google's Go language (Golang). Like C, Go compiles to native code, but it produces large, statically linked binaries whose runtime and symbol layout differ from the C programs that analysts and signature-based tools were built around, and the same source cross-compiles easily for Windows, Linux and macOS. Criminals favour it for one practical reason: it can confuse automated security tools into letting malicious code run. One of the newer threats written in Go is the Klingon RAT (Remote Access Trojan).

Custom-built Klingon RAT Used to Steal Financial Information

The creators of the Klingon RAT appear to use it privately and are unlikely to share it with other cybercrime groups. Its primary purpose is to harvest financial data from the compromised system so that the operators can eventually steal money or carry out fraudulent transactions. The Klingon RAT can also disable specific Windows security features and kill the processes of some antivirus tools. Unfortunately, there is not yet enough information about the exact methods used to deliver the Klingon RAT payload.

Once the Klingon RAT is on a system, it drops its files in a subfolder of %APPDATA%. Some samples hide their components behind legitimate-sounding names such as 'updater10.exe'. The threat then establishes persistence by adding registry Run keys or creating a new scheduled task.

One peculiar trait of the Klingon RAT is that it chains several publicly known techniques for bypassing Windows User Account Control (UAC): it tries the most widely used method first and falls back to the next one if that fails. These are abuses of auto-elevating Windows components rather than patched vulnerabilities, since Microsoft does not treat UAC as a security boundary. The RAT's feature set is modest compared with commercial Remote Access Trojans: its operators can run PowerShell commands with elevated privileges, update the payload, open a remote desktop connection, or deploy additional malware. That is more than enough for the criminals to reach their goals.
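The two behaviours described above (persistence from a %APPDATA% subfolder via Run keys or scheduled tasks, and elevation through known UAC bypasses followed by privileged command execution) are the most detectable parts of the infection chain. The following is an added example, not code from the page or from the RAT's operators: it runs a handful of detection rules over constructed Sysmon-style events (event 13 = registry value set, event 1 = process create). The sample events, the file name 'updater10.exe' reused as the payload name, and the per-user class keys checked by the UAC rule are assumptions; those class keys are general public UAC-bypass indicators, and the page does not say which bypasses the Klingon RAT actually uses.

```python
"""Detection rules over constructed Sysmon-style events for the behaviours on this page.
Added example: not the page's or the RAT operators' code; all sample events are invented."""
import re
from dataclasses import dataclass

# Payload directory described on the page: a subfolder of %APPDATA% (Local included as a hedge).
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Autostart Run/RunOnce keys in any hive.
RUNKEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Per-user class keys consulted by auto-elevating Windows helpers. Writing a command here is a
# widely documented UAC-bypass pattern; whether Klingon uses exactly these is an assumption.
ELEVATION_HIJACK_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\(ms-settings|mscfile)\\shell\\open\\command", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    evidence: str


def detect(events):
    """Return one Alert per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            # Persistence: a Run key whose value launches something under %APPDATA%.
            if RUNKEY_RE.search(target) and APPDATA_RE.search(details):
                alerts.append(Alert("run_key_points_into_appdata", target))
            # Elevation: user-writable class key hijacked ahead of an auto-elevating helper.
            if ELEVATION_HIJACK_RE.search(target):
                alerts.append(Alert("user_hive_elevation_hijack_key", target))
        elif eid == 1:
            image = ev.get("Image", "")
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            # Persistence: schtasks /create with an action that lives under %APPDATA%.
            if (image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower()
                    and APPDATA_RE.search(cmd)):
                alerts.append(Alert("scheduled_task_runs_from_appdata", cmd))
            # Post-bypass activity: a High-integrity process started by, or running from, %APPDATA%.
            if ev.get("IntegrityLevel") == "High" and (
                    APPDATA_RE.search(image) or APPDATA_RE.search(parent)):
                alerts.append(Alert("high_integrity_process_tied_to_appdata", f"{parent} -> {image}"))
    return alerts


# Constructed sample telemetry (assumed SID, user name and paths); the last two events are benign.
PAYLOAD = r"C:\Users\alice\AppData\Roaming\updater10.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": PAYLOAD},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "{PAYLOAD}"',
     "ParentImage": PAYLOAD, "IntegrityLevel": "Medium"},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": PAYLOAD},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date",
     "ParentImage": PAYLOAD, "IntegrityLevel": "High"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.evidence}")
```

Run against the constructed events, the four malicious ones each raise exactly one alert and the two benign ones raise none. The rules deliberately key on the combination of an autostart mechanism and an %APPDATA% path rather than on the file name, since the page notes the RAT picks legitimate-sounding names that will vary between samples.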

To protect yourself from the Klingon RAT, use a reputable anti-malware suite together with a firewall, and keep the usual safe Web browsing habits in mind so that you steer clear of potentially harmful files and websites. Administrators can additionally watch for executables launching from %APPDATA% and for new Run keys or scheduled tasks that point there, since that is where this RAT lives and how it persists.

June 22, 2021