
Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new Remote Access Trojan (RAT) called GodRAT. The malware spreads through malicious screensaver files that pose as financial documents and are sent via Skype. Small and medium businesses (SMBs) in the UAE and Hong Kong were targeted in this attack.
The attackers used the GodRAT malware, which was found in a client’s code on an online scanner, where it was uploaded in July 2024. The file, named GodRAT V3.5_______dll.rar, also contains a builder that creates both executable and library files. This tool helps attackers hide the malicious software by choosing the names of common processes (such as svchost.exe, cmd.exe, wscript.exe) for injection and by saving the final file in formats such as .exe, .com, .bat, .scr and .pif.
To avoid being detected, the attackers used steganography, hiding harmful code in image files that look like financial data. This code downloads the GodRAT malware from a remote server. Once connected, the RAT gathers information about the operating system, local hostname, malware process name and ID, user account details, installed antivirus, and any capture driver present.
GodRAT can use extra plugins. After installing it, the attackers used the FileManager plugin to search the victim’s systems. They also deployed password stealers for Chrome and Microsoft Edge to get login details. Besides GodRAT, they used another tool called AsyncRAT to keep access for a longer time.
“GodRAT appears to be an evolution of AwesomePuppet, which was reported by Kaspersky in 2023 and is likely linked to the Winnti APT. Its distribution methods, rare command-line parameters, code similarities with Gh0st RAT, and shared artifacts — such as a distinctive fingerprint header — suggest a common origin. Despite being nearly two decades old, legacy implant codebases like Gh0st RAT continue to be actively used by threat actors, often customised and rebuilt to target a wide range of victims. The discovery of GodRAT demonstrates how such long-known tools can remain relevant in today’s cybersecurity landscape,” comments Saurabh Sharma, Security Researcher within Kaspersky’s Global Research and Analysis Team.
More information is available in a report on Securelist.com.
To stay safe, Kaspersky recommends:
- Regularly updating your operating system, browser, antivirus and other programs. Attackers tend to exploit vulnerabilities in software to compromise systems.
- To protect the company against such threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
- You can enable the ‘Show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. As Trojans are programs, you should be wary of file extensions like “exe”, “vbs” and “scr”. You need to keep a vigilant eye on this, as many familiar file types can also be dangerous. Scammers could use several extensions to disguise a malicious file as a video, photo, or a document (like hot-chics.avi.exe or doc.scr).
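
The extension advice above can also be applied automatically to attachment or download names. The following is an added example, not code from Kaspersky's report: it flags names whose real (last) extension is one of the executable types this article mentions and marks those that also carry a document or media component as decoys. The function names, the decoy-extension list and all sample names other than the two quoted above are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Executable extensions named in this article (builder output formats plus the advice above).
EXECUTABLE_EXTS = {"exe", "com", "bat", "scr", "pif", "vbs"}
# Assumption: decoy extensions chosen for illustration; extend for your environment.
DECOY_EXTS = {"avi", "mp4", "jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_name(name: str) -> str:
    """Return 'masquerade', 'executable' or 'ok' for a received file name."""
    # Windows drops trailing dots and spaces, so "a.scr. " still opens as a .scr file.
    base = PureWindowsPath(name.rstrip(". ")).name
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Any earlier component that looks like a document or media type is a decoy.
    if any(p in DECOY_EXTS for p in parts[:-1]):
        return "masquerade"
    return "executable"


def triage(names):
    """Return (name, verdict) pairs for every name that is not 'ok'."""
    verdicts = ((n, classify_name(n)) for n in names)
    return [(n, v) for n, v in verdicts if v != "ok"]


# Constructed sample: the two names quoted in the article plus invented ones.
SAMPLE = [
    "hot-chics.avi.exe",
    "doc.scr",
    "2024_financial_statement.xlsx .PIF",
    r"C:\Users\demo\Downloads\client_list.pdf.scr. ",
    "quarterly_report.pdf",
    "installer.exe",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{verdict:<11} {name!r}")
```

A "masquerade" verdict is the stronger signal for quarantine or review; "executable" alone is expected for legitimate installers and needs context such as sender and delivery channel.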

