Threat Overview – Spectre RAT
The Spectre remote access trojan (RAT) is modular malware first seen in September 2020 and offered as a malware-as-a-service (MaaS) program. Spectre RAT is written in C++ and gives the operator the means to remotely execute commands and payloads, manipulate processes, download and upload files, and steal information. The RAT is made up of three parts, or modules: the core bot module, the stealer module, and the hidden applications module. Because the RAT is sold as a service to prospective operators, Intel 471's threat intelligence shows the malware has impacted entities in industries such as cryptocurrency, cloud services, gaming, marketing and sales consulting, and telecommunications. With recent campaign activity targeting United States industries and the evolution of Spectre RAT since its inception, it is important that analysts assess, understand and prepare for this remote access trojan going forward.
Intel 471 References:
TITAN Finished Intel Report: New phishing attacks linked to The Com deploy Spectre RAT malware
Hunt Packages
WMIC Windows Internal Discovery and Enumeration
This package identifies potentially malicious use of WMI (Windows Management Instrumentation) for local enumeration and discovery of a host.
Autorun or ASEP Registry Key Modification
A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to execute when a user logs in. These are often used for legitimate purposes; when used maliciously, however, the key name/value is often obviously suspicious, such as a random name or an object loaded from a temp or public folder.
Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address
This content is designed to detect ping.exe invoked with the -n flag set to a high count and targeting any loopback address. This technique is sometimes used to delay execution of the remainder of a chained command.
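The hunt logic described above, as an added example that is not part of the Intel 471 hunt package: it parses process command lines, splits them on cmd.exe chaining operators, and flags a ping/ping.exe segment with -n (or /n) at or above a threshold against a loopback target. The threshold of 10, treating the name localhost as loopback, and the sample command lines are all assumptions constructed for this example.

```python
import ipaddress
import re

HIGH_COUNT = 10  # what counts as a "high" -n value; this threshold is an assumption
# Split on cmd.exe chaining operators so "cmd /c ping ... && <payload>" is inspected per segment.
CHAIN_SPLIT = re.compile(r"&&|\|\||&|\|")
TOKEN = re.compile(r'"[^"]*"|\S+')

def _is_loopback(token: str) -> bool:
    """True for 127.0.0.0/8, ::1, or the literal name localhost (the name is included by assumption)."""
    token = token.strip('"')
    if token.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(token).is_loopback
    except ValueError:
        return False

def ping_delay_in_cmdline(cmdline: str, threshold: int = HIGH_COUNT):
    """Return (count, target) when a ping segment uses -n/-N >= threshold against loopback, else None."""
    for segment in CHAIN_SPLIT.split(cmdline):
        tokens = TOKEN.findall(segment)
        # Match the ping binary by basename so quoted or full paths (C:\Windows\System32\PING.EXE) are caught.
        idx = next((i for i, t in enumerate(tokens)
                    if t.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower() in ("ping", "ping.exe")), None)
        if idx is None:
            continue
        args = tokens[idx + 1:]
        nums = [args[i + 1] for i, t in enumerate(args[:-1]) if t.lower() in ("-n", "/n") and args[i + 1].isdigit()]
        if not nums or int(nums[-1]) < threshold:
            continue
        loopbacks = [t.strip('"') for t in args if _is_loopback(t)]
        if loopbacks:
            return int(nums[-1]), loopbacks[0]
    return None

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'cmd.exe /c ping -n 30 127.0.0.1 > nul && del "C:\Users\Public\stage.exe"',
    r'"C:\Windows\System32\PING.EXE" /n 120 ::1',
    r'ping -n 2 127.0.0.1',            # ordinary count: not flagged
    r'ping -n 60 10.0.0.5',            # high count but not loopback: not flagged
    r'powershell.exe -nop -w hidden',  # no ping at all
]

def flag_events(events, threshold=HIGH_COUNT):
    """(index, count, target) for every event that matches the hunt logic."""
    return [(i, *hit) for i, cmd in enumerate(events)
            if (hit := ping_delay_in_cmdline(cmd, threshold))]
```

Running `flag_events(SAMPLE_EVENTS)` flags only the first two sample lines; tune `HIGH_COUNT` against your own baseline of legitimate ping usage before deploying the logic.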
LNK File Created in Startup Folder – Potential Indirect Malware Execution
This package is designed to identify shortcut (.lnk) files created in the Windows Startup folder. This is a technique used by malware and attackers to cause their program to execute when a user logs in. A LNK file is used to bypass security controls and detection by typical means, where an executable placed directly in the folder would draw suspicion to itself. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
Suspicious Executable or Scripts Launched in Common Configuration or System Related Folders
This Hunt Package is intended to identify when suspicious executables or scripts are launched from common configuration or system function related folders. This behavior can indicate an adversary attempting to hide a payload as a "legitimate" file or script. Creating such files within the common system folders is a technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system.
File Created In Startup Folder
This package is designed to detect activity around a file being created in the Windows Startup folder.
Scheduled Task Executing from Abnormal Location
This hunt package is designed to capture activity associated with a scheduled task whose details include an abnormal execution location. This is often a mark of persistence or of malicious tasks created by malware or attackers.