Threat Overview – Spectre RAT

The Spectre remote access trojan (RAT) is modular malware first seen in September 2020, offered as a malware-as-a-service (MaaS) program. Spectre RAT is written in C++ and gives the operator the means to remotely execute commands and payloads, manipulate processes, download and upload files, and steal information. The RAT is made up of three parts, or modules: the core bot module, the stealer module, and the hidden applications module. Because the RAT is sold as a service to prospective operators, Intel 471's threat intelligence shows the malware has impacted entities in industries such as cryptocurrency, cloud services, gaming, marketing and sales consulting, and telecommunications. With recent campaign activity targeting United States industries and the evolution of Spectre RAT since its inception, it is important that analysts assess, understand and prepare for this remote access trojan going forward.

Intel 471 References:
TITAN Finished Intel Report: New phishing attacks linked to The Com deploy Spectre RAT malware

Hunt Packages

WMIC Windows Internal Discovery and Enumeration

This package identifies potentially malicious use of WMIC (the Windows Management Instrumentation command-line tool) for local enumeration and discovery of a host.

Autorun or ASEP Registry Key Modification

A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to execute when a user logs in. These keys are often used for legitimate purposes; when used maliciously, however, the key name or value is often obviously suspicious, such as a random name or an object loaded from a temp or public folder.

Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address

This content is designed to detect when ping.exe is run with a count flag (-n) set to a high number against a loopback address. This technique is sometimes used to delay execution of the remainder of a chained command.
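The heuristic behind that hunt, written out as an added example rather than Intel 471's own package content: it pulls the -n count and the target host out of a process-creation command line, stops at the cmd.exe chain or redirection operator, and flags a high count against a loopback address. The sample command lines are constructed, and the threshold of 10 is an assumption to tune per environment.

```python
# Windows ping switches that consume the following token (count, size, TTL, ...).
SWITCHES_WITH_ARG = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-c"}
# Operators that end the ping command inside a cmd.exe chain or redirection.
CHAIN_TOKENS = {"&", "&&", "||", "|", ">", ">>", "2>"}
DELAY_THRESHOLD = 10  # assumption: tune to what is normal in your environment


def is_loopback(target: str) -> bool:
    t = target.lower()
    return t in ("localhost", "::1") or t.startswith("127.")


def ping_delay(cmdline: str, threshold: int = DELAY_THRESHOLD):
    """Return (count, target) when cmdline runs ping with a high -n against a
    loopback address, otherwise None. Whitespace tokenising after stripping
    quotes is enough for the cmd.exe one-liners this technique appears in."""
    tokens = cmdline.replace('"', " ").split()
    # Locate the ping binary by its basename so a full path still matches.
    start = next((i + 1 for i, tok in enumerate(tokens)
                  if tok.rsplit("\\", 1)[-1].lower() in ("ping", "ping.exe")), None)
    if start is None:
        return None
    count, target, j = None, None, start
    while j < len(tokens):
        tok = tokens[j]
        if tok in CHAIN_TOKENS or tok.startswith(">"):
            break  # the rest belongs to the chained or redirected command
        if tok[0] in "-/":  # ping accepts both -n and /n
            switch = "-" + tok[1:].lower()
            if switch == "-n" and j + 1 < len(tokens) and tokens[j + 1].isdigit():
                count = int(tokens[j + 1])
            j += 2 if switch in SWITCHES_WITH_ARG else 1
            continue
        target = tok  # last bare token is the host being pinged
        j += 1
    if count is not None and count >= threshold and target and is_loopback(target):
        return count, target.lower()
    return None


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    'cmd.exe /c ping 127.0.0.1 -n 60 > nul & "C:\\Users\\Public\\update.exe"',
    "C:\\Windows\\System32\\PING.EXE -n 4 localhost",
    'ping -n 120 -w 1000 ::1 >nul && del "C:\\Users\\Public\\stage.vbs"',
    "ping -n 200 8.8.8.8",
    "powershell -c Start-Sleep 30",
]


def hunt(cmdlines, threshold=DELAY_THRESHOLD):
    """Return (cmdline, count, target) for every command line that matches."""
    return [(c, *m) for c in cmdlines if (m := ping_delay(c, threshold))]
```

Only the first and third samples are flagged: the second uses a normal count, and the fourth targets a routable host rather than loopback.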

LNK File Created in Startup Folder – Potential Indirect Malware Execution

This package is designed to identify shortcut (.lnk) files that are created in the Windows Startup folder. This is a technique used by malware and attackers to cause their program to execute when a user logs in. A LNK file is used to bypass security controls and detection through typical means: an executable placed directly in the folder would draw suspicion, whereas a shortcut pointing to it is less conspicuous. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

Suspicious Executable or Scripts Launched in Common Configuration or System Related Folders

This hunt package is intended to identify suspicious executables or scripts launched from common configuration or system-function folders. This behavior can indicate an adversary attempting to disguise a payload as a "legitimate" file or script. Creating such files within common system folders is a technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system.

File Created In Startup Folder

This package is designed to detect a file being created in, or moved into, the Windows Startup folder.

Scheduled Task Executing from Abnormal Location

This hunt package is designed to capture activity associated with a scheduled task whose details include an abnormal location for execution. This is often a mark of persistence or of malicious tasks created by malware or attackers.
