Action RAT

Malware updated a month ago (2024-11-29T13:35:14.078Z)
Download STIX
Preview STIX
Action RAT is a malicious software (malware) used by cyber threat actors to exploit and damage computer systems. This malware, written in Delphi and compiled on October 2, 2021, is part of an arsenal that includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT. It infects systems through deceptive means such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Action RAT can steal personal information, disrupt operations, or hold data for ransom. The malware employs fileless payload execution via .hta files to deploy one of the associated RATs, such as AllaKore or Action Rat. Throughout the year, new attack campaigns involving Action RAT have been observed almost monthly, with evolving tactics, techniques, and procedures (TTPs). These include additional stages with Double Action RAT, a new .NET-based RAT, and uncovered instances of PowerShell remote execution. Infection typically begins with the execution of a .LNK file, which retrieves an HTML application from a remote server. This application presents a decoy while stealthily deploying the Action RAT backdoor. The malware then initiates a concatenation operation involving multiple HTML applications, ultimately resulting in the drop of an Action Rat variant whose files mimic essential Windows components. The use of Action RAT has been linked to SideCopy, an advanced persistent threat (APT) group known for targeting India and Afghanistan. This group has employed Action RAT in numerous attacks against India, using spear-phishing for initial entry and presenting research material as a decoy to plant the info-stealing malware. Detailed analysis of these campaigns and the payloads involved can be found in previous whitepapers and blog posts provided by our team.
Description last updated: 2024-05-05T02:53:07.628Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Rat
Phishing
Decoy
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The SideCopy Threat Actor is associated with Action RAT. SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or TrojUnspecified
2
Source Document References
Information about the Action RAT Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more