Deed Rat

Malware updated 7 days ago (2024-11-29T13:57:58.617Z)
Deed RAT is a sophisticated malware family associated with the Space Pirates group, known for its ability to encapsulate its protocol in HTTP, HTTPS, and DNS. It stores all its data, including configuration and plugins, in the system registry and collects information about in-use proxies through network sniffing. Deed RAT can detect and use a proxy to connect to its command-and-control (C2) server. The control server, ftp.microft.dynssl.com, is directly linked to the infrastructure of the Space Pirates group. During system information collection, Deed RAT also gathers the language code identifier (LCID).

The Space Pirates toolkit features unique downloaders and several previously unencountered backdoors, presumably specific to the group. These include MyKLoadClient, BH_A006, and Deed RAT. An additional tool in their arsenal is Masol RAT, a cross-platform tool used against Linux servers from Southeast Asian governments.

Also noteworthy is SnappyBee, also known as Deed RAT, a modular backdoor that is considered the successor to ShadowPad. This malware was previously revealed by Positive Technologies and is primarily executed through DLL sideloading. Lateral movement within infected networks is performed by the initial backdoor, with additional backdoors such as Zingdoor and SnappyBee (Deed RAT) being installed on other machines within the network.

The observed IP addresses associated with Deed RAT are 45.76.145.22, 103.27.109.234, and 108.160.134.113.

The combination of these capabilities makes Deed RAT a potent threat that requires robust countermeasures.
Description last updated: 2024-11-28T11:53:01.552Z
Aliases We are not currently tracking any aliases