InnaputRAT

InnaputRAT is a Remote Access Trojan (RAT) malware that has been distributed by threat actors using phishing techniques and the Godzilla Loader. The malware, capable of exfiltrating files from victim machines, was identified in campaigns where it beaconed to live C2 as of March 26, 2018. The threat actors used phishing and downloader(s) to install InnaputRAT on the target's machine without their knowledge. This campaign shared a common malware payload, InnaputRAT, which was found communicating with top domains. Upon analyzing the original infrastructure, additional instances of the InnaputRAT payload were identified on further infrastructure. The most recent variant of InnaputRAT, detected on March 13, 2018, showed similar characteristics to previous samples, including sharing the same C2s, the same NeutralApp.exe name, and the same Registry Key creation. This consistency in attributes across samples suggests an evolution of the InnaputRAT malware over time. The infrastructure and registrants tied to the distribution of InnaputRAT were all associated with the common malware payload. The identification of this recent version of InnaputRAT was made possible through initial phishing campaigns, infrastructure correlation, and binary analysis. The continuous evolution of InnaputRAT highlights the persistent threat posed by such malware and underscores the importance of maintaining robust cybersecurity measures to protect against these evolving threats.