MarkiRAT

Malware Profile Updated 3 months ago
MarkiRAT is malicious software (malware) designed to compromise and damage computers or devices without the user's knowledge. It is deployed through suspicious downloads, emails, or websites; once inside a system it can steal personal information, disrupt operations, or hold data hostage for ransom.

One of its distinctive variants intercepts the launch of applications such as Telegram and Chrome so that the malware runs alongside those programs. When 'data.exe' is started as a result of launching Telegram, the usual deployment logic is bypassed and the malware directly executes the real application together with the MarkiRAT payload.

The samples contain a consistent PDB path, 'D:\mklgs\mfcdownl\Release\mfcdownl.pdb', shared across all variants, which suggests common authorship. They communicate with a command-and-control (C2) server behind the domain 'microsoft.com-view[.]space', a trait also seen in other recent MarkiRAT samples. The core functions of the malware remain the same across versions; only the methods used to deploy it on the victim's machine differ. MarkiRAT exhibits a wide range of malicious capabilities, including recording keystrokes, capturing clipboard content, downloading and uploading files, and executing arbitrary commands on the victim's machine.

A recently discovered variant acts as a downloader that follows the same convention as the other MarkiRAT implants. In this case the downloaded PE file ('chrome.txt'/'mklgchrome') is executed each time the user starts Chrome, running the real Chrome application as well as the MarkiRAT payload. This report aims to provide more details on these findings and an analysis of the mechanics of the MarkiRAT malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Downloader
Malware
Payload
Chrome
Telegram
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the MarkiRAT malware was read from the document corpus below. This display is limited to 20 results.
Source: MITRE (a year ago). Title: Ferocious Kitten: 6 years of covert surveillance in Iran