MarkiRAT

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
MarkiRAT is a malicious software (malware) designed to exploit and damage computers or devices without the user's knowledge. This malware is deployed through suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. One of its unique variants intercepts the execution of applications like Telegram and Chrome, launching the malware along with these programs. When 'data.exe' is initiated as a result of starting Telegram, the usual deployment logic is bypassed, and the malware directly executes the real application together with the MarkiRAT payload. This malware has been observed to contain a consistent PDB path ‘D:\mklgs\mfcdownl\Release\mfcdownl.pdb’, which is similar across all its variants, suggesting a common authorship. It communicates with a command-and-control (C2) server behind the domain 'microsoft.com-view[.]space', a trait also seen in other recent MarkiRAT samples. The core functions of the malware remain consistent across its versions, except for the methods used for deployment on the victim's machine. MarkiRAT exhibits a wide range of malicious capabilities including recording keystrokes, capturing clipboard content, providing file download and upload capabilities, and executing arbitrary commands on the victim's machine. A recently discovered variant acts as a downloader that follows a similar convention to the other MarkiRAT implants. In this case, the downloaded PE file ('chrome.txt'/'mklgchrome') gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload. This report aims to provide more details on these findings and an analysis of the mechanics of the MarkiRAT malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the MarkiRAT Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Ferocious Kitten: 6 years of covert surveillance in Iran