P8RAT

P8RAT, also known as GreetCake and HEAVYPOT, is a highly sophisticated fileless malware introduced in a campaign by the threat actor Ecipekac. It is part of a multi-layer loader module designed to deliver various payloads including SodaMaster (also referred to as DelfsCake, dfls, and DARKTOWN), P8RAT itself, and FYAnti (known as DILLJUICE stage2) which subsequently loads QuasarRAT. This malware infects systems through suspicious downloads, emails, or websites, often without user knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. Significant changes were made to P8RAT in December 2020, shortly after Symantec and LAC published blog posts about it on November 17, 2020, and December 1, 2020, respectively. Unlike previous malware instances used by APT10 such as LilimRAT, Lodeinfo, and ANEL, P8RAT and SodaMaster do not contain a malware version number. Based on the primary features of P8RAT and SodaMaster backdoors, it's believed that these modules serve as downloaders for further malware, although additional malicious software has yet to be obtained during investigations. The purpose of the SodaMaster module, similar to P8RAT, is to download and execute payloads like DLL or shellcode. Both P8RAT and SodaMaster are unique fileless malwares that form part of Ecipekac’s payloads. The complexity of this multi-layer malware named Ecipekac and its associated payloads highlight the advanced nature of the threats posed by such malicious software.