RATANKBA

Malware updated 6 months ago (2024-05-04T23:18:16.053Z)
RATANKBA is malware that infiltrates a system through suspicious downloads, emails, or websites and, once inside, can steal personal information, disrupt operations, or hold data hostage for ransom. In one instance we observed, RATANKBA was delivered as the initial payload and connected to a legitimate but compromised website (eye-watch[.]in:443), a site selling mobile applications; a hack tool (nbt_scan.exe) was also downloaded from this site. The malware then searched for specific IP ranges and profiled different aspects of the infected machine.

A distinctive feature of RATANKBA is a control model that does not require real-time communication between the backdoor and the attacker: the backdoor retrieves its tasks and executes them independently, collecting information for the attacker to retrieve later. Among its final payloads is the banking Trojan TSPY_BANKER.NTE, which increases the potential harm to the infected system. The controllers of RATANKBA use the "Nimo Software HTTP Retriever 1.0" user-agent string in its communications.

RATANKBA has been seen in two versions, PowerShell and C/C++. About 55% of the victims of the PowerShell version were located in India and neighboring countries. During our analysis, we collected a copy of the RATANKBA malware's Lazarus Remote Controller tool, which exposes a main console interface and a host manipulation console, further underlining the malware's capabilities.
Description last updated: 2024-05-04T22:31:17.700Z