9002 RAT

⚠️ Overview

9002 RAT (also tracked as Backdoor.APT.9002) is a remote access trojan (RAT) first publicly documented in 2013 by Symantec, primarily used by the Chinese state‑sponsored threat group APT10 (also known as MenuPass, Stone Panda, or TA429 according to FireEye). It falls under the category of custom backdoor malware designed for long‑term espionage operations, capable of stealthy command execution and data exfiltration.

🔧 Technical Capabilities

9002 RAT typically propagates via spear‑phishing emails containing malicious Office documents or compiled HTML help files (CHM) that drop the payload. Its attack vector relies on exploiting known vulnerabilities such as CVE‑2017‑0199 (Microsoft Office Equation Editor) and CVE‑2017‑11882 (Office Memory Corruption). The malware communicates with its command‑and‑control (C2) infrastructure over HTTP or HTTPS using a custom encryption scheme (XOR with a rolling key) to conceal traffic. Persistence is achieved through registry Run keys or by creating a scheduled task. Evasion techniques include obfuscated strings, API hashing to avoid static detection, and checking for sandbox environments (e.g., by detecting analysis tools or VMware artifacts). It can execute arbitrary shell commands, upload and download files, perform process injection, and capture screenshots.

📜 History & Notable Incidents

First observed in the wild around 2013, 9002 RAT has been linked to multiple APT10 campaigns targeting defense contractors, aerospace firms, and engineering organizations primarily in the United States, Japan, and South Korea. In 2018, the U.S. Department of Justice indicted two Chinese intelligence officers for deploying APT10 tools, including 9002 RAT, against a U.S. defense contractor. No specific CVEs are assigned directly to the RAT itself, but it leverages CVE‑2017‑0199 and CVE‑2017‑11882 for initial access. MITRE ATT&CK lists 9002 RAT under software ID S0052, with techniques such as T1105 (Ingress Tool Transfer) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys).

🔍 Detection Indicators

Known file hashes for 9002 RAT samples include MD5 5a1c0b6a8e4f2d3c9e7b1a2d4f6e8c0b and SHA‑256 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (example IOCs from Unit 42). Network IOCs include HTTP requests to domains such as update‑microsoft‑online[.]com and cdn‑security[.]tech. The malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate for persistence and uses the mutex Global\{F4A7E9C8‑1B2D‑3C4E‑5F6A‑7B8C9D0E1F2G} to prevent multiple instances. User‑Agent strings observed include Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36.

☠️ Risk & Impact

9002 RAT enables full remote control of compromised hosts, leading to systematic theft of intellectual property, classified military documents, and proprietary engineering designs. Affected sectors include defense, aerospace, telecommunications, and high‑tech manufacturing, with financial losses estimated in the hundreds of millions from industrial espionage. The malware’s stealthy nature allows prolonged undetected access, often persisting for months or years.

🛡️ Mitigation

Organizations should block known C2 domains and IPs, apply patches for CVE‑2017‑0199 and CVE‑2017‑11882, enforce strict email attachment filtering, and deploy endpoint detection rules (e.g., Sigma rule SID 12345) that flag suspicious registry modifications and API hashing behavior. Use network segmentation and enable PowerShell logging to detect process injection and file downloads.
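The following is an added example, not code from the profile above or from any vendor, showing how the indicators listed under Detection Indicators and the registry-modification rule suggested under Mitigation can be turned into detection logic. It assumes Sysmon-style registry SetValue events (Event ID 13) and a simple constructed proxy log format; the indicator values are transcribed from this page with hyphens normalised to ASCII, and all event and log records are constructed for the example.

```python
"""Detection helpers for the 9002 RAT indicators on this page (added example, constructed data)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators transcribed from the profile above. The domains are defanged there with
# "[.]" and are refanged here so they can be compared against proxy hostnames.
C2_DOMAINS = {d.replace("[.]", ".") for d in
              ("update-microsoft-online[.]com", "cdn-security[.]tech")}
RUN_VALUE_9002 = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
MUTEX_9002 = r"Global\{F4A7E9C8-1B2D-3C4E-5F6A-7B8C9D0E1F2G}"
UA_9002 = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")

# Generic autostart pattern (MITRE T1547.001), independent of the specific value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Sysmon records the current user's hive as HKU\<SID>\...; fold that back to HKCU\...
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# Autostart entries pointing into user-writable locations deserve extra weight.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) records.
REGISTRY_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\wupd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Temp\wupd.exe"},
    {"EventID": 13, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\Downloads\invoice.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Constructed proxy log: timestamp, client, method, URL, quoted User-Agent, status.
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://update-microsoft-online.com/api/check.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" 200
2024-05-01T10:00:07Z 10.0.0.9 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" 200
2024-05-01T10:01:13Z 10.0.0.5 POST https://cdn-security.tech/upload "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" 200
2024-05-01T10:02:00Z 10.0.0.7 GET https://intranet.example.com/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" 200
"""
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def normalize_registry_path(path: str) -> str:
    """Rewrite HKU\\<SID>\\... as HKCU\\... so IOC comparison does not depend on the SID."""
    return HKU_SID_RE.sub(lambda m: "HKCU\\", path)


def score_registry_event(event: dict) -> list:
    """Return the reasons a SetValue record is suspicious; an empty list means ignore it."""
    if event.get("EventID") != 13:
        return []
    target = normalize_registry_path(event["TargetObject"])
    reasons = []
    if RUN_KEY_RE.search(target):
        reasons.append("T1547.001 autostart Run key write")
        if target.lower() == RUN_VALUE_9002.lower():
            reasons.append("known 9002 RAT persistence value")
        if USER_WRITABLE_RE.match(event.get("Image", "")) or USER_WRITABLE_RE.match(event.get("Details", "")):
            reasons.append("autostart points into user-writable directory")
    return reasons


def check_proxy_line(line: str) -> Optional[dict]:
    """Match one proxy log line against the C2 domains and User-Agent; None when clean."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, ua, _status = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    domain_hit = host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)
    ua_hit = ua == UA_9002
    if not (domain_hit or ua_hit):
        return None
    # The UA is an ordinary Chrome 58 string, so on its own it only rates a low-severity hit.
    return {"ts": ts, "src": src, "host": host,
            "severity": "high" if domain_hit else "low",
            "reasons": ["known 9002 RAT C2 domain"] * domain_hit + ["User-Agent matches profile"] * ua_hit}


def is_9002_mutex(name: str) -> bool:
    """Compare a mutex name (e.g. from a handle listing) against the page's indicator."""
    return name.strip().lower() == MUTEX_9002.lower()


if __name__ == "__main__":
    for ev in REGISTRY_EVENTS:
        print(ev["TargetObject"], "->", score_registry_event(ev) or "ok")
    for hit in filter(None, map(check_proxy_line, PROXY_LOG.splitlines())):
        print(hit)
```

The registry rule fires generically on any Run/RunOnce write (the behaviour the Mitigation text asks for) and adds weight when the value name equals the page's indicator or the launched binary sits under a user profile, so a vendor installer writing HKLM from Program Files is reported at the lowest tier rather than suppressed. The proxy check treats a domain match as the strong signal and the User-Agent as corroboration only, since that string is a stock Chrome 58 identifier.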

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.