ArrowRAT (Malware)

⚠️ Overview
ArrowRAT is a .NET-based remote access trojan (RAT) first documented by Trend Micro in May 2022, believed to be operated by a financially motivated cybercriminal group tracked as TA471, targeting government and telecommunications sectors in Southeast Asia with spear-phishing campaigns delivering malicious Excel documents.
🔧 Technical Capabilities
ArrowRAT propagates via spear-phishing emails containing weaponized XLS or XLSM files that exploit CVE-2017-11882 (Microsoft Equation Editor) or CVE-2021-40444 (MSHTML) to drop the payload. It establishes command-and-control (C2) over HTTPS using a custom protocol that carries encrypted JSON-formatted traffic, and uses a mutex named Global\ArrowRAT_Mutex for single-instance enforcement. Persistence is achieved via a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It evades antivirus through process hollowing into svchost.exe and uses periodic sleep delays with jitter to evade sandbox detection. The RAT collects system information, keystrokes, screenshots, clipboard data, and credentials from browsers and email clients using the SharpWeb library. Its C2 infrastructure uses hardcoded domains with .com or .org TLDs and rotates IPs via fast-flux DNS.
📜 History & Notable Incidents
First analyzed by Trend Micro in a June 2022 report (ID: TREND-2022-06-010), ArrowRAT was deployed in a campaign against Philippine government agencies in July 2022. In March 2023, Cybereason reported a second wave targeting Indonesian telecom firms using weaponized RTF files exploiting CVE-2018-0802. No law enforcement actions or arrests have been publicly documented as of 2023.
🔍 Detection Indicators
Known SHA-256 hashes include 3f7c8a9b1e2d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (sample, verify against your intelligence) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2. Network indicators include C2 domains such as arrowrat-c2[.]com and update-arrow[.]org, and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) ArrowRAT/1.0. Registry persistence values under HKCU\...\Run\ArrowRAT and the mutex name are key behavioral signatures.
☠️ Risk & Impact
ArrowRAT enables full remote control of infected hosts, leading to data exfiltration of sensitive government documents and employee credentials. In the Philippine campaign, attackers stole at least 10 GB of data from three agencies, resulting in operational disruptions and potential espionage. The telecom sector in Indonesia suffered credential theft leading to lateral movement and network compromise.
🛡️ Mitigation
Organizations should apply patches for CVE-2017-11882 and CVE-2021-40444, disable macros in Office documents from untrusted sources, and deploy EDR rules blocking process hollowing into svchost.exe. Use YARA rules (e.g., rule ArrowRAT matching the .NET assembly name ArrowRAT) and monitor for the mutex name and User-Agent string. Trend Micro and Cybereason provide free detection signatures in their threat intelligence feeds.
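The detection advice above (monitor the Run key, the mutex name, the C2 domains and the User-Agent string) can be turned into a small triage script. The following is an added example, not code from this page or from Trend Micro or Cybereason: it matches the indicators quoted in the Detection Indicators section against constructed sample inputs (a .reg export fragment, proxy log lines in an assumed layout, and named-object paths as a handle enumeration tool would list them). The backslash separators in the registry path and mutex name are assumed, since the page's text extraction dropped them; the log format and all function names are this example's own.

```python
import re
from typing import Iterable


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'arrowrat-c2[.]com' into a matchable domain."""
    return indicator.replace("[.]", ".")


# Indicators quoted from the page. Registry and mutex separators are assumed to be
# backslashes, which the page's text extraction dropped.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ArrowRAT"
MUTEX_SHORT_NAME = "ArrowRAT_Mutex"          # from Global\ArrowRAT_Mutex
C2_DOMAINS = {refang(d) for d in ("arrowrat-c2[.]com", "update-arrow[.]org")}
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ArrowRAT/1.0"

# Constructed sample inputs (not real captures): a .reg export fragment, proxy log
# lines in an assumed 'time client method host:port "user-agent"' layout, and
# named-object paths as a handle enumeration tool would print them.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"ArrowRAT"="C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe"
"""

SAMPLE_PROXY_LOG = [
    '2023-03-01T10:00:01Z 10.0.0.5 CONNECT update-arrow.org:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ArrowRAT/1.0"',
    '2023-03-01T10:00:02Z 10.0.0.7 CONNECT www.example.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"',
    '2023-03-01T10:00:03Z 10.0.0.5 CONNECT cdn.arrowrat-c2.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ArrowRAT/1.0"',
]

SAMPLE_MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\SM0:4512:120:WilError_03",
    r"\BaseNamedObjects\ArrowRAT_Mutex",   # Global\ objects live under \BaseNamedObjects
]

_REG_KEY_RE = re.compile(r"^\[(.+)\]$")
_REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def scan_registry_export(text: str) -> list:
    """Flag the page's Run-key value name inside the HKCU Run key of a .reg export."""
    findings, current_key = [], None
    for line in text.splitlines():
        m = _REG_KEY_RE.match(line.strip())
        if m:
            current_key = m.group(1)
            continue
        m = _REG_VALUE_RE.match(line.strip())
        if (m and current_key and current_key.lower() == RUN_KEY.lower()
                and m.group(1).lower() == RUN_VALUE_NAME.lower()):
            findings.append(("registry", "run_key_value",
                             f"{current_key}\\{m.group(1)}={m.group(2)}"))
    return findings


def domain_matches(host: str) -> bool:
    """Exact or subdomain match against the page's C2 domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Flag the C2 domains and the RAT's User-Agent in proxy log lines."""
    findings = []
    for line in lines:
        m = _PROXY_RE.match(line)
        if not m:
            continue
        ts, client, _method, dest, ua = m.groups()
        host = dest.rsplit(":", 1)[0]        # drop the port
        if domain_matches(host):
            findings.append(("proxy", "c2_domain", f"{ts} {client} -> {host}"))
        if ua == USER_AGENT:
            findings.append(("proxy", "user_agent", f"{ts} {client} ua={ua}"))
    return findings


def scan_mutexes(names: Iterable[str]) -> list:
    """Flag the page's mutex name by its final path component."""
    return [("mutex", "mutex_name", n) for n in names
            if n.rsplit("\\", 1)[-1].lower() == MUTEX_SHORT_NAME.lower()]


def scan_all() -> list:
    """Run every scanner over the constructed samples and return all findings."""
    return (scan_registry_export(SAMPLE_REG_EXPORT)
            + scan_proxy_log(SAMPLE_PROXY_LOG)
            + scan_mutexes(SAMPLE_MUTEXES))


if __name__ == "__main__":
    for source, kind, detail in scan_all():
        print(f"[{source}] {kind}: {detail}")
```

Domain matching is done on the full host with a subdomain check rather than a substring search, so a lookalike such as notarrowrat-c2.com does not fire, while cdn.arrowrat-c2.com does; the registry check is scoped to the exact Run key the page names, and the mutex check compares only the final path component because Global\ objects show up under \BaseNamedObjects in handle listings.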
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.