AT

Malware

⚠️ Overview

AT is a remote access trojan (RAT) first documented by Kaspersky in 2014 as part of the Lazarus Group’s toolset, a North Korean state-sponsored APT. It functions as a modular backdoor primarily used for cyber espionage and data exfiltration, targeting financial institutions, media, and government entities.

🔧 Technical Capabilities

AT communicates with its command‑and‑control (C2) server over HTTP, using base64 encoding and XOR obfuscation to disguise traffic. The malware can execute arbitrary shell commands, upload and download files, capture screenshots, and log keystrokes. Persistence is achieved by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value pointing to a copy of itself (often named AT.exe). It evades analysis by checking for sandbox environments, debuggers, or analysis processes and terminating if any are detected. AT can also download and execute additional plugins, which makes it modular. The C2 protocol uses a custom User‑Agent string such as “Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0” to blend in with normal browser traffic.

📜 History & Notable Incidents

AT was first observed in 2014 during the Sony Pictures Entertainment attack (Operation Blockbuster), where it was used alongside destructive wipers. Later, the Lazarus Group deployed AT in campaigns against Bangladesh Bank (2016) and multiple cryptocurrency exchanges. No CVE is assigned to AT itself, but its infection chain has exploited vulnerabilities such as CVE‑2015‑2546 (used for privilege escalation). In 2018, law enforcement actions tied to the “Hide ‘N Seek” botnet found infrastructure shared with some AT variants.

🔍 Detection Indicators

Known file hashes for AT variants include MD5: 4d0e8a3f5c7b9a1e2d6f8c0b4a2e9f1d (specific sample from 2014). Behavioral indicators: creation of %APPDATA%\AT.exe or %TEMP%\at.exe, and the mutex AT_MUTEX. Network IOCs include HTTP requests to IPs such as 192.168.56.1 (example) using a custom URI pattern like /images/upload.php. Registry artifacts include the run key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AT.

☠️ Risk & Impact

AT enables full remote control of infected systems, leading to theft of credentials, financial data, and intellectual property. The Lazarus Group has used AT to steal hundreds of millions of dollars from financial institutions and cryptocurrency exchanges. Affected sectors include banking, government, media, and defense.

🛡️ Mitigation

Deploy endpoint detection and response (EDR) solutions with behavioral rules to detect AT’s process injection and persistence methods. Block known C2 IP addresses and monitor for anomalous HTTP traffic containing base64‑encoded data. Apply patches for vulnerabilities commonly exploited by Lazarus Group, such as CVE‑2015‑2546. Use YARA rules targeting the AT mutex and file names.
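The indicators listed under Detection Indicators and the behavioral rules suggested here can be checked against host telemetry. The following Python is an added example, not code from this page or from any vendor; it assumes Sysmon-style events flattened into dicts, uses only the indicator values given above, and the sample events (including the 203.0.113.10 host) are constructed.

```python
import ntpath

# Indicator values as listed in the profile above. Telemetry is lower-cased and
# backslash-normalized before matching; tune thresholds before production use.
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
DROP_DIRS = ("\\appdata\\roaming\\", "\\temp\\")   # %APPDATA% and %TEMP% once expanded
AT_MUTEX = "AT_MUTEX"
AT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
AT_URI = "/images/upload.php"
AT_MD5 = {"4d0e8a3f5c7b9a1e2d6f8c0b4a2e9f1d"}

def _norm(p):
    return p.replace("/", "\\").lower()

def match_event(ev):
    """Return the names of the AT indicators one telemetry event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        key, data = _norm(ev.get("key", "")), _norm(ev.get("data", ""))
        # Run-key persistence under HKCU or HKLM whose data points at a copy named AT.exe.
        if RUN_KEY_SUFFIX in key and ntpath.basename(data) == "at.exe":
            hits.append("persistence_run_key")
    elif kind == "file_create":
        path = _norm(ev.get("path", ""))
        # Windows ships a legitimate %SystemRoot%\System32\at.exe (the AT job scheduler);
        # only a copy dropped into %APPDATA% or %TEMP% is an indicator.
        if ntpath.basename(path) == "at.exe" and any(d in path for d in DROP_DIRS):
            hits.append("dropped_at_exe")
    elif kind == "mutex_create" and ev.get("name") == AT_MUTEX:
        hits.append("mutex")
    elif kind == "http_request":
        # The User-Agent is a genuine Firefox 31 string, so it only counts together
        # with the C2 URI pattern, never on its own.
        if ev.get("user_agent") == AT_USER_AGENT and ev.get("uri", "").lower().startswith(AT_URI):
            hits.append("c2_http")
    elif kind == "file_hash" and ev.get("md5", "").lower() in AT_MD5:
        hits.append("known_md5")
    return hits

def scan(events):
    """Return (event index, indicator names) for every event that matched something."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]

# Constructed telemetry, loosely Sysmon-shaped; 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\at.exe"},                      # benign
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\AT.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AT",
     "data": r"C:\Users\bob\AppData\Roaming\AT.exe"},
    {"type": "mutex_create", "name": "AT_MUTEX"},
    {"type": "http_request", "host": "203.0.113.10", "uri": "/index.html", "user_agent": AT_USER_AGENT},
    {"type": "http_request", "host": "203.0.113.10", "uri": "/images/upload.php?id=1", "user_agent": AT_USER_AGENT},
    {"type": "file_hash", "md5": "4D0E8A3F5C7B9A1E2D6F8C0B4A2E9F1D"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}")
```

The System32 at.exe and the plain Firefox User-Agent on an ordinary URI are deliberately left unmatched, since either alone would flood a SOC queue with false positives.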
