Cannibal Rat

RAT

⚠️ Overview

Cannibal Rat is a remote access trojan (RAT) with information-stealing capabilities, first documented in public reports in 2023. The sources this page draws on attribute it to the threat actor Proofpoint tracks as TA456; note that Proofpoint's own reporting ties the TA456 label to an Iran-aligned group, so the "Chinese-speaking" description sometimes attached to this malware does not match that designation and the attribution should be treated as unconfirmed. It is delivered mainly through spear-phishing campaigns against organisations in the cryptocurrency and technology sectors.

🔧 Technical Capabilities

Cannibal Rat is executed through DLL side-loading (MITRE ATT&CK T1574.002), with the loader masquerading as legitimate software such as AutoCAD or Adobe installers; persistence is established separately, through a registry Run key (see Detection Indicators). Command-and-control traffic goes to public cloud services, Dropbox and GitHub, over TLS, so it blends in with legitimate HTTPS to those domains; a domain generation algorithm (DGA) is also reported, which would only come into play for C2 endpoints outside those fixed services. The malware performs keylogging, clipboard monitoring and credential theft, and exfiltrates browser-stored passwords and cryptocurrency wallet files. Evasion techniques include an AMSI bypass, process hollowing (T1055.012) and disabling Windows Defender through registry modifications (T1562.001); the Defender change, like the HKLM Run key used for persistence, requires the payload to be running with administrative rights.

📜 History & Notable Incidents

First publicly reported in June 2023 (by Talos Intelligence, according to this page's sources), Cannibal Rat was used in a campaign against cryptocurrency exchanges in Southeast Asia, with the actor also distributing the malware through compromised YouTube channels. No corporate victims have been named publicly, but a UK NCSC advisory from December 2023 is cited as linking the malware to credential theft from at least two DeFi platforms. No CVEs are associated with it: initial execution depends on the user running a malicious script or installer (T1204, User Execution), not on a software vulnerability.

🔍 Detection Indicators

The two hashes this page lists as SHA-256 indicators cannot be used as such: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA-256 of empty input and identifies no file, and 5d41402abc4b2a76b9719d911017c592 is 32 hex characters (a 128-bit, MD5-length value), not a SHA-256 digest. Take sample hashes from the original Talos or VirusTotal reports before putting them into a blocklist. The behavioral indicators are more useful: a value written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with a random-looking name, and HTTPS connections to api.github.com and dropbox.com from a process that is not a browser. The reported User-Agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36, is the prefix shared by every Chrome- and Edge-based browser and matches ordinary web traffic, so it only has value in combination with the originating process. A mutex named CannibalMutex_001 has been observed.

☠️ Risk & Impact

The primary impact is credential theft and data exfiltration, which can lead to cryptocurrency wallet compromise and direct financial loss. A Proofpoint report from October 2023 estimated cumulative losses of over $500,000 from attacks on individual users and small exchanges. The sectors most affected are finance, especially cryptocurrency services, and software development.

🛡️ Mitigation

Defenders should block execution of unsigned scripts and apply application control (WDAC or AppLocker). Microsoft Defender for Endpoint has no attack surface reduction rule specific to DLL side-loading; the relevant rule is the one that blocks executable files, including DLLs, unless they meet a prevalence, age or trusted-list criterion, which can stop the low-prevalence malicious DLL that a renamed legitimate host loads. Enable tamper protection so that Defender's own settings cannot be disabled through the registry; it does not block registry changes in general, so Run-key persistence still needs to be monitored. Deploy the YARA rules published in Cisco Talos's GitHub repository (available as of September 2023).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.