ComRAT

Malware

⚠️ Overview

ComRAT (also described as the successor of Agent.btz) is a remote access trojan (RAT) attributed to the Russian state-sponsored threat group Turla (also tracked as Snake, Venomous Bear, Waterbug and Uroburos). It descends from Agent.btz, the USB-spreading worm behind the 2008 compromise of US military networks (US Central Command) that triggered the Pentagon's Operation Buckshot Yankee cleanup. Agent.btz was first analysed in 2008; researchers at Kaspersky and G DATA linked it to the Turla toolset in 2014, G DATA documented the ComRAT successor in early 2015, and ESET published an analysis of ComRAT v4 in May 2020. Turla's Snake implant was attributed to Center 16 of Russia's Federal Security Service (FSB) by the US Department of Justice and CISA in May 2023. ComRAT is classified as a backdoor designed for long-term espionage, document exfiltration and covert C2 communication.

🔧 Technical Capabilities

ComRAT is a backdoor whose core jobs are executing operator commands, discovering documents on the host and exfiltrating them. The original Agent.btz spread via infected USB drives using autorun.inf; later ComRAT versions are not self-propagating and are installed on hosts where Turla already has a foothold, for example through its PowerStallion PowerShell backdoor, as ESET observed for v4. ComRAT v4 has two C2 channels: a legacy HTTP channel, and a channel that drives the Gmail web interface with cookies stored in its configuration, reading commands from mail attachments and uploading results the same way, so C2 blends into ordinary HTTPS browser traffic. Persistence used COM object hijacking in early versions (the origin of the name) and a scheduled task in v4; the v4 orchestrator is injected into explorer.exe, the communication module is injected into the default browser, and configuration and logs are kept in an encrypted virtual FAT16 file system rather than as plain files on disk. Evasion relies on this injection, on C2 that runs inside the real browser process and on encrypted storage; ESET also observed the operators collecting antivirus logs from victims to check whether their tools had been detected.

📜 History & Notable Incidents

ComRAT's ancestor Agent.btz was used in the 2008 breach of US Central Command networks, which the Pentagon attributed to a foreign intelligence agency and which US officials later linked to Russia. Through the 2010s Turla deployed ComRAT against diplomatic and government targets in Europe and Central Asia. Turla as a group is linked to the 2016 breach of the Swiss defence contractor RUAG (documented by the Swiss GovCERT) and to the 2017 to 2018 intrusion into the German Foreign Office, although public reporting does not show ComRAT specifically in those cases. In May 2020, ESET documented ComRAT v4, in use since at least 2017 and still active in January 2020, against at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region. No law enforcement action has targeted ComRAT specifically; the closest related action is the May 2023 US-led disruption of Turla's Snake implant (Operation MEDUSA).

🔍 Detection Indicators

Sample hashes, C2 host names and YARA rules for ComRAT v4 are published in ESET's 2020 report and in ESET's malware-ioc GitHub repository (https://github.com/eset/malware-ioc); indicators should be taken from those sources rather than from third-party summaries. Behavioural indicators derived from ESET's analysis age better than hashes: a scheduled task that loads a DLL from a user-writable location, a remote thread created in explorer.exe by a non-system process followed by explorer.exe creating a thread in the default browser (cross-process injection), browser traffic to the Gmail web interface from hosts that have no business use for it, and legacy HTTP C2 requests to the host names embedded in the configuration. Persistence in earlier versions appears as COM object hijacking: per-user CLSID entries under HKCU\Software\Classes\CLSID whose InprocServer32 value redirects a system COM class to an attacker-controlled DLL.

☠️ Risk & Impact

ComRAT gives operators full remote control of an infected host, and its document-discovery and exfiltration commands support long-term theft of classified documents, intellectual property and diplomatic communications; ESET observed v4 operators running discovery commands and exfiltrating documents through the Gmail channel. Financial losses are indirect (incident response, network rebuilds, compromised negotiating positions), and no reliable public cost figure exists for the RUAG or German Foreign Office cases. Targeting is concentrated on government, military and diplomatic organisations in Europe, the Caucasus and Central Asia; reporting on ComRAT itself does not support claims of a separate energy or telecom victim base.

🛡️ Mitigation

Mitigation starts with the access paths: disable USB autorun and block untrusted removable media (the Agent.btz vector), keep Windows and Office patched, and hunt for the Turla footholds that precede a ComRAT v4 install, such as PowerShell-based backdoors. On the endpoint, alert on scheduled tasks that run code from user-writable paths, on cross-process thread creation into explorer.exe and into browsers (Sysmon Event ID 8), and on per-user COM hijacking entries under HKCU\Software\Classes\CLSID. On the network, baseline which hosts legitimately use the Gmail web interface and flag the rest, and review long-lived HTTP sessions to hosts outside the organisation's allow-list; because ComRAT v4 drives Gmail from inside the real browser, TLS inspection alone will not separate it from normal use. Relevant MITRE ATT&CK techniques are T1053.005 (Scheduled Task), T1546.015 (Component Object Model Hijacking), T1055 (Process Injection), T1102.002 (Web Service: Bidirectional Communication), T1059.001 (PowerShell) and T1547.001 (Registry Run Keys / Startup Folder); ESET's YARA rules and Sigma rules for these techniques should be integrated into SOC workflows.
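The behavioural indicators listed under Detection Indicators and the endpoint and network checks above, as an added example that is not code from the page, from ESET or from Turla. The script triages Sysmon-style events (one event per line, pipe-separated key=value fields using Sysmon field names) for the four ComRAT v4-like patterns: scheduled tasks running code from a user-writable path, remote threads into explorer.exe and from explorer.exe into a browser, per-user COM hijacking entries, and Gmail web traffic from hosts outside an allow-list. The event format, the host names, user names, paths, CLSID and the allow-lists are all constructed for the demonstration.

```python
"""Triage Sysmon-style events for ComRAT v4-like persistence, injection and C2.

Added example, not from the page or from ESET. The line format and every
host, path, CLSID and allow-list entry below are constructed (hypothetical).
"""
import re
from dataclasses import dataclass

# Hosts with a documented business need for the Gmail web interface (constructed).
GMAIL_ALLOWED_HOSTS = {"WS-MARKETING-07"}
# Processes allowed to create threads in explorer.exe (constructed, deliberately short).
TRUSTED_INJECTORS = {r"c:\windows\system32\csrss.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

FIELD_RE = re.compile(r"(\w+)=([^|]*)")
USER_WRITABLE_RE = re.compile(r"c:\\users\\", re.IGNORECASE)
# Per-user CLSID InprocServer32 value: the shape of a COM hijack (Sysmon reports user hives as HKU\<SID>).
COM_HIJACK_RE = re.compile(
    r"^hku\\[^\\]+\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.IGNORECASE)

# Constructed sample: Sysmon Event IDs 1 (process), 8 (remote thread), 13 (registry), 3 (network).
SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=schtasks /create /tn "Office Telemetry" /tr "rundll32.exe C:\Users\alice\AppData\Roaming\msoffice\ofc.dll,Start" /sc minute /mo 10
EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=schtasks /create /tn "Backup" /tr "C:\Program Files\BackupClient\backup.exe" /sc daily
EventID=8|SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\explorer.exe|StartFunction=-
EventID=8|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe|StartFunction=-
EventID=8|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\explorer.exe|StartFunction=-
EventID=13|Image=C:\Windows\System32\rundll32.exe|TargetObject=HKU\S-1-5-21-1\Software\Classes\CLSID\{CAFE0001-1111-2222-3333-444455556666}\InprocServer32\(Default)|Details=C:\Users\alice\AppData\Roaming\msoffice\shell.dll
EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Classes\CLSID\{CAFE0001-1111-2222-3333-444455556666}\InprocServer32\(Default)|Details=C:\Windows\System32\shell32.dll
EventID=3|Computer=WS-FIN-12|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=mail.google.com|DestinationPort=443
EventID=3|Computer=WS-MARKETING-07|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=mail.google.com|DestinationPort=443
""".strip().splitlines()


@dataclass
class Alert:
    rule: str
    event: dict


def parse_event(line: str) -> dict:
    """Split one pipe-separated key=value line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the ATT&CK-tagged rules matched by a single event (empty list if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1" and basename(ev.get("Image", "")) == "schtasks.exe":
        cmd = ev.get("CommandLine", "")
        if "/create" in cmd.lower() and USER_WRITABLE_RE.search(cmd):
            hits.append("T1053.005 scheduled task running code from a user-writable path")
    elif eid == "8":
        src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if basename(dst) == "explorer.exe" and src.lower() not in TRUSTED_INJECTORS:
            hits.append("T1055 remote thread into explorer.exe (ComRAT v4 orchestrator pattern)")
        if basename(src) == "explorer.exe" and basename(dst) in BROWSERS:
            hits.append("T1055 explorer.exe injecting into a browser (ComRAT v4 comms module pattern)")
    elif eid == "13":
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if COM_HIJACK_RE.search(target) and not details.lower().startswith("c:\\windows\\"):
            hits.append("T1546.015 COM hijack: per-user CLSID InprocServer32 pointing outside C:\\Windows")
    elif eid == "3":
        if (ev.get("DestinationHostname", "").lower() == "mail.google.com"
                and ev.get("Computer") not in GMAIL_ALLOWED_HOSTS):
            hits.append("T1102.002 Gmail web interface contacted from a host without business use")
    return hits


def triage(lines) -> list[Alert]:
    """Run every rule over every non-empty line and collect the alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        for rule in check_event(ev):
            alerts.append(Alert(rule, ev))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        context = (a.event.get("CommandLine") or a.event.get("TargetImage")
                   or a.event.get("TargetObject") or a.event.get("DestinationHostname"))
        print(f"{a.rule} <- {context}")
```

On the constructed sample this raises five alerts and stays quiet on the benign task, the csrss.exe thread, the HKLM COM registration and the allow-listed Gmail host. The Gmail rule is only a baseline check and will fire on any unlisted host that uses Gmail; it is meant to be correlated with the two injection alerts from the same machine, not acted on alone. The trusted-injector list is intentionally tiny and would need tuning against a real estate before deployment.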


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.