Cotx RAT
⚠️ Overview
Cotx RAT is a remote access trojan (RAT) first documented in 2021 by Trend Micro’s Zero Day Initiative, believed to be operated by the advanced persistent threat group TA428 (Mustang Panda) based on shared infrastructure and TTPs. The malware is categorized as a commodity RAT designed for espionage and data theft, with initial delivery via spear-phishing emails containing malicious Office documents (typically .docx or .xls) exploiting CVE-2017-11882 and CVE-2018-0802 vulnerabilities in Equation Editor (MITRE ATT&CK T1204.002, T1566.001).
🔧 Technical Capabilities
Once executed, Cotx RAT establishes persistence by creating a scheduled task (MITRE T1053.005) or adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command-and-control (C2) server via HTTP POST requests using encrypted payloads (RC4 with a hardcoded 16-byte key), with C2 domains often mimicking legitimate services (e.g., update.office365-backup[.]com). The RAT enumerates files, captures keystrokes (T1056.001), steals credentials from browsers and email clients, and can download and execute additional modules (T1574.002). Evasion techniques include sleeping for random intervals before beaconing, using custom User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36, and checking for sandbox environments by detecting debugging tools like Process Explorer (T1497). Propagation is limited to manual lateral movement via stolen credentials and RDP (T1021.001).
📜 History & Notable Incidents
First observed in January 2021 targeting government ministries in Myanmar and the Philippines, Cotx RAT was deployed in a campaign by Mustang Panda (also tracked as TA428, RedDelta) that leveraged COVID-19 themed lures (e.g., “COVID-19 update.doc”). No CVEs are directly associated with the RAT itself, but it exploits the aforementioned Equation Editor flaws. A 2022 report by Palo Alto Networks Unit 42 documented a variant using domain generation algorithms (DGAs) to rotate C2 endpoints. No law enforcement takedowns have been reported.
🔍 Detection Indicators
Known file hashes from public IOC feeds include MD5 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 and SHA256 efghijklmnopqrstuvwxyz1234567890abcdef (examples only; check vendor reports for exact hashes). Behavioral indicators include the creation of the scheduled task “MicrosoftEdgeUpdateTask” in Task Scheduler and outbound connections to IPs on port 8080 or 443 with RC4-encrypted POST bodies. Registry artifacts include the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate. Network IOCs include User-Agent strings with “WinHttp.WinHttpRequest” or “COTX” in the HTTP header.
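The following is an added example, not code from this profile or from any vendor, that turns the behavioral and network indicators listed above into a small triage check over constructed proxy/EDR events. The task name, Run key and User-Agent markers come from this page; the entropy heuristic for RC4-encrypted POST bodies, the event field names and the thresholds are assumptions.

```python
import math
from collections import Counter

# Indicators quoted from the profile above.
TASK_NAME = "MicrosoftEdgeUpdateTask"
RUN_KEY_SUFFIX = r"\currentversion\run\microsoftedgeupdate"
UA_MARKERS = ("WinHttp.WinHttpRequest", "COTX")
C2_PORTS = {8080, 443}
# Assumption, not from the page: RC4 ciphertext has a near-uniform byte distribution,
# so its Shannon entropy approaches 8 bits/byte; short bodies cannot reach that.
MIN_BODY_LEN = 512
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant body, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_event(event: dict) -> list:
    """Return the indicator names matched by one event (field names are assumed)."""
    hits = []
    if any(marker in event.get("user_agent", "") for marker in UA_MARKERS):
        hits.append("cotx-user-agent")
    if event.get("method") == "POST" and event.get("dst_port") in C2_PORTS:
        body = bytes.fromhex(event.get("body_hex", ""))
        if len(body) >= MIN_BODY_LEN and shannon_entropy(body) >= ENTROPY_THRESHOLD:
            hits.append("high-entropy-post-body")
    if event.get("task_name") == TASK_NAME:
        hits.append("cotx-scheduled-task")
    if event.get("reg_key", "").lower().endswith(RUN_KEY_SUFFIX):
        hits.append("cotx-run-key")
    return hits

def scan(events: list) -> dict:
    """Map the index of every event with at least one hit to its matched indicators."""
    scored = ((i, score_event(e)) for i, e in enumerate(events))
    return {i: hits for i, hits in scored if hits}

# Constructed sample events; the uniform 512-byte body stands in for RC4 ciphertext.
SAMPLE_EVENTS = [
    {"method": "POST", "dst_port": 443, "user_agent": "WinHttp.WinHttpRequest.5.1",
     "body_hex": (bytes(range(256)) * 2).hex()},
    {"method": "GET", "dst_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "body_hex": ""},
    {"task_name": TASK_NAME},
    {"reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"},
]
```

Port 443 alone is not a signal; the body-entropy check only fires together with a POST, and the User-Agent, task and Run-key matches are the higher-confidence indicators.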
☠️ Risk & Impact
Cotx RAT primarily targets government and diplomatic entities in Southeast Asia, exfiltrating sensitive documents and credentials that can lead to geopolitical espionage or further network compromise. Financial losses are indirect but significant due to remediation costs and data breach disclosure requirements. The malware has been linked to the theft of classified policy documents from ministries of foreign affairs.
🛡️ Mitigation
Defenders should apply Microsoft patches for CVE-2017-11882 and CVE-2018-0802, enable AMSI and Windows Defender Attack Surface Reduction rules, and block outbound connections to known malicious IPs from threat intelligence feeds (e.g., AlienVault OTX). Deploy YARA rules detecting RC4 keys and the scheduled task persistence method, and restrict RDP access to critical systems.