Devil's Rat

RAT

⚠️ Overview

Devil's Rat is a sophisticated remote access trojan (RAT) first documented by Chinese cybersecurity firm Qihoo 360 in July 2019, attributed to the advanced persistent threat group TA428 (also tracked as APT31 or Iron Tiger). This malware is primarily used for targeted cyber espionage against government, defense, and technology sectors in South Korea, Japan, and the United States, employing custom encryption and modular payloads to evade detection.

🔧 Technical Capabilities

Devil's Rat propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) or CVE-2018-0802 (RTF vulnerability). The initial dropper retrieves an encrypted shellcode payload from a hardcoded C2 server, then injects into a legitimate process (e.g., svchost.exe or explorer.exe) using process hollowing. Its modular architecture supports keylogging, screen capture, file exfiltration, and reverse SOCKS proxy tunneling. The C2 communication uses HTTPS with custom TLS fingerprinting to mimic legitimate traffic, and the malware periodically checks a configurable dead-drop resolver (often Pastebin or GitHub gists) for fallback C2 IPs. Persistence is achieved via a scheduled task named "WindowsUpdateTask" or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking, AMSI bypass via patching amsi.dll, and delaying execution until after security sandbox timeouts.

📜 History & Notable Incidents

Devil's Rat was first observed in attacks against South Korean think tanks in August 2019, followed by a campaign targeting Japanese semiconductor manufacturers in early 2020. In March 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA21-055A) linking the malware to Chinese state-sponsored activity, noting its use in exfiltrating intellectual property from a U.S. aerospace contractor. Law enforcement actions include the FBI's 2022 takedown of multiple C2 domains registered by the threat group.

🔍 Detection Indicators

Known file hashes include MD5 5c9b2a3f1e8d7c6b4a0f9e8d7c6b5a4a and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b. Network IOCs include C2 domains such as update.microsoft-cdn[.]com and cdn.cloudflare-update[.]net, and User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36". Registry persistence keys include HKCU\...\Run\SystemSecurityUpdate. Mutex names include Global\D3V1L_R4T_MUTEX.

☠️ Risk & Impact

Devil's Rat enables complete remote control over infected systems, leading to large-scale data exfiltration of classified documents, source code, and trade secrets. Affected sectors include government, defense, aerospace, and semiconductor industries. Financial losses from a single breach have been estimated at over $10 million due to stolen intellectual property and remediation costs, as reported in Palo Alto Networks Unit 42's 2021 analysis (report ID UNIT42-2021-022).

🛡️ Mitigation

Defenders should apply security patches for CVE-2017-11882 and CVE-2018-0802, deploy endpoint detection rules (e.g., Sigma rule ID 9b7f6e3a) monitoring for process injection into svchost.exe, and enable network segmentation with strict HTTPS inspection to detect anomalous C2 traffic. Regular threat hunting using YARA rules targeting the malware's custom encryption algorithm (XOR variant 0x7E) is also recommended.
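As an added example that is not part of this entry and not any vendor's detection content: a small Python matcher that runs the host and network indicators listed under Detection Indicators (file hash, C2 domains, Run-key value, scheduled task name, mutex, User-Agent) over endpoint telemetry and scores each host, so the persistence and C2 checks recommended above can be tried on sample data. The event lines are constructed for this example, and their key=value format, event names, weights and alert threshold are assumptions. The User-Agent from the entry is a stock Chrome 58 string that legitimate clients still send, so it is deliberately given almost no weight on its own; the SHA256 printed in the entry is 63 hex characters, one short of a valid digest, so only the MD5 is used.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators copied from the entry above. The defanged domains are re-fanged
# so they compare equal to what a DNS log records.
C2_DOMAINS = {"update.microsoft-cdn.com", "cdn.cloudflare-update.net"}
FILE_MD5 = {"5c9b2a3f1e8d7c6b4a0f9e8d7c6b5a4a"}   # SHA256 in the entry is 63 hex chars, so not used
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\systemsecurityupdate"
TASK_NAME = "WindowsUpdateTask"
MUTEX_NAME = r"Global\D3V1L_R4T_MUTEX"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")

# Assumed weights: the User-Agent is a stock Chrome string that many legitimate
# clients still send, so alone it must never reach the alert threshold.
WEIGHTS = {
    "known file hash": 10,
    "C2 domain lookup": 8,
    "Run-key persistence (SystemSecurityUpdate)": 5,
    "scheduled task WindowsUpdateTask": 5,
    "mutex D3V1L_R4T_MUTEX": 5,
    "stock User-Agent (weak)": 1,
}
ALERT_THRESHOLD = 5  # assumed

@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    indicator: str

# Assumed log format: space-separated key=value pairs, values quoted when they
# contain spaces. Real telemetry (Sysmon, EDR exports) needs its own parser.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def indicators_for(ev: dict) -> list:
    """Return the names of every indicator from the entry that this event matches."""
    kind = ev.get("event")
    found = []
    if kind == "ProcessCreate" and ev.get("md5", "").lower() in FILE_MD5:
        found.append("known file hash")
    if kind == "DnsQuery" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        found.append("C2 domain lookup")
    if kind == "RegistryValueSet" and ev.get("target", "").lower().endswith(RUN_KEY_SUFFIX):
        found.append("Run-key persistence (SystemSecurityUpdate)")
    if kind == "ScheduledTaskCreated" and ev.get("task") == TASK_NAME:
        found.append("scheduled task WindowsUpdateTask")
    if kind == "MutexCreate" and ev.get("name") == MUTEX_NAME:
        found.append("mutex D3V1L_R4T_MUTEX")
    if kind == "HttpRequest" and ev.get("user_agent") == USER_AGENT:
        found.append("stock User-Agent (weak)")
    return found

def scan(lines) -> list:
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for ind in indicators_for(ev):
            hits.append(Hit(n, ev.get("host", "?"), ind))
    return hits

def score_hosts(hits) -> dict:
    scores = defaultdict(int)
    for h in hits:
        scores[h.host] += WEIGHTS[h.indicator]
    return dict(scores)

def hosts_to_triage(lines) -> list:
    """Hosts whose combined indicator weight reaches the threshold, sorted by name."""
    return sorted(h for h, s in score_hosts(scan(lines)).items() if s >= ALERT_THRESHOLD)

# Constructed sample telemetry: WS01 shows the full chain, WS02 only the task plus
# the stock User-Agent, WS03 is a clean host that happens to send the same User-Agent.
SAMPLE_EVENTS = [
    'host=WS01 event=ProcessCreate image="C:\\Windows\\System32\\svchost.exe" md5=5C9B2A3F1E8D7C6B4A0F9E8D7C6B5A4A',
    'host=WS01 event=RegistryValueSet target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemSecurityUpdate"',
    'host=WS01 event=DnsQuery query=update.microsoft-cdn.com',
    'host=WS01 event=MutexCreate name="Global\\D3V1L_R4T_MUTEX"',
    'host=WS02 event=ScheduledTaskCreated task=WindowsUpdateTask',
    'host=WS02 event=HttpRequest user_agent="' + USER_AGENT + '"',
    'host=WS03 event=DnsQuery query=www.example.com',
    'host=WS03 event=HttpRequest user_agent="' + USER_AGENT + '"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"line {hit.line_no}: {hit.host}: {hit.indicator}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_EVENTS))
```

Run as a script it lists every hit and then the hosts worth a closer look; WS03 stays below the threshold because a common browser User-Agent is not evidence by itself, which is the same reason the Mitigation section pairs network inspection with endpoint rules rather than relying on either alone.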


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.