RadRAT

Malware

⚠️ Overview

RadRAT is a remote access trojan (RAT) for Windows. The sources compiled on this page date its first public documentation to a 2017 Kaspersky report and attribute it to the North Korean threat group Lazarus (tracked by U.S. CISA as HIDDEN COBRA); treat that attribution as reported rather than confirmed until it has been checked against the primary vendor report. It is custom-built malware used for espionage and financial theft, with cryptocurrency exchanges and financial institutions as its main targets.

🔧 Technical Capabilities

RadRAT communicates with its command-and-control (C2) server over HTTP. Payloads are AES-encrypted with a key derived from a string hardcoded in the binary, so every sample built with that string shares one key, and anyone who extracts the string from a sample can decrypt captured traffic. The custom protocol carries file upload and download, keylogging, screen capture and process execution, and includes a "PING" keep-alive, which means an infected host issues requests at a roughly fixed interval even when no operator is active. Persistence is established through registry Run keys or scheduled tasks. Evasion techniques include UPX packing, checks for debuggers and virtual machines, and a User-Agent string that imitates a browser (for example one beginning "Mozilla/5.0"); nearly every real browser sends that prefix, so the User-Agent on its own is not an indicator. For lateral movement, a dropper component can copy the malware to shared directories and removable drives.

📜 History & Notable Incidents

According to the sources compiled here, RadRAT was first deployed in 2017 against South Korean cryptocurrency exchanges, most notably in the attack on the Youbit exchange that led to losses of over $5 million. In 2018 a variant was used in campaigns against the banking sector in Southeast Asia, as described in reports by Kaspersky and FireEye. The same sources associate the malware's initial access with CVE-2017-8759, a remote code execution flaw in the .NET Framework's SOAP WSDL parser that was exploited in the wild through malicious RTF/Office documents; later versions are reported to rely on spear-phishing attachments instead.

🔍 Detection Indicators

The SHA-256 listed for this family, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 of empty (zero-length) input. It cannot identify any malware sample and must not be loaded into a blocklist or detection rule; take sample hashes from the primary vendor report instead. Behavioural indicators reported for the malware are outbound HTTP traffic to addresses in the 5.45.178.0/24 range, a value named "RadRAT" written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and creation of a mutex named "RadMutex-{random}". The value and mutex names are trivial for the operators to change and any address range ages quickly, so confirm each indicator against a current report before alerting or blocking on it.
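As an added example (not code from this page's sources or from any vendor report), the following Python matches the two host-side indicators above, the Run-key value name and the mutex name, against endpoint events; it also covers the Run-key persistence described under Technical Capabilities. The event records are constructed and use a simplified Sysmon-like shape rather than a real vendor schema, and the mutex_create event type is an assumption standing in for EDR telemetry, since Sysmon itself does not log mutex creation. The matcher accepts the hive in the spellings telemetry actually uses (HKCU, HKEY_CURRENT_USER, or Sysmon's HKU\<SID> form), because a pattern written only for "HKCU" silently misses Sysmon events.

```python
"""Match the host-side indicators listed above against endpoint telemetry.

Added example, not code from RadRAT's sources or from any vendor. EVENTS is
constructed: a simplified Sysmon-like shape (event_type plus a few fields),
not a real vendor schema. The mutex_create type is an assumption standing in
for EDR telemetry, since Sysmon itself does not record mutex creation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HKCU Run/RunOnce in every spelling telemetry uses: HKCU, HKEY_CURRENT_USER, or
# Sysmon's HKU\<user SID>. A pattern written only for "HKCU" misses Sysmon events.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)
RUN_VALUE_NAME = "radrat"                          # value name from the indicator list, compared case-insensitively
MUTEX_RE = re.compile(r"^RadMutex-[0-9A-Za-z]+$")  # "RadMutex-{random}" from the indicator list

EVENTS: List[Dict] = [
    {"id": 1, "event_type": "registry_set",
     "target": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\RadRAT",
     "data": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"id": 2, "event_type": "registry_set",   # benign autostart: different hive and value name
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"id": 3, "event_type": "mutex_create", "name": "RadMutex-7f3a9c21"},
    {"id": 4, "event_type": "mutex_create", "name": r"Global\UpdaterSingleInstance"},
    {"id": 5, "event_type": "registry_set",   # same indicator under RunOnce, lower-case value name
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\radrat",
     "data": r"C:\Users\alice\AppData\Local\Temp\a.exe"},
    {"id": 6, "event_type": "process_create", "image": r"C:\Windows\System32\schtasks.exe"},
]


@dataclass
class Hit:
    event_id: int
    indicator: str
    technique: Optional[str]   # ATT&CK technique, where the indicator maps to one
    detail: str


def match_event(event: Dict) -> Optional[Hit]:
    """Return a Hit if the event matches one of the page's host indicators, else None."""
    kind = event.get("event_type")
    if kind == "registry_set":
        # Sysmon-style TargetObject is "<key>\<value name>"; split on the last backslash
        key, _, value_name = event["target"].rpartition("\\")
        if RUN_KEY_RE.match(key) and value_name.lower() == RUN_VALUE_NAME:
            return Hit(event["id"], "run_key_value_RadRAT", "T1547.001", event.get("data", ""))
    elif kind == "mutex_create":
        if MUTEX_RE.match(event["name"]):
            return Hit(event["id"], "mutex_RadMutex", None, event["name"])
    return None


def scan(events: List[Dict]) -> List[Hit]:
    """Run match_event over a batch of events and keep only the hits."""
    return [h for h in (match_event(e) for e in events) if h is not None]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"event {hit.event_id}: {hit.indicator} ({hit.technique or 'no technique'}) -> {hit.detail}")
```

Run against the constructed batch, events 1, 3 and 5 match and the benign autostart, the unrelated mutex and the schtasks process do not. The Run-key hit is tagged T1547.001 (Registry Run Keys / Startup Folder); mutex creation has no technique of its own, so that field is left empty rather than forced onto an unrelated ID.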

☠️ Risk & Impact

The sources compiled here put financial losses from RadRAT, through cryptocurrency theft and unauthorized wire transfers, at more than $10 million. Affected sectors include cryptocurrency exchanges, financial services, and manufacturing in East Asia, as documented by CISA and Kaspersky. Because the malware can exfiltrate files, keystrokes and screenshots, intrusions have also exposed sensitive customer information and trade secrets.

🛡️ Mitigation

Mitigation starts with the fundamentals: patch CVE-2017-8759 and keep Office and the .NET Framework current, enforce least privilege so that a compromised account can only write persistence inside its own profile, and segment the network so that one infected host cannot reach file shares it has no need for. Deploy endpoint detection and response (EDR) tooling with detections for the C2 pattern described above and for Run-key and scheduled-task persistence (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder, and T1053.005, Scheduled Task). On the network, block the reported addresses once they have been validated, and monitor web-proxy logs for regular HTTP beaconing from hosts whose other traffic is irregular. These sources cite Kaspersky's 2017 threat analysis report for detailed IOC lists.
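The beaconing check suggested above, together with the fixed-interval "PING" keep-alive described under Technical Capabilities, as an added example in Python that is not code from this page's sources. It scores each client-to-server flow in a web-proxy log on three independent signals: machine-like regularity of request timing, a destination inside the 5.45.178.0/24 range the page lists (taken as given here; verify it before blocking on it), and a browser User-Agent sent only to a bare IP address. The log lines are constructed, including the request path and the addresses; the third flow is a legitimate updater polling on an exact schedule, included to show why timing regularity alone should not page anyone.

```python
"""Score web-proxy flows for HTTP beaconing.

Added example, not code from RadRAT or from any vendor report. The log below is
constructed (timestamp, client, server, method, path, status, user-agent,
tab-separated); the listed C2 range is taken from this page and should be
verified before it is used to block anything.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

LISTED_C2_NETS = [ip_network("5.45.178.0/24")]  # range as listed on this page, unverified here
MIN_REQUESTS = 6    # below this, interval statistics are noise
MAX_JITTER = 0.10   # pstdev/mean of inter-request gaps; people rarely stay this regular
ALERT_SCORE = 2     # independent signals a flow needs before it is reported

BASE = datetime(2024, 5, 2, 10, 0, 0)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def _entry(offset_s: int, client: str, server: str, path: str, ua: str) -> str:
    """Build one constructed log line at BASE + offset_s seconds."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "\t".join([ts, client, server, "GET", path, "200", ua])


LOG = (
    # implant-like traffic: ~60 s cadence with small jitter, browser UA, bare IP in the listed range
    [_entry(o, "10.0.0.12", "5.45.178.20", "/index.php", BROWSER_UA)
     for o in (0, 61, 120, 182, 239, 301, 360, 421)]
    # a person browsing: bursty, irregular gaps
    + [_entry(o, "10.0.0.12", "www.example.com", "/", BROWSER_UA)
       for o in (5, 7, 40, 190, 192, 570)]
    # a legitimate updater polling every 300 s exactly: regular timing, nothing else suspicious
    + [_entry(300 * i, "10.0.0.30", "updates.corp.example", "/manifest", "CorpUpdater/3.1")
       for i in range(6)]
)


@dataclass
class Finding:
    client: str
    server: str
    requests: int
    mean_gap: float      # average seconds between consecutive requests
    jitter: float        # relative spread of those gaps (pstdev / mean)
    signals: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.signals)


def parse(line: str) -> Tuple[datetime, str, str, str]:
    ts, client, server, _method, _path, _status, ua = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, server, ua


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def in_listed_nets(host: str) -> bool:
    return is_ip_literal(host) and any(ip_address(host) in net for net in LISTED_C2_NETS)


def analyze(lines: List[str]) -> Dict[Tuple[str, str], Finding]:
    """Group requests by (client, server) and score every flow with enough samples."""
    flows: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, client, server, ua = parse(line)
        flows[(client, server)].append((ts, ua))

    findings: Dict[Tuple[str, str], Finding] = {}
    for (client, server), reqs in flows.items():
        if len(reqs) < MIN_REQUESTS:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        f = Finding(client, server, len(reqs), mean_gap, jitter)
        if jitter < MAX_JITTER:
            f.signals.append("machine_timed")
        if in_listed_nets(server):
            f.signals.append("listed_c2_range")
        # a "browser" that only ever talks to a raw IP, never a hostname, is not a browser
        if is_ip_literal(server) and all(ua.startswith("Mozilla/5.0") for _, ua in reqs):
            f.signals.append("browser_ua_to_ip_literal")
        findings[(client, server)] = f
    return findings


def alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Flows that reach ALERT_SCORE, i.e. worth an analyst's time."""
    return sorted(k for k, f in analyze(lines).items() if f.score >= ALERT_SCORE)


if __name__ == "__main__":
    for key, f in analyze(LOG).items():
        print(key, f"n={f.requests} mean_gap={f.mean_gap:.1f}s jitter={f.jitter:.2f}", f.signals)
    print("alerts:", alerts(LOG))
```

On the constructed log only the 10.0.0.12 to 5.45.178.20 flow crosses the threshold, with all three signals; the updater flow is just as regular but carries a single signal and stays below it, and the browsing flow carries none. In production the cadence and jitter thresholds need tuning per environment, and the address list is the weakest of the three signals, which is why it is scored rather than used as a hard block.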


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.