RarStar
⚠️ Overview
RarStar is a remote access trojan (RAT) first documented in July 2023 by the Zscaler ThreatLabz research team. It is believed to be operated by a Spanish‑speaking threat actor targeting financial institutions, primarily in Latin America, and is classified as a credential‑stealing backdoor that uses RAR archives as its initial infection vector.
🔧 Technical Capabilities
RarStar propagates via phishing emails carrying a benign‑looking RAR attachment; when the archive is opened, it drops a VBScript dropper that downloads the main payload from a hardcoded URL. The malware establishes persistence by creating a scheduled task named "WindowsUpdateTask" and a registry Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command‑and‑control (C2) infrastructure over HTTPS using a custom User‑Agent string that mimics a legitimate browser (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”). Evasion techniques include delaying execution until sandbox‑artifact checks (e.g., low disk space, short uptime) pass, and encrypting its payload sections with a simple XOR cipher. Once active, it injects a secondary DLL into a legitimate process (e.g., svchost.exe) to harvest stored credentials from web browsers and email clients.
📜 History & Notable Incidents
The first public analysis of RarStar appeared in a July 2023 Zscaler ThreatLabz blog post (titled “RarStar: A New RAT Targeting Latin American Banks”). No high‑profile individual victims have been named, but the campaign was observed striking at least five different financial institutions in Mexico and Colombia. As of early 2024, no CVEs have been directly associated with the malware; the campaign relies on social engineering and the abuse of legitimate Windows utilities (e.g., mshta.exe) rather than on exploited vulnerabilities. Law enforcement actions against this group have not been publicly reported.
🔍 Detection Indicators
Known SHA256 hashes for RarStar samples have been published on VirusTotal (examples: 2a3f8e1c…, b4c9d7a5… – exact values are available in Zscaler’s advisory). Behavioral indicators include repeated HTTP POST requests to a bare IP address on port 443 with the suspicious “/gate.php” endpoint, and a User‑Agent containing the “RarStar” or “rarstar” substring. Registry persistence is marked by the Run value “HKCU…\Run\WindowsUpdateTask” (not a legitimate Microsoft update component). Mutex names observed include “RarStarMutex_2023” and “Global\RarStar_Inst”.
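As an added example (not code from the page or from Zscaler's advisory), the following Python scans proxy log lines for the two network indicators above: HTTP POSTs to a bare IP on port 443 hitting /gate.php, and a User‑Agent containing the "rarstar" substring. The log line format and the addresses in the sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic); one request per line:
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = [
    '2024-01-15T10:02:11Z 10.0.0.21 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-01-15T10:02:14Z 10.0.0.21 POST https://203.0.113.45:443/gate.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-01-15T10:02:45Z 10.0.0.21 POST https://203.0.113.45:443/gate.php 200 "rarstar/1.0"',
    '2024-01-15T10:03:01Z 10.0.0.22 POST https://intranet.example.com/api/login 302 "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def _bare_ip_host(hostname):
    """True when the URL host is a literal IP address rather than a DNS name."""
    try:
        ip_address(hostname)
        return True
    except ValueError:
        return False

def scan_proxy_log(lines):
    """Return one finding per log line that matches a RarStar network indicator."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        url = urlsplit(m["url"])
        reasons = []
        # Beacon shape: HTTP POST to a bare IP on 443 using the /gate.php endpoint
        if (m["method"] == "POST" and url.path.endswith("/gate.php")
                and url.hostname and _bare_ip_host(url.hostname)
                and (url.port or 443) == 443):
            reasons.append("post_gate_php_to_ip")
        # User-Agent marker: the family name appears in the UA string (case-insensitive)
        if "rarstar" in m["ua"].lower():
            reasons.append("rarstar_user_agent")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "reasons": reasons})
    return findings
```

Run `scan_proxy_log(SAMPLE_LOG)` to get two findings for host 10.0.0.21; the intranet login POST and the ordinary browser GET produce none.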
☠️ Risk & Impact
The primary risk of RarStar is credential exfiltration from financial‑sector employees, enabling lateral movement and fraudulent wire transfers. In targeted campaigns, it has led to the theft of banking credentials and personally identifiable information (PII), with estimated financial losses in the low millions of dollars. The affected sectors are exclusively banking and financial services, with no reports of impact on critical infrastructure or healthcare.
🛡️ Mitigation
Defenders should block inbound email attachments with .rar and .vbs extensions unless explicitly authorized, and deploy YARA rules (available in the Zscaler ThreatLabz repository) to detect the XOR‑encoded payload. Additionally, enabling Microsoft Defender for Endpoint’s ASR rules for Office scripting and disabling mshta.exe execution in user contexts can prevent initial execution. Regular credential rotation and multi‑factor authentication (MFA) are advised to limit the impact of stolen credentials.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.