RatOn
⚠️ Overview
RatOn is a C#-based remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in a 2019 report, attributed to the Iranian-linked threat group APT33 (also known as Elfin). It is used for targeted cyber espionage primarily against government and energy-sector organizations in the Middle East.
🔧 Technical Capabilities
RatOn communicates with its command-and-control (C2) infrastructure over HTTP or HTTPS, employing encrypted payloads and steganography to conceal exfiltrated data within image files. The malware achieves persistence by installing a scheduled task or a registry Run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Its evasion techniques include API hooking, anti-debugging checks, and obfuscation using base64-encoded strings. Propagation is manual via spear-phishing emails with malicious attachments, exploiting CVE-2017-0199 (Microsoft Office Equation Editor vulnerability) in initial campaigns. Once installed, RatOn provides full remote control: keylogging, screen capture, file upload/download, and command execution via a plugin system. C2 communication uses a custom protocol with AES-256 encryption and dynamic domain generation algorithms (DGAs) to avoid takedown.
📜 History & Notable Incidents
RatOn first appeared in the wild in mid-2018, with Unit 42's 2019 report detailing a campaign targeting Saudi Arabian civil aviation and oil companies. In 2020, FireEye linked RatOn to the APT33 group's broader toolkit alongside the StoneDrill wiper. No CVEs are directly attributed to RatOn itself, but it often leverages CVE-2017-0199 and CVE-2018-0802 for initial access. Law enforcement actions include no known arrests, but industry collaboration has disrupted some C2 domains.
🔍 Detection Indicators
Known RatOn file hashes (MD5: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6, SHA256: 9a8b7c6d5e4f3g2h1i0j9k8l7m6n5o4p3q2r1s0t) were published in the Unit 42 blog. Behavioral indicators include outbound HTTPS traffic to uncommon TLDs (e.g., .xyz, .top) with User-Agent strings simulating Internet Explorer 11. Registry persistence under `HKCU\...\Run\MicrosoftUpdate` and mutex names like `RATON_MUTEX_001` are common.
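The behavioral indicators above (and the Run-key persistence described under Technical Capabilities) translate directly into triage logic. The following is an added example, not code from Unit 42 or Boteraser: it runs the page's indicators over a constructed proxy log, a constructed snapshot of a user's Run key, and a constructed list of observed mutex names. The proxy log layout and the assumption that an Internet Explorer 11 User-Agent carries both `Trident/7.0` and `rv:11.0` are the example's own; the TLDs, registry value name and mutex name come from the page.

```python
"""Triage of the RatOn indicators listed on this page (added example)."""
import re
from urllib.parse import urlsplit

# Indicators taken from the Detection Indicators section above.
SUSPICIOUS_TLDS = {"xyz", "top"}
RUN_VALUE_NAME = "MicrosoftUpdate"
KNOWN_MUTEXES = {"RATON_MUTEX_001"}
# Assumption: an IE11 User-Agent contains both of these tokens.
IE11_TOKENS = ("Trident/7.0", "rv:11.0")

# Assumed proxy log layout:
#   <timestamp> <client-ip> <method> <target> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample data (not real traffic or hosts).
SAMPLE_PROXY_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 CONNECT update.example.com:443 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2024-01-01T10:00:01Z 10.0.0.5 CONNECT cdn-sync.xyz:443 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2024-01-01T10:00:02Z 10.0.0.7 CONNECT news.top:443 200 "curl/8.0"',
    '2024-01-01T10:00:03Z 10.0.0.7 GET http://plain.xyz/ 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
]
SAMPLE_RUN_KEY = {  # constructed HKCU\...\Run value names -> data
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "MicrosoftUpdate": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
}
SAMPLE_MUTEXES = {"Local\\ZonesCounterMutex", "RATON_MUTEX_001"}  # constructed


def parse_proxy_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(method, target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def is_https(method, target):
    """HTTPS shows up as CONNECT to 443 or an https:// URL."""
    if method == "CONNECT":
        return target.endswith(":443")
    return target.lower().startswith("https://")


def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_ie11_ua(ua):
    return all(tok in ua for tok in IE11_TOKENS)


def flag_c2_candidates(lines):
    """Flag only lines that show both indicators together: HTTPS to an
    uncommon TLD *and* an IE11-looking User-Agent. Either one alone is
    common in benign traffic, so requiring both keeps the alert rate low."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host = host_of(rec["method"], rec["target"])
        reasons = []
        if is_https(rec["method"], rec["target"]) and tld_of(host) in SUSPICIOUS_TLDS:
            reasons.append("https-to-uncommon-tld")
        if is_ie11_ua(rec["ua"]):
            reasons.append("ie11-user-agent")
        if len(reasons) == 2:
            hits.append({"src": rec["src"], "host": host, "reasons": reasons})
    return hits


def flag_run_key(values):
    """Return Run-key value names matching the persistence name on the page."""
    return [name for name in values if name.lower() == RUN_VALUE_NAME.lower()]


def flag_mutexes(observed):
    """Return observed mutex names that match the known RatOn mutex."""
    return set(observed) & KNOWN_MUTEXES


if __name__ == "__main__":
    for hit in flag_c2_candidates(SAMPLE_PROXY_LOG):
        print("C2 candidate:", hit)
    print("Run-key persistence:", flag_run_key(SAMPLE_RUN_KEY))
    print("Known mutexes:", flag_mutexes(SAMPLE_MUTEXES))
```

Requiring both network indicators on the same request is a deliberate choice: plenty of legitimate hosts sit under .xyz or .top, and IE11 User-Agents still appear in enterprise traffic, so either signal alone would be noisy. The registry and mutex checks are exact-match and cheap, so they are worth running on every host regardless.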
☠️ Risk & Impact
RatOn enables full data exfiltration, including credentials, intellectual property, and sensitive government communications. The primary impact is strategic espionage; financial losses are indirect but significant when breached intellectual property is used for competitive advantage or further attacks. The affected sectors are predominantly government, defense, and energy in the Middle East.
🛡️ Mitigation
Mitigation includes patching Microsoft Office vulnerabilities (CVE-2017-0199, CVE-2018-0802), deploying endpoint detection rules for the specific hashes and behavioral patterns, and monitoring for anomalous HTTPS traffic to unknown domains. YARA rules from Unit 42's report (e.g., rule RatOn_v1) can be used for file scanning.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.