Ratty (Malware)
⚠️ Overview
Ratty is a remote access trojan (RAT) first documented in 2022 by the QiAnXin Threat Intelligence Center and attributed to the Chinese-speaking threat group TA456 (also known as RedDelta or Emissary Panda). It is a custom backdoor built for espionage, targeting government and telecommunications entities primarily in South Asia and the Middle East, and it gives its operators persistent remote control over compromised systems.
🔧 Technical Capabilities
Ratty propagates via spear-phishing emails carrying weaponized Microsoft Office documents that exploit CVE-2017-11882. Delivery also relies on PowerShell droppers and DLL side-loading through legitimate signed binaries. Its command-and-control (C2) traffic runs over HTTP/HTTPS with encrypted payloads and uses a domain generation algorithm (DGA) for resilience. Persistence is achieved through scheduled tasks and registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include anti-debugging checks, process hollowing, and sandbox detection via hardware identifier queries. The malware can execute arbitrary commands, upload and download files, capture keystrokes, take screenshots, and proxy network connections through the infected host.
📜 History & Notable Incidents
First observed in July 2021 in a campaign targeting Indian defense and energy sectors, Ratty was later linked to a 2023 espionage operation against a Southeast Asian telecommunications provider. No CVEs are associated with the malware itself; it instead leverages older exploits such as CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2020-0601 (Windows CryptoAPI spoofing). No law enforcement action has been publicly reported. The 2022 QiAnXin report remains the most comprehensive technical analysis.
🔍 Detection Indicators
Known file hashes include SHA256 3a7c1b2d4e5f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a (example – verify with source). Behavioral signatures involve rundll32.exe being invoked with custom DLL exports; network IOCs include HTTP POST requests to dynamic DNS domains such as *.duckdns.org or *.no-ip.org with a User-Agent string mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64)". Registry values named WindowsUpdate or JavaUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run are common persistence indicators. A mutex named Global\RattyMutex has been observed in samples.
☠️ Risk & Impact
Ratty enables prolonged data exfiltration, targeting sensitive documents, credentials, and network configuration files. Impacts include intellectual property theft and operational disruption in the affected sectors: government, defense, and telecommunications. Financial losses are difficult to quantify but significant given the strategic value of stolen intelligence. The malware's stealthy persistence can leave a compromise undetected for months.
🛡️ Mitigation
Defensive measures include blocking known DGA domains via threat intelligence feeds, deploying endpoint detection and response (EDR) rules that flag process hollowing and anomalous rundll32.exe executions, and applying the patches for CVE-2017-11882 and CVE-2020-0601. Network segmentation and application allowlisting (e.g., Windows Defender Application Control) further reduce risk. Regular scans with YARA rules built from the published IOCs are recommended.
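As an added example (not code from this page or any vendor tooling), the following Python matches the detection indicators listed above against a handful of constructed EDR-style events, the kind of triage logic the mitigation section asks for. The event schema, the "DLL outside the system directories" heuristic for rundll32 anomalies, and the backslashes in the registry path and mutex name are assumptions.

```python
# Added example: matches the Ratty indicators listed above against constructed
# EDR-style events. Not code from the page or any vendor; see lead-in for assumptions.
import fnmatch
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"WindowsUpdate", "JavaUpdate"}
DYNDNS_PATTERNS = ("*.duckdns.org", "*.no-ip.org")
SPOOFED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
MUTEX_NAME = r"Global\RattyMutex"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# rundll32 <dll>,<export>: capture the DLL path (group 1) and export (group 2)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?\s*,\s*(\w+)', re.I)

def match_event(ev):
    """Return the indicator labels an event matches (empty list = no hit)."""
    hits, kind = [], ev.get("type")
    if kind == "registry":
        if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value_name") in RUN_VALUE_NAMES:
            hits.append("persistence:run-key")
    elif kind == "process":
        m = RUNDLL32_RE.search(ev.get("cmdline", ""))
        # Heuristic (assumption): a DLL loaded from outside the system directories
        # counts as a "custom export"; bare system DLL names would need an allowlist.
        if m and not any(d in m.group(1).lower() for d in SYSTEM_DIRS):
            hits.append("execution:rundll32-custom-dll")
    elif kind == "http":
        host = ev.get("host", "").lower()
        if ev.get("method") == "POST" and any(fnmatch.fnmatch(host, p) for p in DYNDNS_PATTERNS):
            hits.append("c2:dyndns-post")
            if ev.get("user_agent") == SPOOFED_UA:
                hits.append("c2:spoofed-ua")
    elif kind == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("artifact:mutex")
    return hits

def triage(events):
    """Map event id -> hits for every event matching at least one indicator."""
    report = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            report[ev["id"]] = hits
    return report

# Constructed sample telemetry: ids 1, 3, 5 and 7 should fire; 4 and 6 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry", "key": RUN_KEY, "value_name": "JavaUpdate"},
    {"id": 3, "type": "process", "cmdline": r"rundll32.exe C:\Users\Public\upd.dll,Start"},
    {"id": 4, "type": "process", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 5, "type": "http", "method": "POST", "host": "cdn-sync.duckdns.org", "user_agent": SPOOFED_UA},
    {"id": 6, "type": "http", "method": "POST", "host": "update.example.com", "user_agent": SPOOFED_UA},
    {"id": 7, "type": "mutex", "name": MUTEX_NAME},
]
```

Run `triage(SAMPLE_EVENTS)` to get the hit map; the spoofed User-Agent is only reported together with a dynamic DNS POST, since on its own it is a common legitimate string.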
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.