RCtrl

Malware

⚠️ Overview

RCtrl is a remote access trojan (RAT) first documented by Unit 42 in January 2021 and attributed to APT41, a Chinese-speaking advanced persistent threat group. It is typically delivered as a second-stage payload by an earlier backdoor such as Korplug (PlugX) or QuasarRAT, and has been used against government, healthcare, and telecommunications organizations worldwide. Once running, it gives the operator full remote control of the host: file management, keystroke logging, and arbitrary command execution.

🔧 Technical Capabilities

RCtrl talks to its command and control (C2) server over a custom encrypted TCP protocol, usually on port 443 or 8080, with the traffic made to resemble HTTPS by presenting a self-signed certificate. The self-signed certificate is itself a useful detection point, since a legitimate service on those ports rarely presents one. Persistence is achieved through a scheduled task named "Windows Update" and a value under the registry run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware collects system information, enumerates running processes, and uploads and downloads files using an XOR-based encoding scheme; this is obfuscation rather than strong encryption, but it is enough to defeat naive string matching on the wire. It injects into svchost.exe or explorer.exe to evade detection and takes a mutex named Global\RCtrl_Mutex so that only one instance runs. Sandbox-evasion checks include looking for artifacts such as VBoxMouse.sys and sleeping for 60 seconds before doing anything, so analysis environments should be configured to outlast that delay.

📜 History & Notable Incidents

First observed in late 2020, RCtrl was linked to APT41’s campaign against U.S. state government networks in 2021, as reported by the U.S. CISA. The group exploited CVE-2020-0688 (Microsoft Exchange Server) and CVE-2021-26855 (ProxyLogon) for initial access. In 2022, RCtrl was used in targeted attacks against Southeast Asian telecom providers, leveraging compromised VPN credentials. No law enforcement actions have been publicly announced against the operators.

🔍 Detection Indicators

File hash: the SHA-256 given for the observed sample, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the digest of zero-length input (the empty string), not of a malware binary, so a match on it only identifies an empty file; obtain a sample hash from the original reporting before deploying one. Network IOCs are given as C2 domains under *.dyndns.org and IP addresses in the 103.xx.xx.xx range (the whole 103.0.0.0/8 block); both are far too broad to block outright, since dyndns.org is a shared dynamic-DNS provider and 103/8 is an APNIC allocation spanning much of the Asia-Pacific region, so treat them as hunting pivots rather than block-list entries. Registry persistence: a value named WindowsUpdate under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the overview above lists the HKCU Run key, so check both hives). HTTP: the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 is a stock Chrome prefix and is not an indicator on its own; the non-standard X-Client-ID header that accompanies it is the distinguishing element.
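The following is an added example, not code from the original page or from any vendor's detection content, showing how the host and HTTP indicators above (Run-key value, scheduled task name, mutex, injection target, X-Client-ID header) can be matched against endpoint telemetry. The event dictionary shape, the host names and the sample events are constructed for this example; the indicator values are the page's. It also confirms the point made about the listed hash: it is the SHA-256 of empty input.

```python
import hashlib
import re

# Indicator values as listed in the profile above. Everything else in this
# file, including the event schema and SAMPLE_EVENTS, is constructed.
LISTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
RUN_VALUE_RE = re.compile(
    r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate$",
    re.IGNORECASE,
)
TASK_NAME = "Windows Update"
MUTEX_NAME = "Global\\RCtrl_Mutex"
C2_HEADER = "x-client-id"
INJECTION_TARGETS = {"svchost.exe", "explorer.exe"}


def listed_hash_is_empty_input() -> bool:
    """The SHA-256 printed on the page is the digest of zero bytes, so a match
    on it would flag an empty file, not an RCtrl sample."""
    return hashlib.sha256(b"").hexdigest() == LISTED_SHA256


def match_event(event: dict) -> list[str]:
    """Return the RCtrl indicators a single telemetry event matches (possibly none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and RUN_VALUE_RE.match(event.get("target", "")):
        hits.append("Run-key value 'WindowsUpdate'")
    elif kind == "task_create" and event.get("task_name") == TASK_NAME:
        # Microsoft's own update tasks live under \Microsoft\Windows\WindowsUpdate\;
        # the page gives only the task name, so review the task path as well.
        hits.append("scheduled task 'Windows Update'")
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex Global\\RCtrl_Mutex")
    elif kind == "process_inject" and event.get("target_image", "").lower() in INJECTION_TARGETS:
        hits.append(f"injection into {event['target_image']}")
    elif kind == "http_request":
        # The User-Agent on the page is a stock Chrome string; only the
        # non-standard X-Client-ID header distinguishes this traffic.
        headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
        if C2_HEADER in headers:
            hits.append("non-standard X-Client-ID header")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run match_event over a batch of events and return (host, indicator) pairs."""
    return [(e["host"], hit) for e in events for hit in match_event(e)]


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host": "ws01", "type": "registry_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"},
    {"host": "ws01", "type": "task_create", "task_name": "Windows Update"},
    {"host": "ws02", "type": "registry_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"host": "ws02", "type": "http_request",
     "headers": {"User-Agent": CHROME_UA, "Host": "www.example.com"}},  # UA alone: no hit
    {"host": "ws03", "type": "http_request",
     "headers": {"User-Agent": CHROME_UA, "X-Client-ID": "a1b2c3"}},
    {"host": "ws03", "type": "mutex_create", "name": "Global\\RCtrl_Mutex"},
    {"host": "ws03", "type": "process_inject", "target_image": "svchost.exe"},
]

if __name__ == "__main__":
    print("listed hash is SHA-256 of empty input:", listed_hash_is_empty_input())
    for host, hit in scan(SAMPLE_EVENTS):
        print(host, hit)
```

Against the constructed events, ws02 produces no hits at all: a legitimate Run value and a plain Chrome User-Agent are exactly the kind of noise the caveats above are about, while ws01 and ws03 each trip more than one indicator, which is the corroboration you want before escalating.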

☠️ Risk & Impact

RCtrl is built for long-term intelligence gathering: it exfiltrates credentials and sensitive documents over its encrypted C2 channel, which is dressed up to look like HTTPS. Affected sectors include government, healthcare, and telecommunications, with financial losses from data breaches and remediation estimated at more than $100 million. The operators can also use it to stage additional payloads such as PlugX for lateral movement.

🛡️ Mitigation

Mitigation starts with closing the initial-access vectors: patch CVE-2020-0688 and CVE-2021-26855 on Exchange servers and require multi-factor authentication for VPN access. On the endpoint, deploy EDR rules for creation of a scheduled task named "Windows Update" outside the built-in \Microsoft\Windows\WindowsUpdate\ task folder, for new values under the Run keys, and for injection into svchost.exe or explorer.exe. On the network, signatures can key on the custom RCtrl C2 handshake, which begins with the bytes 0x01 0x02; a two-byte prefix is a weak signal on its own, so restrict the rule to flows on 443 or 8080 whose first bytes are not a TLS record header, and corroborate hits with the host indicators above.
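As an added example (not the page's or any IDS vendor's rule), the check below classifies the first bytes of an outbound TCP flow on the watched ports. It separates genuine TLS, which always starts with a record header of type 0x16 (handshake) and version major 0x03, from the 0x01 0x02 prefix the text describes, and ignores the same bytes on unrelated ports. The flow tuple shape and the sample flows are constructed.

```python
# Assumed input: one (src_ip, dst_port, first_bytes) tuple per new outbound TCP
# flow, e.g. taken from a packet capture. Constructed for this example.
C2_PREFIX = b"\x01\x02"          # handshake prefix given in the profile above
WATCHED_PORTS = {443, 8080}      # ports the profile says RCtrl uses
TLS_RECORD_PREFIX = b"\x16\x03"  # TLS handshake record, version major 3


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """Label a flow by its destination port and its first two payload bytes."""
    if dst_port not in WATCHED_PORTS:
        return "unwatched"
    if first_bytes[:2] == TLS_RECORD_PREFIX:
        return "tls"  # real TLS; a self-signed cert would need a separate check
    if first_bytes[:2] == C2_PREFIX:
        return "rctrl-prefix"
    # Non-TLS on 8080 is normal for HTTP proxies; non-TLS on 443 is worth a look
    # even when the prefix does not match.
    return "non-tls"


def suspicious_hosts(flows: list[tuple[str, int, bytes]]) -> list[str]:
    """Sources whose flows carry the RCtrl prefix on a watched port."""
    return sorted({src for src, port, data in flows
                   if classify_flow(port, data) == "rctrl-prefix"})


SAMPLE_FLOWS = [  # constructed, not captured from real traffic
    ("10.0.0.5", 443, bytes.fromhex("16030100c5010000c1")),  # normal TLS ClientHello
    ("10.0.0.5", 443, bytes.fromhex("01020000001a")),        # two-byte prefix, not TLS
    ("10.0.0.7", 8080, b"GET / HTTP/1.1\r\n"),               # plain HTTP to a proxy port
    ("10.0.0.9", 53, bytes.fromhex("0102")),                 # same bytes, unwatched port
]

if __name__ == "__main__":
    for src, port, data in SAMPLE_FLOWS:
        print(src, port, classify_flow(port, data))
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

The port filter matters: the 0x01 0x02 bytes on port 53 in the sample are ignored, and only 10.0.0.5 is reported, because its second flow is a non-TLS stream on 443 that starts with the prefix. A hit here should still be paired with a Run-key, task or mutex finding from the host before it is treated as confirmed.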

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.