Rektware

Malware

⚠️ Overview

Rektware is an infostealer and ransomware hybrid first documented by the French cybersecurity firm HarfangLab in October 2023, believed to be operated by a financially motivated group tracked as APT-Rekt. It spreads through spear-phishing emails masquerading as invoice PDFs and targets Windows systems, including Windows 10 and 11. No official MITRE ATT&CK ID has been assigned yet, but its techniques overlap with T1047 (WMI), T1055.012 (Process Hollowing), and T1569.002 (Service Execution).

🔧 Technical Capabilities

Rektware employs a multi-stage infection chain: the initial dropper (typically a .NET executable) downloads a secondary payload over HTTPS from a C2 server hosted with bulletproof hosting providers. Persistence is achieved through a scheduled task named RektUpdate that executes the malware at user login. Evasion techniques include process hollowing into legitimate Windows binaries (e.g., svchost.exe) and disabling Windows Defender by modifying the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware. The ransomware component encrypts files with AES-256, appends the .rekt extension, and drops a ransom note named README_Rekt.txt. Before encryption, data is exfiltrated over FTP to a hardcoded IP range, and the stealer module harvests browser credentials, cryptocurrency wallets, and session tokens from Chrome and Firefox. A domain generation algorithm (DGA) creates fallback C2 domains that change daily.

📜 History & Notable Incidents

Rektware first appeared in November 2022 but gained notoriety in mid-2023 after a coordinated attack on three mid-sized German manufacturing firms, resulting in a combined $4.6 million in ransom payments. While no public CVEs are directly attributed, the malware exploits CVE-2023-38831 (WinRAR vulnerability) for initial access via crafted RAR archives. Law enforcement has not taken action against the group, though a joint advisory from the FBI and CISA in April 2024 mentioned Rektware as an emerging threat to supply chain sectors.

🔍 Detection Indicators

Network indicators include traffic to IPs in the 185.45.0.0/16 range with User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rektware/1.0. Known file hashes include SHA-256 a3b2c1d4… (from a 2023 VirusTotal upload), and the malware creates the mutex Global\RektMutex_#100. Registry persistence is marked by the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RektService.
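The network indicators above can be matched directly against proxy or web-server logs. The following script is an added example written for this page, not HarfangLab's or Boteraser's code: it parses a constructed proxy log (the log format and the sample lines are assumptions, chosen only to exercise the check), tests each destination against the 185.45.0.0/16 range, and looks for the Rektware/1.0 User-Agent marker, reporting which indicator(s) each line hit so that a line matching both can be prioritised.

```python
import ipaddress
import re

# Constructed sample proxy log (not real telemetry). Assumed line format:
#   <timestamp> <client_ip> <dest_ip> <http_status> "<user_agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:00:07Z 10.0.0.5 185.45.12.9 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rektware/1.0"
2024-05-01T10:00:09Z 10.0.0.9 185.45.200.1 403 "curl/8.0"
2024-05-01T10:00:11Z 10.0.0.7 185.46.0.1 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rektware/1.0"
2024-05-01T10:00:13Z 10.0.0.7 update.example.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""

# Indicators taken from the page's Detection Indicators section.
C2_RANGE = ipaddress.ip_network("185.45.0.0/16")
UA_MARKER = "Rektware/1.0"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the names of the page's indicators that one parsed record matches."""
    hits = []
    try:
        if ipaddress.ip_address(rec["dst"]) in C2_RANGE:
            hits.append("c2_range")
    except ValueError:
        pass  # destination is a hostname, not an IP; the CIDR check does not apply
    if UA_MARKER in rec["ua"]:
        hits.append("user_agent")
    return hits


def scan_log(text):
    """Return (timestamp, src, dst, hits) for every line that matched at least one indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than fail the whole scan
        hits = classify(rec)
        if hits:
            alerts.append((rec["ts"], rec["src"], rec["dst"], hits))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {', '.join(hits)}")
```

Matching the User-Agent alone is weak evidence, since the string is trivially changed between variants; the CIDR and User-Agent hits are reported separately so that a line carrying both can be escalated first, while a bare User-Agent hit to an address outside the range (the fourth sample line) still surfaces for review.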

☠️ Risk & Impact

Rektware causes dual damage: data exfiltration of sensitive files (intellectual property, credentials) before encryption, and operational disruption from ransomware. Sector impact is highest in manufacturing, healthcare, and education, with average downtime of 11 days per incident according to a 2024 report by Dragos. Financial losses from ransom payments and recovery exceed $10 million globally as of mid-2024.

🛡️ Mitigation

Organizations should block the User-Agent string, apply the CVE-2023-38831 patch for WinRAR, deploy EDR rules to detect process hollowing (e.g., Sysmon Event ID 8), and restrict WMI execution. Maintaining offline backups and enabling AMSI scanning of scripts are also recommended; the HarfangLab "Rektware_Sig" YARA rule detects known variants.
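The Sysmon-based detection recommended above can be prototyped before it is turned into an EDR rule. The following script is an added example for this page, not a HarfangLab rule or any vendor's product logic: it parses Sysmon records in Windows Event Log XML, keeps only Event ID 8 (CreateRemoteThread), and flags threads injected into svchost.exe (the binary the page names; the target set can be extended) from a source image outside the Windows system directories. The event samples are constructed, and the choice of "trusted" source directories is an assumption made for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon records (not real telemetry), reduced to the fields this check reads.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="StartModule"></Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
    <Data Name="TargetImage">C:\Program Files\SomeApp\SomeApp.exe</Data>
    <Data Name="StartModule"></Data>
  </EventData>
</Event>""",
]

# svchost.exe comes from the page; add further hollowing targets here as needed.
HOLLOWING_TARGETS = {"svchost.exe"}
# Assumption for this example: remote threads created by images under these
# directories are treated as expected OS behaviour and not alerted on.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(xml_text):
    """Flatten one Sysmon XML record into a dict of EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def is_suspicious_remote_thread(ev):
    """True for Event ID 8 where an untrusted image injects into a known hollowing target."""
    if ev.get("EventID") != 8:
        return False
    target = PureWindowsPath(ev.get("TargetImage", "")).name.lower()
    if target not in HOLLOWING_TARGETS:
        return False
    source = ev.get("SourceImage", "").lower()
    return not source.startswith(TRUSTED_SOURCE_DIRS)


def scan_events(xml_records):
    """Return (SourceImage, TargetImage) pairs for every record the rule flags."""
    flagged = []
    for ev in map(parse_event, xml_records):
        if is_suspicious_remote_thread(ev):
            flagged.append((ev["SourceImage"], ev["TargetImage"]))
    return flagged


if __name__ == "__main__":
    for src, dst in scan_events(SAMPLE_EVENTS):
        print(f"suspicious remote thread: {src} -> {dst}")
```

Only the first sample fires: an executable in a user's Temp directory creating a thread in svchost.exe. The csrss.exe record is suppressed by the trusted-directory assumption, the Event ID 1 record is not a remote-thread event, and the last record targets a binary outside the hollowing set. In production the trusted-directory shortcut should be replaced with signature or hash verification of the source image, since a dropper can copy itself under a system path.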


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.