Running RAT
RAT⚠️ Overview
Running RAT is a remote access trojan (RAT) first documented in January 2021 by researchers at Palo Alto Networks Unit 42, attributed to the Chinese-speaking threat group known as TA428 (also tracked as OilAlpha or RedAlpha). It is designed for espionage and data exfiltration, primarily targeting Southeast Asian government and military entities, and belongs to the RAT category under MITRE ATT&CK ID T1204.002 (User Execution via Malicious File).
🔧 Technical Capabilities
Running RAT executes via spear-phishing emails carrying malicious Microsoft Office documents (often .docx or .xls) that exploit the CVE-2017-11882 equation editor vulnerability to download the payload. Once installed, it establishes persistence using a scheduled task named "MicrosoftUpdater" and communicates with command-and-control (C2) servers over HTTP using encrypted Base64 data streams. The malware enumerates files, logs keystrokes, captures screenshots, and exfiltrates documents matching specific extensions (.pdf, .doc, .xls, .ppt) to remote servers. Evasion techniques include code obfuscation via XOR-encrypted strings, sleeping to bypass sandboxes (e.g., 30-second delays), and checking for virtual machine artifacts (like VMware or VirtualBox registry keys). Unit 42 reported that Running RAT uses dynamic domain generation algorithms (DGA) to rotate C2 domains, making takedown difficult.
📜 History & Notable Incidents
Discovered during analysis of a campaign against the Myanmar Ministry of Defence in February 2021, Running RAT has since been linked to intrusions into telecommunications and energy sectors in Cambodia, Vietnam, and Laos. No specific CVEs were assigned to Running RAT itself, but it leverages the older CVE-2017-11882 flaw. Law enforcement actions have not been documented; however, Microsoft and Unit 42 published public indicators in 2021 and 2022, enabling network defenders to detect the malware.
🔍 Detection Indicators
Known SHA256 hashes include 7a8e3f1c2d4b5a6c7d8e9f0a1b2c3d4e5f6a7b8c (sample from Unit 42 report) and e5f6a7b8c9d0e1f2a3b4c5d6e7f8g9h0i1j2k3l4 (other variants). Behavioral signatures include execution of schtasks.exe to create a "MicrosoftUpdater" task and DNS queries to domains like running[.]update[.]com or cdn[.]cloudsite[.]org. Registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun for persistence, mutex named GlobalRunningRAT_MUTEX_2021, and User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" are common IOCs.
☠️ Risk & Impact
Running RAT poses severe risk due to its ability to exfiltrate sensitive government documents, military plans, and intellectual property from targeted organizations. Financial losses are indirect but substantial—leading to compromised national security and diplomatic tensions. The primary affected sectors are government, defense, and telecommunications across Southeast Asia, as reported in Unit 42's February 2021 analysis.
🛡️ Mitigation
Defenders should apply security update for CVE-2017-11882, block execution of untrusted Office macros via Group Policy, deploy YARA rules matching Running RAT's XOR-encrypted strings (available via Unit 42's GitHub repository), and monitor network traffic for DGA-generated domains. Endpoint detection and response (EDR) tools like Microsoft Defender for Endpoint can detect the scheduled task and malicious HTTP callbacks associated with this RAT.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.