SombRAT
⚠️ Overview
SombRAT is a modular remote access trojan (RAT) written in C++. It was first publicly documented by BlackBerry in November 2020 as the custom backdoor behind the CostaRicto campaign, which BlackBerry attributed to a hacker-for-hire group working for paying clients rather than to a state-sponsored actor. Mandiant (then FireEye) later tied the same malware to UNC2447, a financially motivated cluster that used SombRAT as the staging implant for FiveHands ransomware in early 2021. Initial access varies by operator: CostaRicto intrusions relied on stolen credentials, while UNC2447 exploited an internet-facing SonicWall appliance. Once in place the backdoor is used for persistent access, data theft and, in the ransomware cases, pre-encryption reconnaissance.
🔧 Technical Capabilities
SombRAT communicates with its command-and-control (C2) infrastructure over an encrypted channel (MITRE ATT&CK T1573), using a custom protocol carried inside TLS sessions; DNS tunnelling has also been reported as a transport in the CostaRicto deployments. The implant is built around a plugin framework: publicly documented command groups cover file upload and download, process and task management, configuration and encrypted local storage, and loading further plugins at run time, and the backdoor can execute arbitrary commands and binaries on the host (T1059.003). Persistence has been reported via registry Run keys (T1547.001) and scheduled tasks (T1053.005). Samples are commonly delivered as a DLL that a legitimate signed executable loads (DLL side-loading, T1574.002), and the malware can inject code into other processes (DLL injection, T1055.001). Its configuration is stored encrypted in the Windows Registry; the exact key differs between samples, so treat any single registry path as sample-specific rather than a family-wide indicator.
📜 History & Notable Incidents
BlackBerry first described SombRAT in November 2020 as the backdoor used in CostaRicto, a long-running espionage-for-hire campaign with victims spread across several continents, many of them in financial services. In April 2021 Mandiant published its analysis of UNC2447, which exploited the SonicWall SMA 100 series zero-day CVE-2021-20016 for initial access, deployed SombRAT, and then detonated FiveHands ransomware (a rewrite of the DeathRansom family) in victim networks. CISA followed in May 2021 with an analysis report (AR21-126A) covering FiveHands and the SombRAT loader chain. No CVE is assigned to SombRAT itself: it is post-exploitation tooling, and the only vulnerability reliably tied to its deployment in public reporting is the SonicWall flaw used to get in.
🔍 Detection Indicators
Verified file hashes, C2 domains and YARA rules are published in the BlackBerry CostaRicto report, the Mandiant UNC2447 report and the CISA analysis report; placeholder hashes, self-describing Run-key value names or mutexes containing the string SombRAT are not real indicators and should not be loaded into detection content. Behavioural indicators worth hunting for: outbound TLS sessions from unexpected processes to rare external destinations, DNS query volumes or subdomain patterns consistent with tunnelling, new values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that point into user-writable directories, scheduled tasks created outside normal change windows, and legitimate signed executables loading DLLs from directories they did not ship with.
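As an added example (written for this page; it is not code from BlackBerry, Mandiant or CISA and not a SombRAT signature), the script below runs two of the hunts described above over constructed Sysmon-style JSON events: a Run-key value (T1547.001) whose target lives in a user-writable directory, and a well-known DLL name loaded from outside the Windows system directories by an unsigned image (T1574.002). The sample events, the watch-list of commonly side-loaded DLL names and the path heuristics are assumptions chosen for illustration.

```python
"""Hunt for Run-key persistence (T1547.001) and DLL side-loading (T1574.002)
over Sysmon-style JSON events. Added example; all sample data is constructed."""
import json
import ntpath
import re

# Constructed sample events shaped like Sysmon Event ID 13 (RegistryEvent:
# value set) and Event ID 7 (ImageLoad). Every path, SID and name is invented.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x7f3k2q9a", "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\svchost.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
{"EventID": 7, "Image": "C:\\ProgramData\\Vendor\\Updater\\update.exe", "ImageLoaded": "C:\\ProgramData\\Vendor\\Updater\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
"""

# Run and RunOnce keys under any hive; the last path element is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Directories an unprivileged user or installer can normally write to (assumed list).
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
# DLL names that are frequently abused for side-loading (assumed watch-list,
# not a SombRAT indicator); a copy outside System32/SysWOW64 is suspicious.
SIDELOAD_WATCHLIST = {"version.dll", "dwmapi.dll", "dbghelp.dll", "cryptbase.dll"}


def parse_events(text):
    """One JSON object per non-empty line, as a log shipper would emit them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_run_key(ev):
    """Flag Event ID 13 writes to Run/RunOnce whose target is user-writable."""
    if ev.get("EventID") != 13:
        return None
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "")
    if not USER_WRITABLE_RE.match(target):
        return None
    return {"technique": "T1547.001", "value": ev["TargetObject"],
            "target": target, "writer": ev.get("Image")}


def check_sideload(ev):
    """Flag Event ID 7 loads of a watch-listed DLL name from a non-system
    directory unless the DLL carries a valid signature."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    if name not in SIDELOAD_WATCHLIST or SYSTEM_DIR_RE.match(loaded):
        return None
    if str(ev.get("Signed", "")).lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return {"technique": "T1574.002", "dll": loaded, "host_process": ev.get("Image")}


def hunt(text):
    """Run every check over every event and return the findings in log order."""
    findings = []
    for ev in parse_events(text):
        for check in (check_run_key, check_sideload):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The two heuristics are deliberately narrow: a Run-key value pointing at Program Files is ignored, as is a watch-listed DLL loaded from System32, so the noise from normal installers stays low. Tune USER_WRITABLE_RE and SIDELOAD_WATCHLIST to your estate before deploying anything like this against live telemetry.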
☠️ Risk & Impact
SombRAT gives an operator full remote control of an infected endpoint: file access, command execution and the ability to load further plugins on demand, which supports long-term exfiltration of intellectual property, financial records and credentials. Publicly reported victims span financial services and other sectors across several continents in the CostaRicto campaign, and in the UNC2447 intrusions the backdoor was the staging point for FiveHands ransomware, so the impact ranges from quiet espionage to full encryption and extortion. Its modular architecture and stealthy persistence let attackers pivot laterally (T1021.002) and escalate toward domain compromise.
🛡️ Mitigation
Patch and monitor internet-facing remote-access appliances, in particular SonicWall SMA 100 series devices affected by CVE-2021-20016, since that was the initial-access path in the UNC2447 intrusions. Enforce application control (ATT&CK mitigation M1038, Execution Prevention) so that unsigned DLLs in user-writable directories cannot be loaded by trusted binaries, and build endpoint detection content from the IOCs and YARA rules in the BlackBerry, Mandiant and CISA reports rather than from placeholder values. Monitor for anomalous TLS and DNS traffic from endpoints to unknown external hosts. Network segmentation and privileged-access management limit lateral movement, and tested offline backups limit the ransomware outcome that has followed SombRAT deployments.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.