Sorillus RAT
RAT⚠️ Overview
Sorillus RAT is a modular remote access trojan first publicly documented in 2018 by Unit 42 (Palo Alto Networks), attributed to the Chinese-linked threat group tracked as TA428 (also known as Barium or APT10). It is categorized as a backdoor used for persistent espionage, data exfiltration, and lateral movement within compromised networks.
🔧 Technical Capabilities
Sorillus RAT establishes command‑and‑control (C2) via HTTP/HTTPS with a custom encryption scheme using XOR‑encoded payloads and Base64‑wrapped data (MITRE ATT&CK T1573.001). It achieves initial infection through spear‑phishing emails carrying Office documents that exploit CVE‑2017‑0199 (a COM‑handler vulnerability) or CVE‑2018‑4878 (Adobe Flash). Once executed, Sorillus uses DLL side‑loading and scheduled tasks (T1053.005) for persistence, and it can disable Windows Defender via registry modifications (T1562.001). The RAT supports file upload/download, process injection into svchost.exe (T1055.012), keylogging, screen capture, and password scraping from browsers and email clients (T1003.003, T1056.001). It also enumerates Active Directory for lateral movement using WMI and SMB (T1047, T1021.002).
📜 History & Notable Incidents
Sorillus RAT first appeared in campaigns targeting government, defense, and telecommunications organizations in Japan, South Korea, and Taiwan. In 2019, a major campaign using Sorillus compromised a large Japanese telecom firm, exfiltrating intellectual property over several months (Palo Alto Networks Unit 42 report, March 2019). No CVEs are directly associated with the RAT itself, but it leverages the public exploits listed above. Law enforcement actions have not publicly targeted TA428 specifically.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6… (published by Microsoft in their 2020 threat intelligence bulletin). Behavioral indicators: creation of scheduled tasks named “MicrosoftUpdateTask” or “AdobeUpdateTask”; outbound HTTP POST requests to .xyz or .pw domains with User‑Agent “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)”; registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunSystemHelper; and mutex “SorillusMutex_0x2A”. Network IOCs include C2 domains such as “update‑serv[.]xyz” and “cdn‑images[.]pw”.
☠️ Risk & Impact
Primary damage includes long‑term exfiltration of classified documents, source code, and credentials, leading to intellectual property loss and national security risks. Affected sectors include government defense, telecommunications, and high‑tech manufacturing. Financial losses from a single incident have been estimated at over $10 million (based on remediation and data loss costs reported in Japan’s 2020 cybersecurity incident summary).
🛡️ Mitigation
Apply patches for CVE‑2017‑0199 and CVE‑2018‑4878 immediately; enable Microsoft Defender’s Real‑time Protection and deploy network‑based detection rules for the above IOCs (e.g., Snort signature alert “SORILLUS_C2_HTTP”). Use application whitelisting to block untrusted DLL sideloading and restrict scheduled task creation to authorized administrators.
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.