SpankRAT

Malware

⚠️ Overview

SpankRAT is a remote access trojan (RAT) first documented in threat reports by the Cybersecurity and Infrastructure Security Agency (CISA) and private industry partners in early 2024. It is operated by the China-linked threat group tracked as TA473 (also known as Spamouflage or Dragon Breath). The malware is categorized as a backdoor RAT designed for persistent remote access and data exfiltration.

🔧 Technical Capabilities

SpankRAT propagates through spear-phishing emails containing malicious Microsoft Office documents or ISO files. It uses the WMI persistence mechanism to create a scheduled task under the name “MicrosoftEdgeUpdateTaskMachine” and writes a VBScript loader to the Windows Startup folder. The malware communicates with its command-and-control (C2) server over HTTPS with encrypted payloads, employing a custom XOR-based obfuscation routine. It can execute arbitrary shell commands, capture screenshots, enumerate files, and exfiltrate data to remote servers via HTTP POST requests. Evasion techniques include checking for sandbox environments by verifying low memory (less than 2 GB) and the presence of analysis tools like Wireshark or Process Monitor.

📜 History & Notable Incidents

First observed in December 2023 during a campaign targeting Southeast Asian government and military entities, SpankRAT was publicly exposed in a joint advisory by CISA, the FBI, and the Australian Cyber Security Centre (ACSC) in June 2024. No high-profile victims have been named publicly, but the advisory attributes the malware to the Dragon Breath threat actor, known for espionage operations. No CVEs are directly exploited by SpankRAT itself, though it leverages CVE-2023-38831 (WinRAR vulnerability) in initial access payloads.

🔍 Detection Indicators

Network indicators include C2 domains matching patterns like “*.duckdns.org” and user-agent strings “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36” with unusual headers. File hashes for known samples include SHA256 2a3b5c7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name “MicrosoftEdgeUpdate”. Behavioral signatures include outbound HTTPS connections to IPs in China and Hong Kong.
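A read-only host check for the persistence artifacts this page names (the scheduled task, the HKCU Run value and a VBScript loader in the Startup folder). This is an added example, not from the CISA advisory or any vendor tooling; the artifact names are taken as described above and are assumptions, not verified against samples.

```powershell
# Added example: hunt for the SpankRAT persistence artifacts described on this page.
# Assumptions (from the page text, not verified against samples): scheduled task name
# "MicrosoftEdgeUpdateTaskMachine", HKCU Run value "MicrosoftEdgeUpdate", and a .vbs
# loader in the per-user Startup folder. Read-only: nothing is removed or changed.
$findings = @()

# 1. Scheduled task with the name the page reports; record what it executes.
$task = Get-ScheduledTask -TaskName 'MicrosoftEdgeUpdateTaskMachine' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Artifact = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Detail = $actions }
}

# 2. Run value "MicrosoftEdgeUpdate" under the current user's hive.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'MicrosoftEdgeUpdate' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{ Artifact = 'RegistryRun'; Location = "$runKey\MicrosoftEdgeUpdate"; Detail = $runValue.MicrosoftEdgeUpdate }
}

# 3. Any VBScript in the user's Startup folder, hashed so it can be compared with published IOCs.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.vbs' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Artifact = 'StartupVBS'; Location = $_.FullName; Detail = "SHA256 $hash" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SpankRAT persistence artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A legitimate Microsoft Edge installation registers similarly named updater tasks (MicrosoftEdgeUpdateTaskMachineCore and MicrosoftEdgeUpdateTaskMachineUA), so compare the recorded action path against the real Edge updater binary before treating a hit as malicious.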

☠️ Risk & Impact

SpankRAT enables full remote control of infected systems, leading to theft of sensitive documents, login credentials, and network reconnaissance data. The primary impact is on government, defense, and telecommunications sectors in Southeast Asia. The CISA advisory rates the overall risk as high due to the malware’s stealth and persistence, though no financial losses have been publicly quantified.

🛡️ Mitigation

Defenders should implement YARA rules targeting SpankRAT’s XOR key generation pattern and block outbound connections to known DuckDNS domains. Enable phishing-resistant multi-factor authentication and apply the patch for CVE-2023-38831 (WinRAR) on all systems. CISA recommends loading the provided IOCs into Microsoft Defender for Endpoint and other EDR tools (Source: CISA Joint Advisory AA24-154A, June 2024; MITRE ATT&CK IDs T1059.001, T1547.001).
