tRat
⚠️ Overview
tRat is a remote access trojan (RAT) first publicly documented in May 2020 by Cybereason Nocturnus, attributed to the Iranian APT group Phosphorus (also known as APT35, Charming Kitten). It functions as a lightweight C2 implant for espionage, used primarily against academic, government, and telecommunications targets in the Middle East and Europe.
🔧 Technical Capabilities
tRat communicates with a hardcoded C2 server over HTTPS using a JSON-based protocol; payloads are encrypted with AES-256-CBC and the network traffic is Base64-encoded. Persistence is achieved via registry Run keys or scheduled tasks, while evasion includes process hollowing into svchost.exe and dynamic API resolution to defeat static detection. The malware supports file upload/download, command execution, screenshot capture, keylogging, and reconnaissance of network shares and domain controllers. It performs sandbox detection by checking for at least four CPU cores and more than 2 GB of RAM, and terminates if the environment fails these checks.
📜 History & Notable Incidents
First observed in targeted attacks against Iranian dissidents and US-based academics in mid-2020, tRat was linked to the Nemesis Kitten subgroup by Microsoft Threat Intelligence in September 2021. No CVEs are directly associated with tRat; initial access is typically via spear-phishing emails containing malicious LNK or macro-laden documents. In 2022, the Israeli National Cyber Directorate warned of tRat campaigns targeting healthcare organizations in Israel.
🔍 Detection Indicators
Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" and C2 paths such as /api/token and /api/command. File artifacts include drvcc.exe (a dropped executable) and the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. The mutex name Global\WU_Check is a known behavioral signature documented in Cybereason's report.
☠️ Risk & Impact
tRat enables full remote control of infected hosts, leading to theft of credentials, intellectual property, and sensitive communications. Affected sectors include higher education, telecommunications, and government agencies, with espionage-motivated data exfiltration reported by Mandiant in 2023. No ransomware or other direct financial extortion has been associated with tRat; the impact is primarily informational loss and compromised network integrity.
🛡️ Mitigation
Defenders should enforce phishing-aware email filters, restrict execution of scripts from Office documents via Attack Surface Reduction (ASR) rules, and deploy EDR with behavioral detection for process hollowing and scheduled task creation. MITRE ATT&CK techniques used include T1053.005 (Scheduled Task), T1055.012 (Process Hollowing), and T1573.001 (Encrypted Channel).
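The following triage script is an added example, not code from the page or from any vendor, showing how the detection indicators and the behavioral mitigations above (Run-key persistence, scheduled task creation, C2 beaconing) can be turned into matching logic over endpoint and proxy telemetry. The indicator values are the ones listed on this page; the event dictionary format, the sample events and the IP addresses are constructed for the example, and the T1547.001 technique id for Run-key persistence is taken from MITRE ATT&CK rather than from the page.

```python
"""Triage constructed log events for the tRat indicators described on this page.

Indicator values (User-Agent, C2 paths, drvcc.exe, Run key, mutex) come from
the page. The event schema and every sample event below are constructed for
this example and are not taken from a real capture.
"""
from dataclasses import dataclass

TRAT_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
)
TRAT_C2_PATHS = {"/api/token", "/api/command"}
TRAT_DROPPED_FILE = "drvcc.exe"
TRAT_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
TRAT_MUTEX = r"Global\WU_Check"


@dataclass
class Finding:
    event_id: int
    indicator: str
    technique: str  # ATT&CK id where one applies, otherwise empty


def _basename(image_path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return image_path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return one Finding per event that matches a tRat indicator."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "http":
            # The Chrome 74 UA alone is weak (legacy clients exist), so the
            # C2 path must match too before the request is flagged.
            if ev.get("user_agent") == TRAT_USER_AGENT and ev.get("path") in TRAT_C2_PATHS:
                findings.append(Finding(ev["id"], f"C2 beacon to {ev['path']}", "T1573.001"))
        elif kind == "process":
            name = _basename(ev.get("image", ""))
            tokens = ev.get("cmdline", "").lower().split()
            if name == TRAT_DROPPED_FILE:
                findings.append(Finding(ev["id"], "dropped executable drvcc.exe", ""))
            # Scheduled task persistence: schtasks.exe invoked with /create.
            # Process hollowing (T1055.012) needs EDR memory telemetry and
            # is not detectable from these process-creation events alone.
            elif name == "schtasks.exe" and "/create" in tokens:
                findings.append(Finding(ev["id"], "scheduled task created", "T1053.005"))
        elif kind == "registry":
            if ev.get("key", "").lower() == TRAT_RUN_KEY.lower():
                # Run-key persistence; T1547.001 is the ATT&CK id for this.
                findings.append(Finding(ev["id"], "WindowsUpdate Run key set", "T1547.001"))
        elif kind == "mutex":
            if ev.get("name") == TRAT_MUTEX:
                findings.append(Finding(ev["id"], "mutex Global\\WU_Check", ""))
    return findings


# Constructed sample telemetry (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; no real hosts are referenced).
SAMPLE_EVENTS = [
    {"id": 1, "type": "http", "user_agent": TRAT_USER_AGENT,
     "path": "/api/token", "dst": "203.0.113.10"},
    # UA matches but path is benign: should not be flagged.
    {"id": 2, "type": "http", "user_agent": TRAT_USER_AGENT,
     "path": "/index.html", "dst": "198.51.100.5"},
    {"id": 3, "type": "process",
     "image": r"C:\Users\alice\AppData\Local\Temp\drvcc.exe", "cmdline": "drvcc.exe"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn WindowsUpdate /tr "C:\Users\alice\AppData\Local\Temp\drvcc.exe" /sc onlogon'},
    {"id": 5, "type": "registry", "key": TRAT_RUN_KEY,
     "value": r"C:\Users\alice\AppData\Local\Temp\drvcc.exe"},
    {"id": 6, "type": "mutex", "name": TRAT_MUTEX},
    # Unrelated Run key: should not be flagged.
    {"id": 7, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.indicator} {f.technique}".rstrip())
```

On the constructed sample, events 1, 3, 4, 5 and 6 are flagged and events 2 and 7 are not; the User-Agent is treated as corroborating rather than sufficient evidence because the same Chrome 74 string appears in benign legacy traffic.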