WebMonitor RAT

RAT

⚠️ Overview

WebMonitor RAT is a fully featured remote access trojan (RAT) first documented by Fortinet’s FortiGuard Labs in September 2020, which attributed it to the Chinese-speaking threat actor TA428 on the basis of shared infrastructure and code similarities with the PlugX family. It is categorized as a cyber-espionage RAT built for covert surveillance, data exfiltration, and persistent backdoor access, and it primarily targets government, defense, and telecommunications entities in South Asia and the Middle East.

🔧 Technical Capabilities

WebMonitor RAT is delivered via spear-phishing emails carrying weaponized Microsoft Office documents that exploit CVE-2017-11882, a memory-corruption bug in the legacy Equation Editor (EQNEDT32.EXE), to download the initial payload. Its C2 traffic runs over HTTPS on port 443 with a custom obfuscation layer (XOR followed by Base64) and mimics ordinary browsing through headers such as User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0, which is the stock string for Firefox 60 on Windows 7. Persistence is achieved through a Windows scheduled task named “WindowsUpdateCheck” and a value named svchost under the registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include dynamic API resolution, anti-debugging checks (e.g., IsDebuggerPresent), and disabling Windows Defender by setting the policy value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.

📜 History & Notable Incidents

First observed in August 2020, WebMonitor RAT was used in a campaign targeting the Pakistani Ministry of Foreign Affairs and Indian military personnel, per Fortinet’s September 2020 FortiGuard Labs Threat Research report. In November 2021 the malware was linked to an operation that exploited Log4Shell (CVE-2021-44228, a remote code execution flaw in Apache Log4j 2, reached through an Apache Struts deployment that bundled the vulnerable library) to deliver the RAT to a South Asian telecom provider. No law enforcement actions against TA428 have been publicly documented.

🔍 Detection Indicators

The SHA-256 given for the 2020 Fortinet sample, 9c5f7a1b2e3d4c5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9, is 63 hexadecimal characters as printed rather than 64, so it is not a well-formed SHA-256 and should be verified against the original report before being loaded into a blocklist. Network indicators include outbound HTTPS connections to the 45.77.98.0/24 range and the C2 domain microsoft-software™.com (as printed). Behavioral signatures include creation of the mutex “Global\WebMonitorMutex” and a scheduled task named WindowsUpdateCheck.

☠️ Risk & Impact

WebMonitor RAT enables full remote control: keylogging, screen capture, file exfiltration, and audio/video recording via webcam. The malware has caused the theft of classified diplomatic and military documents from at least three South Asian government agencies (per CISA advisories from 2021). Affected sectors include national defense, foreign ministries, and telecommunications.

🛡️ Mitigation

Defenders should block the known C2 domain and IP range, apply patches for CVE-2017-11882 and CVE-2021-44228, and deploy YARA or EDR rules keyed on the mutex and scheduled task names. Note that the Equation Editor exploit runs without macros, so disabling Office macros for untrusted documents only helps against macro-based lures; for CVE-2017-11882 the fix is patching, or removing the legacy Equation Editor component altogether, as Microsoft’s January 2018 Office updates did. With EDR, alert on svchost.exe started from any path other than C:\Windows\System32 or with a parent other than services.exe, on new scheduled tasks named WindowsUpdateCheck, and on writes to the DisableAntiSpyware policy value. Because the C2 channel is HTTPS, the User-Agent string is visible only where TLS inspection is in place, and since it is a stock Firefox 60 string it should corroborate, not replace, the destination-based indicators.
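The following triage script ties together the host artifacts from the Technical Capabilities and Detection Indicators sections and the network indicators above. It is an added example written for this page, not Fortinet’s or Boteraser’s code. The indicator values are the ones listed above (the page’s 45.77.98.* is expressed as the CIDR 45.77.98.0/24); the HostSnapshot layout, the proxy-log line format and the sample host and log data are constructed assumptions for illustration.

```python
"""Triage of the WebMonitor RAT host and network indicators listed on this page.

Added example, not Fortinet's or Boteraser's code. Indicator values come from
the page; the log format, HostSnapshot structure and sample data are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# --- Indicators from the page --------------------------------------------
C2_NET = ipaddress.ip_network("45.77.98.0/24")          # page: "45.77.98.*"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
TASK_NAME = "WindowsUpdateCheck"
MUTEX_NAME = r"Global\WebMonitorMutex"
RUN_VALUE = "svchost"                                    # value under HKCU\...\Run
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"


@dataclass
class HostSnapshot:
    """Artifacts collected from one endpoint (constructed layout, not an EDR schema)."""
    scheduled_tasks: list[str]      # task names
    run_values: dict[str, str]      # HKCU Run value name -> command line
    policies: dict[str, int]        # registry policy path -> DWORD value
    mutexes: list[str]              # named objects held by running processes


def triage_host(snap: HostSnapshot) -> list[str]:
    """Return one finding per WebMonitor persistence/evasion artifact present."""
    findings = []
    if any(t.lower() == TASK_NAME.lower() for t in snap.scheduled_tasks):
        findings.append(f"scheduled task {TASK_NAME}")
    cmd = snap.run_values.get(RUN_VALUE)
    if cmd is not None:
        # The real svchost.exe is started by services.exe, never from a Run value,
        # so a Run value with this name is suspicious regardless of the path it points to.
        findings.append(f"Run value {RUN_VALUE} -> {cmd}")
    if snap.policies.get(DEFENDER_POLICY) == 1:
        findings.append("Defender DisableAntiSpyware policy set to 1")
    if MUTEX_NAME in snap.mutexes:
        findings.append(f"mutex {MUTEX_NAME}")
    return findings


# --- Network side ----------------------------------------------------------
# Constructed proxy-log format: <ts> <src> <dst>:<port> <method> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>\S+) "(?P<ua>[^"]*)"$'
)


def triage_proxy_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, destination, confidence) for lines matching the C2 indicators.

    The User-Agent is a stock Firefox 60 string, so on its own it is only a
    low-confidence signal; the destination range carries the weight.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unknown line shape: skip rather than guess
        dst = ipaddress.ip_address(m["dst"])
        in_c2_range = dst in C2_NET
        ua_match = m["ua"] == C2_USER_AGENT
        if in_c2_range:
            hits.append((m["ts"], str(dst), "high" if ua_match else "medium"))
        elif ua_match and m["port"] == "443":
            hits.append((m["ts"], str(dst), "low"))
    return hits


# --- Constructed sample input (not real telemetry) -------------------------
SAMPLE_HOST = HostSnapshot(
    scheduled_tasks=["MicrosoftEdgeUpdateTaskMachineCore", "WindowsUpdateCheck"],
    run_values={
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "svchost": r"C:\Users\u\AppData\Roaming\svchost.exe",
    },
    policies={DEFENDER_POLICY: 1},
    mutexes=[r"Sessions\1\BaseNamedObjects\Foo", r"Global\WebMonitorMutex"],
)
SAMPLE_LOG = [
    '2020-09-14T10:02:11Z 10.0.0.5 45.77.98.20:443 CONNECT "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '2020-09-14T10:02:15Z 10.0.0.5 151.101.1.69:443 CONNECT "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '2020-09-14T10:03:40Z 10.0.0.7 45.77.98.200:443 CONNECT "Microsoft-CryptoAPI/10.0"',
    '2020-09-14T10:04:02Z 10.0.0.8 93.184.216.34:443 CONNECT "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in triage_host(SAMPLE_HOST):
        print("HOST:", finding)
    for ts, dst, confidence in triage_proxy_log(SAMPLE_LOG):
        print(f"NET:  {ts} {dst} ({confidence})")
```

Run as-is it reports four host findings for the constructed snapshot and three network hits: the 45.77.98.20 connection with the matching User-Agent is rated high, the 45.77.98.200 connection with a different agent medium, and the 151.101.1.69 connection low because only the (very common) User-Agent matched. In production the HostSnapshot would be filled from a scheduled-task export, the HKCU Run key, the Defender policy key and a handle listing, and the log parser replaced with one for the proxy or TLS-inspection device actually in use.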


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.