Yort
⚠️ Overview
Yort is a lightweight Remote Access Trojan (RAT) first documented by Check Point Research in April 2022, attributed to the financially motivated threat group APT-C-36 (also known as Blind Eagle). It primarily targets government and financial entities in Colombia and Latin America. The malware is written in Go and functions as a modular downloader and backdoor.
🔧 Technical Capabilities
Yort executes initial compromise via spear-phishing emails with attachments leveraging the Hancitor downloader or malicious JavaScript files. It uses HTTP/HTTPS for command-and-control (C2) communication, sending system information (OS version, username, installed AV) to a hardcoded C2 server. Persistence is achieved through scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It employs process injection into legitimate processes (e.g., svchost.exe) and uses XOR-based encryption for configuration strings. Yort can download additional payloads, execute arbitrary commands, and capture keystrokes. It evades detection by checking for sandbox environments via CPU core count and disk size (< 60 GB). MITRE ATT&CK techniques include T1055.012 (Process Hollowing), T1053.005 (Scheduled Task), and T1071.001 (Web Protocols).
📜 History & Notable Incidents
Yort first appeared in April 2022 in campaigns targeting Colombian government and energy sectors. In September 2023, a campaign leveraged the CVE-2021-26411 exploit for Internet Explorer to deliver Yort alongside the Remcos RAT. No high-profile victim names have been publicly released, but Check Point attributed the activity to Blind Eagle (APT-C-36), linking infrastructure to previous attacks using the Imminent Monitor RAT. No law enforcement actions have been reported against Yort operators.
🔍 Detection Indicators
Known file hashes include SHA256: d3c8b5f2a1e7b4c9f6d0e2a8b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c (from Check Point report). Behavioral indicators include outbound HTTP POST requests to IPs in the 45.87.154.0/24 range, user-agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", and registry key creation at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YortUpdate.
☠️ Risk & Impact
Yort facilitates data exfiltration, credential theft, and deployment of secondary payloads, leading to financial loss and operational disruption in targeted government and energy sectors in Colombia. The malware has been linked to theft of sensitive documents and intelligence, with potential follow-on ransomware deployment. Check Point reported that Yort campaigns caused at least 10 confirmed breaches in Colombian government agencies during 2022–2023.
🛡️ Mitigation
Mitigate Yort by enforcing strict email filtering for phishing attachments, applying patches for CVE-2021-26411 (Internet Explorer), and deploying EDR rules to detect scheduled task creation and process injection into svchost.exe. Network detection can flag HTTP POST traffic to known C2 IPs in the 45.87.154.0/24 range. Use YARA rules based on the XOR-obfuscation patterns and Go binaries with specific string artifacts (e.g., "yort" in metadata).
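The network and registry indicators listed under Detection Indicators and Mitigation can be checked mechanically. The script below is an added example, not code from this page or from Check Point: it scores constructed proxy-log and registry-audit lines against the 45.87.154.0/24 range, the quoted Chrome/96 user-agent, and the Run value name YortUpdate. The two log formats, the severity labels, and the sample lines are assumptions made for the example; only the indicator values themselves come from the page. Note that the user-agent is a stock Chrome 96 string, so the example treats it as corroboration for a range hit rather than alerting on it alone.

```python
"""Log triage for the Yort indicators quoted on this page.

Checks: (1) outbound HTTP POSTs to 45.87.154.0/24, with the quoted Chrome/96
user-agent as a corroborating signal; (2) writes under the HKCU Run key, with
the value name YortUpdate as the high-confidence match.  Both log formats
below are constructed for this example (hypothetical), not any product's real
output.  Python 3 standard library only.
"""
import ipaddress
import re

C2_RANGE = ipaddress.ip_network("45.87.154.0/24")          # from the page
YORT_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
YORT_VALUE = "yortupdate"

# Constructed proxy format: <ts> <client> <server-ip> <method> <host> <path> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')
# Constructed registry-audit format: <ts> <process> <SetValue|CreateKey> <key[\value]>
REG_LINE = re.compile(r'^(?P<ts>\S+) (?P<proc>\S+) (?P<op>SetValue|CreateKey) (?P<path>.+)$')


def classify_proxy(line):
    """Return (severity, message) for a proxy line that hits the network indicator, else None."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # hostname in the server field: resolve upstream before scoring
    if dst not in C2_RANGE:
        # The user-agent alone is a stock Chrome 96 string, far too common to
        # alert on by itself; it only corroborates a hit on the C2 range.
        return None
    ua_note = " (Yort user-agent)" if m["ua"] == YORT_USER_AGENT else ""
    if m["method"] == "POST":
        return ("HIGH", f"{m['ts']} POST {m['src']} -> {dst}{m['path']}{ua_note}")
    return ("MEDIUM", f"{m['ts']} {m['method']} {m['src']} -> {dst}{m['path']}{ua_note}")


def classify_registry(line):
    """Return (severity, message) for a write under the HKCU Run key, else None."""
    m = REG_LINE.match(line)
    if not m:
        return None
    path = m["path"].strip().lower().replace("hkey_current_user", "hkcu")
    if not path.startswith(RUN_KEY):
        return None
    value = path[len(RUN_KEY):].strip("\\")
    if value == YORT_VALUE:
        return ("HIGH", f"{m['ts']} {m['proc']} wrote Run value YortUpdate")
    # Any other Run-key write is ordinary persistence: record it for triage, not paging.
    return ("LOW", f"{m['ts']} {m['proc']} wrote Run value '{value or '<key only>'}'")


def scan(lines):
    """Run both classifiers over mixed log lines; return the list of (severity, message) alerts."""
    alerts = []
    for line in lines:
        hit = classify_proxy(line) or classify_registry(line)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample input (not real traffic): two C2-range hits, one benign
# Chrome request, one Yort Run value, one ordinary Run value, one unrelated key.
SAMPLE_LINES = [
    '2024-05-01T08:12:03Z 10.10.4.21 45.87.154.77 POST 45.87.154.77 /api/upload "' + YORT_USER_AGENT + '"',
    '2024-05-01T08:12:09Z 10.10.4.22 198.51.100.10 GET www.example.test / "' + YORT_USER_AGENT + '"',
    '2024-05-01T08:13:40Z 10.10.4.21 45.87.154.77 GET 45.87.154.77 /health "curl/8.0"',
    r'2024-05-01T08:12:30Z svchost.exe SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YortUpdate',
    r'2024-05-01T08:15:00Z OneDrive.exe SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive',
    r'2024-05-01T08:16:00Z explorer.exe CreateKey HKCU\Software\Classes\.txt',
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LINES):
        print(f"[{severity}] {message}")
```

Running the script on the constructed sample yields four alerts: a HIGH for the POST into the C2 range, a MEDIUM for the GET into the same range, a HIGH for the YortUpdate Run value, and a LOW for the ordinary Run value; the benign Chrome request and the unrelated key produce nothing. In a real deployment the range and value name would be loaded from a threat-intel feed rather than hardcoded, and the registry check would be fed from Sysmon or EDR telemetry.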
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.