Flash Update: Emotet Gang Distributes First Japanese Campaign

Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign.

Diversifying their target-base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in Emotet securing a presence in such networks worldwide.


Subject Lines

請查看和 批准。 謝謝。

 Attachment Names

878345912 99590954.doc
31021154 71136771.doc
64123575263 958618.doc
72239600 553010.doc
823522415 83838965.doc
86726152984 4077671.doc
97016848095 4035273.doc
04546449854 46414589.doc
12129058435 35307309.doc
18009110 429772.doc
19529643 07207376.doc
22789621095 667097.doc
459894237 3920280.doc
48513288 3409281.doc
514855331 4861472.doc
60475231104 37366668.doc
6325401702 834277.doc

Attachment Hashes


Payload URLS


Payload Hashes



Filename Regex


Cofense continues to closely track Emotet’s evolution. Watch this space for further updates. To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims

Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.

This ‘Broken’ File Hides Malware Designed to Break Its Targets

CISO Summary

Cofense IntelligenceTM has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis.

The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it.

The campaign tries to exploit a common problem: information overload. As they process and prioritize mountains of information, analysts and automated defenses sometimes ignore faulty files because they seem to be benign. In this campaign, the file downloads a script to fix the missing header and then run the full file, if the target environment permits it.

While multi-stage evasive techniques are the exception not the rule, they can lead to devastating results. To protect against campaigns like this, it’s smart to invest in solutions that leverage both human intuition and threat automation.

Full Details

Cofense Intelligence recently observed a campaign that delivered what appeared to be a broken executable—almost certain to evade detection as malicious—only to be fully weaponized once within  the target’s environment. By delivering an apparently broken executable, threat actors were able to disguise their intentions from several different kinds of automated and manual analyses. Cursory analysis showed that the executable was missing a proper “file header.” Because of the missing file header, it was more likely that an analyst would simply dismiss the threat actors as being incompetent and ignore the campaign. In reality, the campaign was designed so that the document would download a script to fix the “file header” and run the now complete executable, if the desired conditions within the hosting environment were met.

What’s in a Header

Essentially, a file header helps the operating system determine how to interpret the contents of the file. Header information can indicate several factors, such as whether a file is an archive or an executable. In the case of most Windows executables, the file starts with the characters MZ. This MZ header is almost always present, even when executables are packed, obfuscated, or embedded. The hexadecimal content of an executable, including the MZ header, can be seen in Figure 1.

Figure 1: Hexadecimal view of an MZ file header of an executable

If this header is not present, then the executable will simply fail to run. Some analysts as well as automated analysis systems and executable extraction programs will ignore any files without an appropriate header, under the assumption that they are broken. An example of the same executable from Figure 1, but with a missing MZ header, can be seen in Figure 2.

Figure 2: The same file as Figure 1 without an MZ header

The executable from Figure 1 no longer runs without the MZ header. Conversely, all that is needed to make the executable in Figure 2 run is the addition of “MZ” to the top of the binary.

What Happened Here

In the campaign observed by Cofense Intelligence, the malicious document drops an embedded object as a partial executable—the header of this file can be seen in Figure 2. Because this executable does not have an MZ header, it is only detected by 2/58* antivirus engines on VirusTotal. It also means that analysts who see the binary and attempt to run it as an executable will be unsuccessful and may assume that the binary is broken—and be technically correct in so doing. Once the partial executable has been dropped, the malicious document then makes use of CVE-2017-11882 to download and execute the contents of an .hta file. An example is shown in Figure 3.

Figure 3: Contents of downloaded .hta file

There are four steps of interest in this script. The first step creates a file “~F9.TMP” with the contents “MZ”:

Figure 4: First step in “creating” an executable

The second step adds the contents of the new file (“MZ”) to the start of a file named “~AFER125419.TMP”. The file “~AFER125419.TMP” is actually the name of the object embedded in the original executable:

Figure 5: Second step in creating an executable

After the “MZ” header is added, the new file is the same as the one shown in Figure 1. Although the file retains the .TMP extension it can still be run as an executable from the command line:

Figure 6: Third step in creating an executable

In the final step, the binary is copied to the Windows “Startup” folder, renaming it as an executable and ensuring that it will run on the next computer startup. This provides persistence for the malware on the targeted machine.

Figure 7: Fourth step in creating an executable

How It Helps Them and Hurts Us

The malicious document used in this instance was in fact detected by antivirus companies, largely due to its use of an equation editor exploit with minimal obfuscation and an embedded object. However, when dropped to disk the embedded object is only detected by 2/58* of the antivirus companies on VirusTotal. When the object is completed by adding the “MZ header,” this detection ratio jumps to 40/71*, demonstrating that the lack of an MZ header confuses automated systems and analysts alike. The fact that the binary can run as an executable only after being modified by a downloaded script provides several layers of distraction from the actual threat.

  • First, the computer must have access to the internet; this prevents the binary from running in some sandboxes and analysis environments which by default do not have internet access. It also ensures that any manual static analysis done on the binary will determine the binary to be “broken,” increasing the likelihood that it will be ignored.
  • In order for further analyses to take place, the script must still be available. If the script is unavailable due to the threat actor taking it down or any other reason, the binary never becomes an executable and is unlikely to be detected.
  • Finally, if the script is downloaded separately and run, it will create two 2-byte files and display an error message, further reinforcing its appearance as a poorly put together malware campaign.

Why It Matters

Information overload is a serious problem for any enterprise. To quickly process and prioritize information, both analysts and technical defenses will sometimes ignore “broken” files that do not run. If these files are recognized as a threat, analysts are often still forced to prioritize more obviously damaging malware instead of fixing a “broken” sample. Even if these steps are taken, the binary delivered in this campaign was only functional if a very specific set of criteria were met. This type of multi-stage execution designed to avoid detection is infrequent yet no less dangerous. To protect themselves from similar threats, organizations need to invest in both preventative programs and training as well as resources that use human experience in addition to automated malware analysis to uncover threats.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


Table 1: File IoCs

File Name MD5 Hash
9t3R1Ng5(.hta) c0266ac68a5de7c08fee0e7bd4b3b4aa
Enerson Energy_2018&2019_quotation.doc fa447b70e2550d66f0ebfa704a4c9552
~AFER125419.tmp 32c4c5186c0affa8c5f630253bbf5acc
~191AEF9.tmp 135dedc1e10a7d78f906cb485b328145


Table 2: Network IoCs**




All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


* These statistics were from a sample analysis done on 2019-03-25.

** pastebin[.]com is not inherently malicious

Emotet Update: New C2 Communication Followed by New Infection Chain

CISO Summary

On March 15, CofenseTM Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense IntelligenceTM has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of  behavior. Switching this up makes it harder to see when the malware is calling home.

Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office documents. These changes in behavior and delivery methods are the threat actors’ latest attempts to keep ahead of network defenders. They will very likely require security teams to adjust—once more.

Full Details

Cofense Intelligence has observed a change in the way that the Emotet botnet communicates, along with  the use of a new infection chain. In past versions, a compromised client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14th, this changed. The clients have begun to perform HTTP POST’s to what appear to be their C2’s. An educated guess: the primary driver behind this transition appears to be an attempt to bypass established detection methods. In tandem with this update, Geodo has begun experimenting with delivering its binaries with JavaScript files acting as droppers, and not via Office documents laden with macros as has been most common.

Historically, Geodo has passed data to its C2 using the Cookie field of the HTTP header. Information about the system, as well as identifiers, would be encrypted, wrapped in Base64 and added to the HTTP header before transport. This was a consistent and easily identifiable pattern of behavior, which led to near universal enterprise detection. Figure 1 shows an example of this exfiltration method.

Figure 1: An example of classic Geodo C2 comms using the Cookie field. Source: app.any.run

Despite being a valid and oft-used header field, there are several other tells – such as direct communication with an IP address for which no DNS resolution was performed. This, when combined with the cookie, is an easy way to identify a Geodo infection calling home.

The latest iteration of Geodo, however, has transitioned away from this legacy method to submitting data to its C2 via HTTP POST as a form. Figure 2 shows an example of this updated communication method.

Figure 2: The new method of C2 comms

Experimenting with JavaScript

Geodo operates various tiers of payload distribution by using payload-agnostic droppers and relying on the Windows file-type handlers to correctly execute what is downloaded. This means that payloads can be hot-swapped at any point during a campaign. This behavior was observed late in 2018 when a payload location, for a short period of time, swapped a Geodo executable for that of QakBot. By making the payload system agnostic, the actors behind Geodo can experiment with varying payloads without affecting the overall integrity of the infection chain. Despite the sophistication and robustness of the Geodo delivery infrastructure, the JavaScript payload observed by Cofense Intelligence was minimally obfuscated and immediately legible to an experienced eye. If one traces the execution, though, things begin to become a little bit murky. Figure 3 shows a snippet of the obfuscated dropper, verbatim.

Figure 3: The obfuscated payload showcasing cleartext strings

After deobfuscation, the flow of the code is somewhat easier to interpret. The code is broken out into 5 distinct functions, with two anonymous functions—one at the head and one at the tail—responsible for execution. Figure 4 shows the first two functions and an array.

Figure 4: Two functions responsible for shuffling an array and retrieving an element by index, respectively.

The shuffling function is likely there to slow down manual analysis of the file. It could also be used to defeat unsophisticated emulation techniques. The second function simply returns an item from an array by its index.

The next two functions, seen in figures 5 and 6, are responsible for downloading and response code verification, and looping through available URLs, respectively.

Figure 5: The code responsible for downloading payloads and verifying the response code

Figure 6: Looping through five URLs, and attempting to execute the retrieved payload

Although the dataset is entirely too small to accept as correlation, the use of 5 payload locations is in line with the standard Geodo modus operandi. During analysis, it was noticed that one of the payloads was not like the others, however. Figure 7 shows the rather interesting subject matter returned during analysis of the payload locations.

Figure 7: A blog page returned in lieu of a binary payload.

Figure 8 shows the code responsible for finding the path of, and writing files to, the %temp% directory.

Figure 8:  The dropper generates a pseudo-random filename as which to write the file

Figure 9 is the code responsible for kicking off the main functions of the script.

Figure 9: The code responsible for starting the download and execute operations. Comments added for clarity

With routine changes in behavior and delivery methods, Geodo’s operators consistently find ways to evolve how the botnet behaves—always attempting to stay ahead of the cat-and-mouse game they play with network defenders. The change in how form data is passed will almost certainly allow Geodo to overcome certain detection technologies, requiring immediate retooling. Identifying a highly dynamic family, such as Geodo, requires highly agile security infrastructure coupled with responsive threat intelligence.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

CISO Summary

Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective.

Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates.  GandCrab is the last of the infamous “ransomware as a service” threats. The extent to which its creators make upgrades, parrying and thrusting with security researchers, shows it’s still a very real weapon for revenue-hungry criminals.

Full Details

Recent updates to GandCrab Ransomware demonstrate that its operators remain committed to the malware’s effectiveness and are prepared to make urgent changes to overcome disruptions. Shortly after a coordinated public release of a decryptor tool for infections of GandCrab versions 5.0.4 through 5.1, Cofense Intelligence observed GandCrab v5.2 campaigns that rendered the tool ineffective.  In a recent phishing email delivering GandCrab, a fabricated flu epidemic alert from the Center for Disease Control (CDC) was crafted to terrify recipients into opening an attached document. Far from receiving potentially life-saving instructions, the Office document was laden with macros, coded to download and execute a copy of—you guessed it— GandCrab v5.2.

Natural disasters, global geopolitical events, and pandemics are perfect narrative drivers for threat actors seemingly devoid of conscience, tact, or taste. Self-preservation is a human imperative, and such narratives that evoke fear and urgency are potentially more effective than those exploiting greed, empathy, or curiosity, other typical phishing narratives.

Coughs and Splutters

Despite leveraging a powerful concept, the execution of the observed campaign leaves much to be desired. Figure 1 shows the body of a typical message from this campaign.

Figure 1: a typical message observed during this campaign

Ostensibly, the message is well-structured, somewhat professional and believable. However, a closer read would note the grammatical errors and unusual statements. The content of the attached document continues this trend, with such preposterously low effort as compared to the effort put into the phishing email. Figure 2 shows the content of the document, displayed to the user while the macros are busy downloading and executing GandCrab.

Figure 2: the content of the document, typically deployed as a decoy.

In scenarios that leverage weaponized documents as the attack vector, threat actors often disseminate believable content to distract the user while whatever required background processes run.

Where’s Trik?

A noticeable deviation from the recent standard GandCrab protocol is the absence of an intermediate loader. Since Feb 2019, all phishing campaigns that ultimately served GandCrab did so via Trik, a spambot with pretentions of data-stealer. Certainly not a wholly unique occurrence, it does reverse a trend that had been forming.

Despite ransomware becoming less and less lucrative, the actors behind GandCrab continue to push out extremely frequent and pertinent updates. On February 19th 2019, Bitdefender released a decryption tool for GandCrab V5.1. Later that same day, it came to light v5.2 – a version for which no available decryption utility would work – had already been released, seemingly in direct response to the decryption utility.

GandCrab is the last great bastion of the ransomware-as-a-service world. Its frequent updates, active engagement with security researchers, and novel abuse of vulnerabilities and weaknesses makes it a very real, and potentially very devastating, threat. By appealing to fear and self-preservation, this campaign highlights to what lengths threat actors will go to generate revenue.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


Flu pandemic warning.doc        054607600b11e09fa74aa39c790357d6

perdaliche.exe                         b47b281a8d1f227d6a7f48f73192e7ed






All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2.  In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s.  The URI’s contacted contain variable words in the paths.  We are seeing form data passed with a name variable and data.  This change will break researchers as well as certain detection technologies while they scurry to retool.  We will continue to track this change and analyze what this means. Further details to come.


Emotet E1 Client hash: e0f04e2fbf3beed2dc836567006890f6f0442db78248cc2fd049437547be462e

Seen POST Uri’s


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

CISO Summary

Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan.

Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns.

Technical controls can help combat this threat, for example, blocking connections to TOR nodes and inspecting network traffic for connections attempts. More proactively, educate end users on evolving phishing tactics.

Full Details

Cofense IntelligenceTM has analyzed a phishing campaign delivering a banking trojan and targeting Russia and neighboring countries. Read The Manual (RTM) Bot is created by a cyber group known by the same name. The RTM group is targeting the financial departments within different industry sectors. This modular banking trojan has many unique features, such as stealing data from accounting software and harvesting smart card information. This newest version uses The Onion Router (TOR) communication protocol. These campaigns are typically written in Cyrillic and use the Monthly Payment lure. Figure 1 shows an email associated with this campaign.

Figure 1: An email associated with this phishing campaign

RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine. Figure 2 shows the accounting software strings found in the memory of this sample.

Figure 2: Strings associated with accounting software

Some accounting software requires the use of a smart card to authenticate to the software and access data associated with it. RTM Bot attempts to locate these smart card readers by scanning the registry and attached devices. If a smart card is found, the banking trojan then interacts with the Winscard API function to harvest information. The harvested information is then held within the memory buffer until it is sent to the C2. Figure 3 shows some memory strings associated with the smart card search and API interaction.

Figure 3: Memory strings associated with the smart card search and API interaction

Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine. Figure 4 shows the GET request.

Figure 4: The GET request for the external IP of the machine

Other values collected by RTM Bot during the fingerprinting of the machine include:

  • Username
  • Machine name
  • Logged on user privileges
  • OS version
  • Anti-virus installed
  • Time zone
  • Default language

Previous iterations of this malware used Blockchain Domain Name Services (BDNS) for its C2 infrastructure. The biggest change in the new version is the switch to using The Onion Router (TOR) communication protocol for its C2 infrastructure. Note that RTM Bot does not install a TOR client. Instead it uses the onion libraries, which are often called TOR SOCKS. By not installing a client onto the machine, RTM Bot minimizes its chances of being detected by anti-virus manipulating the Operating System (OS). Figure 5 shows memory strings associated with the TOR C2 infrastructure.

Figure 5: Memory strings associated with the TOR C2 infrastructure

Using the TOR protocol for communication helps threat operators in many ways. The first is that the communication is encrypted at the application layer of the OSI model, which adds an extra layer of encryption to the traffic. Another reason is the privacy that the TOR network affords the threat actors. This is done by passing the data through a network of relay points using layers of encryption. Each relay point decrypts a layer that reveals the next destination and routes the packet respectively. The relay point, however, does not know the next destination or the final destination the packet should reach. This routing scheme helps eliminate eavesdropping, because the router doesn’t know the end to end connections created, as well as the obfuscation by multiple layers of encryption.

RTM Bot has many of the common capabilities of banking trojans, including keylogging and screen captures. The malware can be pre-compiled with modules or it can download and execute the modules as instructed by the C2. The RTM cyber group focuses on financial departments within business in specific countries but can very easily shift its aim.

The newest version using the TOR communication protocol shows the group is actively developing this banking trojan for the future. Blocking connections to TOR nodes and inspecting network traffic for connection attempts will help mitigate the exfiltration of information. However, educating end users about phishing campaign threats and maintaining the threat knowledge base is the key to avoiding these threats.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

CISO Summary

Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot.

Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to educate employees by simulating phishing emails containing diverse malware threats.

Full Details

Cofense IntelligenceTM analyzed a phishing campaign that delivered an all-in-one ransomware/cryptominer/stealer/worm/keylogger called Lime Remote Administration Tool (RAT). Lime RAT’s code is written in C# and is dependent on .NET 4.0. Lime RAT is part of a malware library which includes Lime_Miner, Lime_Crypter, and Lime_USB. This malware is open source and touts itself as a teaching tool for .NET malware. But being feature-rich and well-documented, Lime RAT can also be used for nefarious actions by malicious operators.

An interesting feature of this malware family is the use of multiple ports for communication, which establishes redundancy for the communication channels. The initial setup of the Lime RAT building platform and panel needs only two things: port numbers and an AES (Advanced Encryption Standard) 128-bit encryption key. The port number is used to open a port to listen on the server. The AES key is used to encrypt all communication between the client and the server. Figure 1 shows the initial setup pane with the ports and AES key as discussed above.

Figure 1: Setup process for Lime RAT

The builder for the payloads is simply comprised of checkboxes and text input fields that even the most novice operators can use to produce effective, malicious binaries. This panel allows you to customize the payload with different features and icons. It also allows you to set the Command and Control (C2) infrastructure and the location for the persistent drop file on the targeted machine. Figure 2 shows the features available to customize each payload, including the anti-virtual machine option.

Figure 2: Features available to the Lime RAT payloads

When the Lime RAT payload has been created, sent to and executed on a target machine, the binary connects to the panel. When the client connects, it sends information to the control panel and includes details about the operating system, CPU, user, country, and more. The control panel gives the option to automatically assign a task for the client, for example, downloading and executing a specific file. Figure 3 shows the control panel populated with information from the connected client, while Figure 4 shows the ‘OnConnect’ automatic tasking panel.

Figure 3: Control panel view of an infected client machine connected to the C2 infrastructure

Figure 4: ‘OnConnect’ automatic tasking options

The control panel allows the operator to manipulate the target by right-clicking on the selected machine and choosing a command. This is where the operator can specify the method of attack: initiate the encryption for ransomware, drop a Monero miner, enable Remote Desktop Protocol (RDP), steal information/cryptocurrency, and more. Figures 5 and 6 show the options available to the operator for a given target.

Figure 5: Ransomware and other plugins for the target machine

Figure 6: Keylogging and persistence options for the targeted machine

The ransomware feature lets you customize the message as well as the image displayed. When the targeted host is encrypted with the ransomware aspect of this RAT, the file extensions are turned to ‘.Lime’. Figure 7 shows the customizable message and default image that displays to the client after the encryption has been initiated.

Figure 7: Lime RAT’s default ransomware message

The keylogging feature is not very advanced in what it collects. It can only collect what is entered by the keyboard and not what is auto-filled or added from the clipboard. The keylogger output does show a timestamp and which application the text was written in. Figure 8 shows the control panel output of a running keylogger module on a client infected with Lime RAT.

Figure 8: Collection of text from the keylogger module

As shown earlier in Figure 2, Lime RAT can spread like a worm. When the payload is built, the operator can specify the ‘USB spreading’ and ‘pinned task bar application spreading’ features be included within the payload. The USB spreading feature looks for any connected type 2 device and then attempts to replace any file with an executable version of Lime RAT. When doing this, Lime RAT will keep the original icon for the file that has now been infected. The spreading through the pinned task bar applications takes it one step further by replacing the shortcut path to which those icons are linked.

The ‘Thumbnail’ tab (Figure 9) within the control panel of Lime RAT is a screengrab of the infected machine. This screengrab can be turned on or off and has a timer that defaults to 5 seconds between screen grabs.

Figure 9: ‘Thumbnail’ tab that holds the screen grabs of the infected machines

Logging in Lime RAT is not nearly as advanced as we’ve seen in other RATs. As shown in the Figure 10, the ‘Logs’ tab only logs timestamps and IPs of connections and disconnections.

Figure 10: ‘Logs’ tab and the connections made

Lime RAT is an open source, well documented, .NET framework malware suite with multiple features that make it devastating when properly used. The ability for this malware to steal a wide range of valuable information, encrypt for ransom, and/or turn the target host into a bot with basic capabilities, mixed with an intuitive control panel display, makes it a likely choice for novice operators. The anti-virus evasion, anti-virtual machine feature, the small footprint, and encrypted communications would appeal to threat actors across the capability spectrum. The number one way to keep multivariate threats like Lime RAT from infecting a machine via a phishing campaign is to educate the end user on suspicious emails and attachments.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

A Closer Look at Why the QakBot Malware Is So Dangerous

CISO Summary

Cofense Intelligence ™ recently reported a phishing campaign distributing the QakBot malware. QakBot infestation is a significant threat, so be sure to share today’s follow-up post with your SOC analysts.

We’ll drill down into the novel techniques QakBot uses to stymie detection and manual analysis. This sophisticated banking trojan, which Cofense™ has seen distributed via the Geodo/Emotet botnet, uses multiple tools to cover its tracks and steal credentials. The threat actors who have developed it are creative and aggressive.

With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat

CISO Summary

The Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support infrastructure. Cofense IntelligenceTM has recently seen this basic and widely available Remote Access Trojan benefit from these upgrades, which help it to access webcams, microphones, and other utilities as Revenge RAT does recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to wreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal information, and distributing other malware.