The DLL is tagged as "spankrat" on VT
🔥 126ad23d3e0924397149062b78421511
🔥 45.131.214.132:9000
https://www.virustotal.com/gui/file/73e0c98b83f9be28ff8a58f6f6d7c9729dd54c6e820baebf1ee472a9bb7eaa6d/detection

#mikey #spankrat #r002c0ddm26

🚨 Spank: Legitimate Process Abuse, Delayed Detection, and RAT Persistence.
We caught a two-component Rust-based RAT toolkit we're calling #SpankRAT. Because C2 traffic originates from legitimate system processes, this activity can bypass reputation-based controls and be deprioritized during triage, reducing SOC visibility and increasing the risk of missed compromise. As a result, attackers gain stealthy persistence and hands-on control within the environment ⚠️
❗️ At the time of analysis, most samples remain undetected on VirusTotal.

⚡️ Behavioral analysis is essential for detecting threats like this. #ANYRUN Sandbox reveals the full execution chain, injection activity, C2 communication, and privilege escalation in real time, helping teams confirm malicious activity faster when traditional detection fails.

1๏ธโƒฃ The attack starts with ๐—ฆ๐—ฝ๐—ฎ๐—ป๐—ธ๐—Ÿ๐—ผ๐—ฎ๐—ฑ๐—ฒ๐—ฟ, a lightweight loader that retrieves the main payload from C2 over plain HTTP, escalates privileges, and injects it into ๐—ฒ๐˜…๐—ฝ๐—น๐—ผ๐—ฟ๐—ฒ๐—ฟ.๐—ฒ๐˜…๐—ฒ using classic DLL injection, establishing persistence via a Scheduled Task.

2๏ธโƒฃ Once loaded inside explorer.exe, ๐—ฆ๐—ฝ๐—ฎ๐—ป๐—ธ๐—ฅ๐—”๐—ง communicates with C2 over WebSocket and provides full remote access to the system. The full-featured variant supports ๐Ÿญ๐Ÿด ๐˜€๐—ฒ๐—ฟ๐˜ƒ๐—ฒ๐—ฟ ๐—ฐ๐—ผ๐—บ๐—บ๐—ฎ๐—ป๐—ฑ๐˜€ covering remote shell execution, file management (list/read/upload/delete/rename), process enumeration and killing, Windows service control (start/stop/restart), full registry CRUD, scheduled task manipulation, and software inventory.

🔗 Execution chain:
SpankLoader ➡️ Download from C2 ➡️ Drop DLL to C:\ProgramData\ ➡️ SeDebugPrivilege ➡️ DLL injection into explorer.exe ➡️ Scheduled Task (persistence) ➡️ SpankRAT ➡️ WebSocket C2 ➡️ RAT 🚨

๐—™๐—ถ๐—ป๐—ฑ ๐˜๐—ต๐—ฒ ๐—ณ๐˜‚๐—น๐—น ๐—–๐Ÿฎ ๐—ฐ๐—ผ๐—บ๐—บ๐—ฎ๐—ป๐—ฑ ๐˜€๐—ฒ๐˜ ๐—ฎ๐—ป๐—ฑ ๐—œ๐—ข๐—–๐˜€ ๐—ถ๐—ป ๐˜๐—ต๐—ฒ ๐—ฐ๐—ผ๐—บ๐—บ๐—ฒ๐—ป๐˜๐˜€ ๐Ÿ“Œ

👨‍💻 See the analysis session: https://app.any.run/tasks/56306614-e569-4ace-a9ce-b27c3b983618/?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktoservice&utm_term=160426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktotilookup&utm_term=160426#%7B%22query%22:%22url:%5C%22*/download/rmm_agent.dll*%5C%22%22,%22dateRange%22:60%7D

🚀 Strengthen your SOC, detect complex threats faster, and boost team performance with #ANYRUN: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktoenterprise&utm_term=160426

#cybersecurity #infosec
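The execution chain in the post (DLL dropped to C:\ProgramData\, loaded into explorer.exe, scheduled task created, explorer.exe talking to the C2 on 45.131.214.132:9000, payload fetched from a */download/rmm_agent.dll URL) maps onto a handful of host-telemetry indicators that a SOC can correlate even when the binaries themselves are undetected. The correlator below is an added example and not ANY.RUN's or the analysts' code. It reads constructed Sysmon-style events (field names follow Sysmon's Image, ImageLoaded, TargetFilename, DestinationIp, DestinationPort, CommandLine, Hashes; the hosts, paths and command lines are made up) and uses only the IOCs published in the post: the MD5 126ad23d3e0924397149062b78421511, the C2 endpoint, and the download path fragment. The per-host threshold of two distinct indicators is an assumption chosen for the example, not a value from the analysis.

```python
"""Correlate Sysmon-style host events into SpankLoader/SpankRAT-chain alerts.

Added example; the event records below are constructed, and only the IOCs
(MD5, C2 IP:port, download path) are taken from the published analysis.
"""
from collections import defaultdict
from ipaddress import ip_address

# IOCs from the post. Everything else in this file is constructed.
IOC_MD5 = {"126ad23d3e0924397149062b78421511"}
IOC_C2 = {("45.131.214.132", 9000)}
IOC_URL_FRAGMENT = "/download/rmm_agent.dll"

# Directories explorer.exe is expected to load DLLs from (lower-cased prefixes).
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ALERT_THRESHOLD = 2  # assumed: two distinct indicators on one host raise an alert


def is_explorer(image: str) -> bool:
    return image.lower().endswith("\\explorer.exe")


def parse_hashes(field: str) -> dict:
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into a dict."""
    return {k.upper(): v.lower() for k, v in
            (part.split("=", 1) for part in field.split(",") if "=" in part)}


def indicators_for(event: dict) -> list:
    """Map one telemetry event to zero or more named indicators."""
    hits = []
    etype, image = event["type"], event.get("Image", "")
    if etype == "ImageLoaded" and is_explorer(image):
        if not event["ImageLoaded"].lower().startswith(TRUSTED_DLL_DIRS):
            hits.append("explorer_loads_dll_outside_trusted_dirs")
    if etype == "NetworkConnect" and is_explorer(image):
        ip, port = event["DestinationIp"], int(event["DestinationPort"])
        if (ip, port) in IOC_C2:
            hits.append("known_c2_endpoint")
        elif ip_address(ip).is_global and port not in (80, 443):
            hits.append("explorer_outbound_nonstandard_port")
    if etype == "FileCreate":
        target = event["TargetFilename"].lower()
        if target.startswith("c:\\programdata\\") and target.endswith(".dll"):
            hits.append("dll_dropped_in_programdata")
    if etype == "ProcessCreate":
        cmd = event.get("CommandLine", "").lower()
        if "schtasks" in cmd and "/create" in cmd:
            hits.append("scheduled_task_created")
    if etype == "HttpRequest" and IOC_URL_FRAGMENT in event["Url"].lower():
        hits.append("known_payload_download_url")
    if parse_hashes(event.get("Hashes", "")).get("MD5") in IOC_MD5:
        hits.append("known_sample_hash")
    return hits


def evaluate_hosts(events: list) -> dict:
    """Aggregate distinct indicators per host and decide whether each host alerts."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(indicators_for(ev))
    return {host: {"indicators": sorted(inds), "alert": len(inds) >= ALERT_THRESHOLD}
            for host, inds in per_host.items()}


# Constructed sample telemetry: ws-01 follows the described chain, ws-02 is clean.
LOADER = r"C:\Users\user\AppData\Local\Temp\loader.exe"      # constructed path
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "HttpRequest", "Image": LOADER,
     "Url": "http://c2.example/download/rmm_agent.dll"},       # constructed host
    {"host": "ws-01", "type": "FileCreate", "Image": LOADER,
     "TargetFilename": r"C:\ProgramData\rmm_agent.dll"},
    {"host": "ws-01", "type": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Updater /sc onlogon /tr <placeholder>"},
    {"host": "ws-01", "type": "ImageLoaded", "Image": EXPLORER,
     "ImageLoaded": r"C:\ProgramData\rmm_agent.dll",
     "Hashes": "MD5=126ad23d3e0924397149062b78421511"},
    {"host": "ws-01", "type": "NetworkConnect", "Image": EXPLORER,
     "DestinationIp": "45.131.214.132", "DestinationPort": 9000},
    {"host": "ws-02", "type": "ImageLoaded", "Image": EXPLORER,
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"host": "ws-02", "type": "NetworkConnect", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, result in evaluate_hosts(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "ok", result["indicators"])
```

The behavioural indicators (explorer.exe loading a DLL from outside Windows or Program Files, explorer.exe connecting to a public address on a non-web port, a DLL written under C:\ProgramData\, schtasks /create) still fire after the operators rotate hashes and infrastructure; the IOC matches simply raise confidence while the published indicators remain valid.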