Moker remote access trojan comes with anti-sandboxing features, VM evasion, and screenshot capabilities

Oct 9, 2015 07:20 GMT  ·  By

A new Remote Access Trojan (RAT) has been detected and analyzed by the security researchers at enSilo, and this threat comes with unique features that allow it to go completely undetected by all antivirus engines hosted on Google's VirusTotal service.

This new RAT has been named Moker by the enSilo team, after a string the malware's creator left behind in the main file's description field.

As enSilo explains, this new RAT was found in the corporate network of one of the companies they are paid to protect, and it seems to have been crafted for this type of covert operation inside enterprise networks.

The enSilo security experts cannot pinpoint the exact method through which Moker infects the network, but they say that when this happens, the RAT is installed in two different stages, so security protections won't be alerted by the intrusion.

Two-stage installation and a few other tricks allow it to avoid detection

First, the Moker authors plant a component named the "dropper," which installs the malware infrastructure while taking care not to trigger security measures on the corporate network or the local computer.

The dropper then installs the second component, known as the "payload," which is downloaded from the Internet or fetched from another local source and contains the actual malicious code that attacks and infiltrates the infected computer.

This is done by exploiting Windows OS design flaws, tapping into operating system processes, bypassing the User Access Control (UAC) feature, and eventually granting itself system-level privileges.

Once this is achieved, Moker is ready for communications and contacts its C&C server which, according to enSilo, is located somewhere in Montenegro. This is not a clue to the attackers' nationality or location, as enSilo remarks.

Moker can be controlled even if Internet access is restricted

If the corporate network does not allow outside communications (because of a firewall, VPN, etc.), or is air-gapped (disconnected from the Internet), the Moker RAT also features a local control system, which allows attackers to control and operate their tool from inside the local network (provided they have obtained credentials for the local VPN in the meantime, or have an insider placed within the targeted company).

Moker can be used to steal any kind of data the attacker desires from infected PCs, since once installed it is able to take full control over a target.

This means creating a new user account from which to operate, altering security settings, editing sensitive files, recording Web traffic, key-logging, taking screenshots, and transferring files to its C&C server.

Besides this set of unique features, the Moker trojan was also designed to evade reverse engineering by security tools and researchers, coming with components that allow it to avoid common security debugging tools, virtual machines, sandboxed environments, and antivirus scanners.

Image: Moker RAT control panel

Image: Moker RAT targets corporate networks