- Parasite HTTP contains extensive detection-evading features.
- The malware was observed being used in an email campaign targeting the information technology, healthcare, and retail industries.
A new remote access trojan (RAT) dubbed Parasite HTTP was recently discovered by security researchers, who found the malware advertised for sale on the dark web. The malware was observed being used in an email campaign targeting the information technology, healthcare, and retail industries.
The RAT comes packed with various detection-evading features such as anti-debugging, anti-sandbox, and anti-emulation capabilities. Parasite RAT is also modular, which allows cybercriminals to add capabilities to the malware or download further modules after Parasite has infected a targeted system.
Parasite RAT features
According to the dark web advertisement of the malware, Parasite RAT is written in C++ and contains features such as dynamic API calls, encrypted strings, secure C2 panel written in PHP, firewall bypassing capabilities, multiple backup domains and more.
The malware is also capable of stealing browser passwords, instant messenger passwords, email passwords, Windows license keys and more.
“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed,” Proofpoint researchers wrote in a blog.
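The practical consequence of the behaviour described above is that a sandbox run which ends in an early crash or a near-silent exit cannot be read as a clean result. The following triage heuristic is an added illustration of that point; it is not code from Proofpoint or from the article, and the report format, field names, and thresholds are constructed for the example.

```python
"""Sandbox report triage: treat quiet or crashed runs as inconclusive, not clean.

Added example. The SandboxReport structure, the thresholds, and the sample
reports below are all constructed for illustration; real sandboxes expose
different fields and you would tune the thresholds to your own baseline."""

from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class SandboxReport:
    sample: str
    exit_reason: str                 # constructed values: "exited", "crashed", "timeout"
    runtime_seconds: float
    api_calls: int                   # monitored API calls observed during the run
    network_connections: int
    files_written: int
    children_spawned: int
    static_indicators: List[str] = field(default_factory=list)  # e.g. "encrypted_strings"

# Constructed thresholds: below these, the run was too short or too quiet to trust.
MIN_EXPECTED_RUNTIME = 5.0
MIN_EXPECTED_API_CALLS = 50

def verdict(report: SandboxReport) -> str:
    """Classify a report as 'behaviour_observed', 'inconclusive', or 'quiet_clean'.

    Only 'quiet_clean' may be treated as a negative result. A crash, a short
    run, a low call count, or static signs of obfuscation with no behaviour
    all match what a sandbox-aware sample looks like and go to manual review."""
    if report.network_connections or report.files_written or report.children_spawned:
        return "behaviour_observed"        # hand off to normal behavioural rules
    ran_short = report.runtime_seconds < MIN_EXPECTED_RUNTIME
    ran_quiet = report.api_calls < MIN_EXPECTED_API_CALLS
    crashed = report.exit_reason == "crashed"
    if crashed or ran_short or ran_quiet or report.static_indicators:
        return "inconclusive"
    return "quiet_clean"

def triage(reports: List[SandboxReport]) -> Dict[str, str]:
    """Map each sample name to its verdict."""
    return {r.sample: verdict(r) for r in reports}

# Constructed sample reports, not real sandbox output.
SAMPLE_REPORTS = [
    # Crashed after a second with almost no activity and obfuscated strings:
    # exactly the pattern the article warns about.
    SandboxReport("sample_a.exe", "crashed", 1.2, 12, 0, 0, 0, ["encrypted_strings", "packed"]),
    # Full run, plenty of calls, nothing suspicious statically or dynamically.
    SandboxReport("sample_b.exe", "exited", 40.0, 3000, 0, 0, 0),
    # Observable behaviour; normal behavioural rules take over.
    SandboxReport("sample_c.exe", "exited", 12.0, 400, 2, 1, 0),
    # Ran the full time but stayed silent; low call count alone is enough to flag.
    SandboxReport("sample_d.exe", "timeout", 60.0, 8, 0, 0, 0),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_REPORTS).items():
        print(f"{name}: {result}")
```

The design choice worth noting is that the heuristic never issues "clean" on the strength of silence: a sample only reaches `quiet_clean` when it ran for the expected time, generated a normal volume of activity, and carried no static indicators such as the encrypted strings and packing that the advertisement for this malware boasts about.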
Parasite is new but can spread
The new Parasite RAT campaign leveraged human resources distribution lists across various organizations. The phishing emails posed as CVs, with subject lines purporting to be job applications.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems,” Proofpoint researchers said. “While we have currently only observed Parasite HTTP in a small campaign, we expect to see features like those used in Parasite continue to propagate across other malware variants.”