LimeRAT is a powerful Remote Administration Tool that is publicly available to any Internet user. However, lately, it has been found that cybercriminals are using a unique infection technique to spread the malicious sample without being detected by anti-virus software.
How does the infection process start - The whole infection process begins with an LNK file. It enables the attackers to download and run a PowerShell file named ‘rdp.ps1’ from a remote location. The retrieved PowerShell file is later used as a dropper in the second stage of the infection process.
“This script firstly retrieves the version of the Windows OS installed on the target machine using the “Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty Version” command. Then, depending on the returned value, it runs a couple of privilege escalation exploits able to bypass the UAC (User Account Control) feature, a well-known security mechanism introduced since Vista to avoid unauthorized system configuration changes,” the Yoroi researchers wrote.
What are its capabilities - A close investigation by the researchers from Cybaze-Yoroi revealed that the malware is capable of registering itself as ‘Critical Process’ on the infected systems. And if the user tries to kill it, a Blue Screen of Death (BSoD) is displayed on the screen.
Besides this peculiar trick, the malware also includes a set of other dangerous capabilities such as:
Upon successful installation, the malware’s command and control infrastructure abuse the Pastebin service to gain persistence on a victim’s system.
Publisher