- The whole infection process begins with an LNK file.
- The malware is capable of registering itself as ‘Critical Process’ on the infected systems.
LimeRAT is a powerful Remote Administration Tool that is publicly available to any Internet user. However, lately, it has been found that cybercriminals are using a unique infection technique to spread the malicious sample without being detected by anti-virus software.
How does the infection process start - The whole infection process begins with an LNK file. It enables the attackers to download and run a PowerShell file named ‘rdp.ps1’ from a remote location. The retrieved PowerShell file is later used as a dropper in the second stage of the infection process.
“This script firstly retrieves the version of the Windows OS installed on the target machine using the “Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty Version” command. Then, depending on the returned value, it runs a couple of privilege escalation exploits able to bypass the UAC (User Account Control) feature, a well-known security mechanism introduced since Vista to avoid unauthorized system configuration changes,” the Yoroi researchers wrote.
What are its capabilities - A close investigation by the researchers from Cybaze-Yoroi revealed that the malware is capable of registering itself as ‘Critical Process’ on the infected systems. And if the user tries to kill it, a Blue Screen of Death (BSoD) is displayed on the screen.
Besides this peculiar trick, the malware also includes a set of other dangerous capabilities such as:
- USB drive propagation;
- Infecting all files and folders on USB drives;
- Using startup methods to evade detection;
- Virtual machines and analysis box awareness to avoid detection;
- Info-stealer and Crypto-stealer modules;
- Keylogger module;
- Backdoor and RDP access.
Upon successful installation, the malware’s command and control infrastructure abuse the Pastebin service to gain persistence on a victim’s system.