Microsoft Users Now At Risk—New Update Destroys Windows (2025)

Just as Microsoft escalates warnings for the 800 million Windows users risking an end to security updates, here comes a reminder as to why that will be a nightmare come true: An updated malware threat not only “bypasses traditional security measures” to steal passwords, but it even now “has the capability to destroy Windows OS.”

The updated version of Neptune RAT, reports Cyfirma, has now been shared on GitHub by its developers. The remote access trojan “incorporates advanced anti-analysis techniques and persistence methods to maintain its presence on the victim’s system for extended periods and comes packed with dangerous features, including a crypto clipper, password stealer with capabilities to exfiltrate over 270+ different applications’ credentials, ransomware capabilities, and live desktop monitoring.”


Once installed on a PC, a RAT can take over the system and act as a direct conduit to its handlers, sending and receiving data and instructions. This updated malware includes many of the latest techniques to avoid detection and ensure its outcomes are achieved.

All told, Cyfirma warns this is “an extremely serious threat,” and it is being pushed out across multiple channels, including Telegram and YouTube, “often marketed with phrases like ‘Most Advanced RAT.’ This indicates its widespread use by cybercriminals targeting Windows users.” What’s worse, the version of the malware being touted is unlikely to be the most sophisticated version available. The developers “hint at a more advanced version behind a paywall.” This marketing masquerades as cybersecurity education and training, but in reality it “raises serious security concerns.”


The malware’s password stealing capabilities will raise particular concerns, and it’s primed with a Chromium.dll stealer that can attack “various browsers, including Chrome, Opera, Yandex, 360Chrome, Comodo Dragon, Coolnovo, Torch, Chromium, and Brave.” The stealer “extracts browser data from the default LocalApplication folder, where credentials are stored in an encrypted format. After extracting the data, the malware decrypts the credentials and sends them to the attacker’s server.”

As we have seen multiple times recently, this RAT also piggybacks on core Windows system processes for stealth and persistence. This helps obfuscate against security analysis and also reboots the malware with a system restart. “The malware creates a persistent scheduled task in Windows using schtasks.exe. It sets the task to run every minute (/sc minute /mo 1) and executes a command by passing the file path parameter. The task runs silently (WindowStyle.Hidden) and forces creation (/f).”
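The scheduled-task persistence described above is what a defender would look for in process-creation telemetry. The following is a constructed detection example added here, not code from Cyfirma or the report: it parses schtasks.exe command lines (the sample lines are constructed, not real telemetry) and flags a task created to run every minute, forced with /f, whose action lives in a user-writable path or is launched from a hidden PowerShell window.

```python
import re

# Constructed process-creation command lines, as Sysmon Event ID 1 or Windows
# Event ID 4688 would record them. Illustrative only, not telemetry from the report.
SAMPLE_COMMAND_LINES = [
    'schtasks.exe /create /tn "WinUpdate" /tr "C:\\Users\\Public\\svc.exe" /sc minute /mo 1 /f',
    'schtasks.exe /create /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\bk.exe" /sc daily /st 02:00',
    'schtasks.exe /query /fo csv /v',
    'powershell.exe -WindowStyle Hidden -c "schtasks /create /tn upd /tr C:\\Users\\bob\\AppData\\Roaming\\a.exe /sc minute /mo 1 /f"',
]

# Directories an unprivileged user can write to; a task action there is a weak signal on its own.
USER_WRITABLE = re.compile(r'\\(Users|ProgramData|Temp|AppData)\\', re.IGNORECASE)

def schtasks_options(cmdline):
    """Map each schtasks switch to its value (True for bare switches such as /f)."""
    m = re.search(r'schtasks(?:\.exe)?\s+(.*)', cmdline, re.IGNORECASE)
    if not m:
        return {}
    # Keep quoted paths as one token; strip a quote left over from a PowerShell -c "..." wrapper.
    tokens = re.findall(r'"[^"]*"|\S+', m.group(1).rstrip('"'))
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if key.startswith('/'):
            if nxt is not None and not nxt.startswith('/'):
                opts[key] = nxt.strip('"')
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts

def assess_schtasks(cmdline):
    """List the reasons a command line resembles per-minute scheduled-task persistence."""
    opts = schtasks_options(cmdline)
    if '/create' not in opts:
        return []
    reasons = []
    if str(opts.get('/sc', '')).lower() == 'minute':
        mo = str(opts.get('/mo', '1'))  # schtasks defaults /mo to 1 when omitted
        if mo.isdigit() and int(mo) <= 5:
            reasons.append(f'runs every {mo} minute(s)')
    if opts.get('/f') is True:
        reasons.append('forces overwrite of an existing task (/f)')
    if USER_WRITABLE.search(str(opts.get('/tr', ''))):
        reasons.append('task action lives in a user-writable path')
    if re.search(r'-w(?:indowstyle)?\s+hidden', cmdline, re.IGNORECASE):
        reasons.append('launched from a hidden PowerShell window')
    return reasons
```

Two or more reasons on one command line is a reasonable alerting threshold; a legitimate daily backup task yields none.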

Unsurprisingly, the RAT is also primed for ransomware, creating “an HTML file on the desktop named ‘How to Decrypt My Files.html’ [which] provides instructions on how to contact the attacker, explains what has happened to the files, and specifies the ransom amount required to recover them… All files on the system are encrypted, and their extensions are changed to .ENC, rendering them inaccessible without decryption.”


Cyfirma warns that “Neptune RAT’s arsenal of malicious capabilities – ranging from ransomware and crypto clippers to live desktop monitoring and antivirus disabling – makes it a severe threat… Given its complexity and evolving nature, it poses a significant risk to both individuals and organizations.”

Not only do users need to ensure they’re up to date with all the latest Windows vulnerability fixes, but they also need to run updated security software that monitors for such threats. And if you’re still using Windows 10, don’t let October 14 come and go without securing a solution that maintains those critical security updates.
