Upgraded version of RAT with new TTPs
A Remote Administration Tool (RAT) is software that gives an attacker full remote control over a victim's device. Using a RAT, an attacker can access files, cameras, and other resources remotely, log keystrokes, perform system operations, and more.
A developer named “Arsium” posted a new version of this open-source RAT – EagleMonitorRAT – on GitHub. Additionally, the developer posted a link to the GitHub page of the EagleMonitorRAT to various underground dark web markets. Figure 1 shows one such post by the developer.
According to the developer, the EagleMonitorRAT is written in C# and upgraded from HorusEyesRat, which is Visual Basic .NET-based.
Cyble Research Labs has analyzed the RAT binary and panel to gain insights into the functionalities and impact of the RAT.
While building the solution, various executables and support plugins are compiled, including client builder plugins and an admin panel. Figure 2 shows the compiled binaries and other files.
Additionally, various Dynamic Link Library (DLL) files are also compiled to support operations such as file management, keylogging, etc. Figure 3 shows the support DLL files.
A client builder compiles the client binary that is delivered to victims to compromise a target machine, typically through an initial infection vector such as spam email. The builder has options to specify the server IP address, port, and key. Figure 4 shows the client builder.
EagleMonitorRAT has a server panel for managing victim devices. The panel shows the country, hardware ID, operating system details, username, available RAM, privilege level, region, etc. The panel also offers several management options for performing operations on the infected device.
The Admin panel of EagleMonitorRAT includes operations such as:
- miscellaneous panels
- mass tasks
- memory execution
Figure 5 shows the administration panel of EagleMonitorRAT.
In the recovery option of EagleMonitorRAT, there are three different options – passwords, history, and autofill.
The Recovery option works as an information stealer which extracts usernames, passwords, and browser history. Figure 6 shows stolen information retrieved using the Recovery menu from the victim’s machine.
The Desktop menu option of EagleMonitorRAT has five different suboperations – file manager, process manager, live keylogger, remote desktop, and remote webcam. Refer to Figure 7.
The File Manager menu option of EagleMonitorRAT gives TAs the functionality to manage files in a specific directory of the infected device, as shown below.
The Process Manager menu option shows details of the processes running on the infected device, such as Icon, ID, Name, Window Title, Window Handle, and Is64Bit. Figure 9 shows the Process Manager.
The shellcode injection menu option of EagleMonitorRAT gives attackers the ability to perform shellcode injection remotely on the infected device. Refer to Figure 10.
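Injection of this kind leaves a footprint in endpoint telemetry. The following Python is added here as a defender-side example (it is not code from Cyble or from the RAT project): it classifies constructed Sysmon-style CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) records, flagging a remote thread that starts at an address with no backing module, or a non-allowlisted process that opens another with write, allocate and create-thread rights. The allowlist, file paths and sample events are assumptions to be tuned per environment.

```python
"""Flag Sysmon events consistent with remote shellcode injection.

Added example, not Cyble's analysis code or anything from the RAT project.
Assumes events already parsed into dicts carrying the field names Sysmon
uses for Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess);
the sample events, paths and allowlist below are constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Win32 process access rights an injector needs on the target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes that routinely touch other processes on a Windows host.
# Assumption: this allowlist must be tuned for the environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def _is_allowed(image: str) -> bool:
    return image.lower() in ALLOWED_SOURCES


def classify_event(ev: Dict) -> Optional[str]:
    """Return a reason string if the event looks like injection, else None."""
    eid = ev.get("EventID")
    src = ev.get("SourceImage", "")
    dst = ev.get("TargetImage", "")
    if not src or not dst or src.lower() == dst.lower() or _is_allowed(src):
        return None

    if eid == 8:
        # A remote thread whose start address is not backed by any loaded
        # module is the classic footprint of raw shellcode.
        if not ev.get("StartModule"):
            return f"CreateRemoteThread into {dst} at unbacked address from {src}"
        return f"CreateRemoteThread into {dst} from unexpected process {src}"

    if eid == 10:
        try:
            granted = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            return None
        # Write + allocate + create-thread together are what injection needs.
        if granted & INJECT_MASK == INJECT_MASK:
            return f"{src} opened {dst} with injection rights 0x{granted:X}"
    return None


def hunt(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """Run classify_event over a stream and collect (EventID, reason) hits."""
    hits = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


# Constructed Sysmon-style events for demonstration only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x000001E4A3B20000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for eid, reason in hunt(SAMPLE_EVENTS):
        print(f"[Sysmon EID {eid}] {reason}")
```

Run against the constructed events, the sweep reports two hits for the unsigned updater binary (the handle open with full rights, then the unbacked remote thread) and stays quiet for csrss.exe and for the agent that only queried limited information. In practice the Event ID 10 rule is the noisier of the two and needs the allowlist; the empty StartModule rule rarely fires on benign software.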
The EagleMonitorRAT has a live keylogger functionality to remotely capture the victim system’s keystrokes. Figure 11 shows the keylogger menu operation of the RAT.
The Remote Desktop functionality captures screenshots of the victim system remotely at predefined intervals. Figure 12 shows the captured screen.
This RAT has a menu option to remotely capture the webcam feed of the infected system as well. Figure 13 shows the webcam panel.
The EagleMonitorRAT has miscellaneous menu options to perform other remote operations such as hiding the taskbar, changing wallpapers, sound management, etc., as shown below.
EagleMonitorRAT also has a menu option to discover the network connection and get the CPU information of the infected system. Figure 15 shows the network connection and CPU information.
The RAT panel has a menu option to remotely shut down, reboot, log out, BSOD, lock the workstation, hibernate, and suspend the victim's system. Figure 16 showcases these options.
RATs have steadily become stealthier and more efficient with new techniques in place. Various cybercriminals and Advanced Persistent Threat Groups have leveraged RATs in the past.
Cyble has observed data breaches in high-profile organizations due to such threats. Since EagleMonitor is an open-source RAT, it is possible that threat actors could create and deploy custom variations for future attacks. Organizations and individuals should thus continue to follow industry best cybersecurity practices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to detect and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
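The recommendation to monitor beaconing can be made concrete. The Python below is an added example (not Cyble's tooling or anything from the RAT project) that groups outbound connections by source, destination and port and flags flows whose inter-connection gaps are nearly constant, which is how a RAT polling its server, or a screenshot module firing at a predefined interval, looks on the wire. The log format, addresses (203.0.113.10 and 198.51.100.20 are documentation ranges) and port are constructed; a real deployment would feed it firewall, proxy or Zeek connection records.

```python
"""Spot fixed-interval outbound connections (RAT beaconing) in a connection log.

Added example, not Cyble's analysis code or anything from the RAT project.
The log format, hosts, port and timings are constructed: 203.0.113.10:5555
stands in for an unknown C2 server and 198.51.100.20:443 for ordinary browsing.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# One connection per line: <UTC timestamp> <src ip> <dst ip> <dst port> <bytes out>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<src>[\d.]+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

MIN_CONNECTIONS = 6  # fewer samples say nothing about periodicity
MAX_CV = 0.2         # stdev/mean of the gaps; timer-driven traffic sits well below this


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than abort the sweep
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def find_beacons(lines: Iterable[str]) -> List[Dict]:
    """Group connections per (src, dst, port) and score how regular their gaps are."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation of the gaps
        if cv <= MAX_CV:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(times),
                         "mean_interval": mean, "cv": cv})
    return hits


# Constructed log: a 60-second timer with a little jitter, interleaved with
# irregular browsing and one malformed line.
SAMPLE_LOG = [
    "2023-04-12T10:00:00Z 10.0.0.5 203.0.113.10 5555 812",
    "2023-04-12T10:00:10Z 10.0.0.5 198.51.100.20 443 1520",
    "2023-04-12T10:00:13Z 10.0.0.5 198.51.100.20 443 9870",
    "2023-04-12T10:00:53Z 10.0.0.5 198.51.100.20 443 2210",
    "2023-04-12T10:01:00Z 10.0.0.5 198.51.100.20 443 640",
    "2023-04-12T10:01:01Z 10.0.0.5 203.0.113.10 5555 809",
    "2023-04-12T10:02:00Z 10.0.0.5 203.0.113.10 5555 815",
    "2023-04-12T10:03:00Z 10.0.0.5 198.51.100.20 443 3300",
    "2023-04-12T10:03:02Z 10.0.0.5 203.0.113.10 5555 811",
    "2023-04-12T10:03:09Z 10.0.0.5 198.51.100.20 443 450",
    "2023-04-12T10:03:59Z 10.0.0.5 203.0.113.10 5555 812",
    "2023-04-12T10:05:00Z 10.0.0.5 203.0.113.10 5555 810",
    "2023-04-12T10:06:01Z 10.0.0.5 203.0.113.10 5555 814",
    "2023-04-12T10:07:00Z 10.0.0.5 203.0.113.10 5555 812",
    "2023-04-12T10:07:58Z 10.0.0.5 203.0.113.10 5555 811",
    "2023-04-12T10:09:00Z 10.0.0.5 203.0.113.10 5555 813",
    "2023-04-12T10:10:01Z 10.0.0.5 203.0.113.10 5555 812",
    "2023-04-12T10:11:00Z 10.0.0.5 203.0.113.10 5555 810",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['mean_interval']:.0f}s "
              f"({hit['connections']} connections, cv={hit['cv']:.2f})")
```

On the constructed log the 60-second flow to 203.0.113.10:5555 is reported with a coefficient of variation under 0.03, while the browsing flow to 198.51.100.20:443, whose gaps range from 3 to 120 seconds, scores above 1 and is ignored. The thresholds are deliberately simple; a RAT that randomizes its sleep widely will push the CV up, so in production this check is one signal alongside destination reputation and the near-constant payload sizes the sample also shows.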
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Persistence | T1543 | Create or Modify System Process |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookie |
| Credential Access | T1528 | Steal Application Access Token |
| Collection | T1113 | Screen Capture |
| Collection | T1005 | Data from Local System |
| Discovery | T1518 | Software Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1046 | Network Service Scanning |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
- Eagle Monitor RAT Reborn (x32).exe
- Eagle Monitor Builder.exe