Threat Management, Threat Intelligence, Malware

Saefko RAT peeks at browser histories to help adversaries form optimal attack plan

Researchers have discovered a new remote access trojan that rummages through an infected device's Chrome browser history to determine which websites the user has visited, allowing adversaries to formulate an optimal attack strategy based on that information.

Dubbed Saefko, the RAT looks for at least 70 different websites affiliated with credit cards, at least 26 related to gaming activity, at least 71 pertaining to cryptocurrency value, at least 54 shopping and retail sites, and at least 30 business and finance sites, plus activity on Instagram, Facebook, YouTube, Google+ and Gmail.

The malware also gathers user application data, including details related to the Internet Relay Chat protocol, machine architecture, geographic location of the system, and the number of times the user has visited specific websites (e.g. Instagram and Gmail) or categories of websites (e.g. gaming sites and shopping sites). All of this information is that exfiltrated to the command-and-control server.

Written in .NET, the malware is capable of accessing and exfiltrating sensitive information, keylogging, capturing screenshots, activating the webcam, formatting drives, downloading additional programs, and more, according to Zscaler ThreatLabZ team researchers, who discovered the threat for sale on the dark web.

"One online forum has an ad for a cracked Saefko RAT tool," states an Aug. 8 blog post authored by security researchers Rajdeepsinh Dodia and Priyanka Bhati. "It is a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices."

Saefko contains four individual infection models, Zscaler further explains in its report. For starters, the HTTP Clinet (a likely misspelling of "Client") establishes communications and task requests between the infected machine and the C2 server. The other modules include the keylogger; the IRC Helper, which creates a malicious IRC connection for performing various commands; and the Start USB Service, which downloads the malware onto any connected removable drives, thus allowing Saefko to spread when those drives are plugged into other machines.

"To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source," the blog post concludes. "At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.