Security experts have identified a new Java-based remote access trojan (RAT) known as QuimaRAT, which poses threats to Windows, Linux, and macOS systems. This malware is marketed as a malware-as-a-service (MaaS) and offers various subscription options, ranging from $150 for a month to $1,200 for lifetime access, with intermediate pricing for other durations.
Features and Functionality of QuimaRAT
QuimaRAT is built on a modular framework, which allows its capabilities to be expanded through encrypted plugins, managed via its command-and-control (C2) infrastructure. The malware’s creator offers a builder to produce multiple output formats like JAR, EXE, APP, SH, BAT, and VBS, enabling users to customize the malware for specific environments and delivery methods.
The malware is advertised to operate stealthily on Windows and Linux, with no visible user interface elements. However, on macOS, some features require user-granted administrative permissions. The platform’s website claims it is intended for legitimate security research and warns against illegal use.
QuimaRAT Tools and Delivery Mechanisms
QuimaRAT includes four main tools: Quima Control, Quima Builder, Quima Loader, and Quima Dropper. The Quima Loader is particularly significant as it enables the upload of an EXE file, selecting a delivery format and landing page template to generate a stager link. Once accessed by the victim, the malware payload is executed while bypassing Windows’ SmartScreen.
The malware suite is developed as a modular Java project, with embedded native libraries for various operating systems. It uses these components to interact with operating system APIs, supporting wide multi-platform deployment. A lock file mechanism ensures only one instance runs at a time.
Persistence and Command Capabilities
QuimaRAT employs several methods for persistence, such as Registry Run keys and Scheduled tasks on Windows, autostart entries on Linux, and LaunchAgent plist files on macOS. It features a C2 host update mechanism via Pastebin, allowing dynamic infrastructure changes without modifying the payload.
The RAT supports remote command execution, payload delivery, credential theft, and more, providing attackers with extensive control over infected systems. It also enables fileless shellcode execution on Windows and maintains communication with C2 servers through robust recovery mechanisms.
Overall, QuimaRAT presents a significant threat due to its modular design and cross-platform compatibility, offering a persistent and adaptable tool for cybercriminals. Security researchers highlight its advanced obfuscation techniques and dynamic capabilities, underscoring the need for vigilant cybersecurity practices.
