Cyber Web Spider Blog – News
kkRAT Employs Network Communication Protocol to Steal Clipboard Contents

Posted on September 11, 2025 by CWS

In early May 2025, cybersecurity researchers began tracking a novel Remote Access Trojan (RAT) targeting Chinese-speaking users through phishing sites hosted on GitHub Pages.

Disguised as legitimate installers for popular applications, the initial ZIP archives contained malicious executables engineered to bypass sandbox and virtual machine defenses.

Once executed, the first-stage shellcode performs timing consistency analysis using QueryPerformanceCounter and examines the hardware configuration (disk space and CPU cores) to identify analysis environments, terminating if anything looks suspicious.

Attack chain (Source – Zscaler)

This meticulous evasion strategy ensures that kkRAT rarely triggers alerts during automated detonation.

Over the following stages, kkRAT deploys advanced anti-analysis techniques, dynamically resolving Windows API functions via single-byte XOR obfuscation and decrypting subsequent shellcodes with simple XOR transforms.

In the second stage, the malware unloads and disables network adapters to sever AV/EDR communications, enumerates processes associated with Chinese security vendors, and employs a vulnerable driver (RTCore64.sys) to remove registered callbacks from kernel-mode defenses.

Zscaler analysts noted that kkRAT even alters registry values for 360 Total Security to disable its network checks and schedules tasks under SYSTEM privileges to repeatedly kill security processes upon user logon.

By the third stage, kkRAT retrieves a heavily obfuscated shellcode named 2025.bin from hardcoded URLs, decodes Base64-encoded instructions in output.log, and selects download URLs based on the victim process's filename.

The extracted archives contain legitimate executables that sideload malicious DLLs; these DLLs decrypt the final payload, kkRAT itself, using a six-byte XOR key at offset 0xD3000.

Zscaler researchers identified this same sideloading technique being used to deploy several RAT variants, including ValleyRAT and FatalRAT, but the newly discovered kkRAT blends features from both Ghost RAT and Big Bad Wolf.

In operation, kkRAT establishes a TCP connection to its command-and-control server, compresses data via zlib, and applies an additional XOR-based encryption layer.

Phishing page impersonating DingTalk (Source – Zscaler)

A sample Python snippet used to decrypt captured traffic demonstrates this two-phase process:

import zlib

def decrypt_packet(data, key):
    # strip the single-byte XOR layer, then inflate the zlib stream
    compressed = bytes(b ^ key for b in data)
    return zlib.decompress(compressed)
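The snippet above assumes the analyst already knows the XOR key. The following is an added example, not code from the Zscaler report or from kkRAT, that builds a packet the way the article describes (zlib compression followed by an XOR layer), reverses it, and recovers the key from captured bytes by checking each candidate against the zlib header before trying to inflate. The single-byte form of the key is an assumption carried over from the article's snippet; the sample plaintext, key and field names are constructed.

```python
import zlib

# Added example, not code from the Zscaler report or from kkRAT: the C2 packet
# layering described above (zlib compression, then an XOR layer) built and
# reversed, plus a key-recovery check for captured traffic. The single-byte
# form of the XOR key is an assumption taken from the article's own snippet;
# the sample plaintext and key are constructed.

def encode_packet(plaintext: bytes, key: int) -> bytes:
    """Compress with zlib, then apply the single-byte XOR layer (sender side)."""
    return bytes(b ^ key for b in zlib.compress(plaintext))

def decrypt_packet(data: bytes, key: int) -> bytes:
    """Strip the XOR layer, then inflate (the two-phase decrypt)."""
    return zlib.decompress(bytes(b ^ key for b in data))

def recover_key(data: bytes):
    """Brute-force the 256 candidate single-byte keys over captured bytes.

    A zlib stream opens with a CMF byte whose low nibble is 8 (deflate) and a
    FLG byte chosen so that CMF*256+FLG is a multiple of 31 (RFC 1950), so most
    wrong keys fail on the first two bytes; a survivor must also inflate
    without error. Returns (key, plaintext) or (None, None) if no key works.
    """
    if len(data) < 2:
        return None, None
    for key in range(256):
        cmf, flg = data[0] ^ key, data[1] ^ key
        if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31 != 0:
            continue
        try:
            return key, zlib.decompress(bytes(b ^ key for b in data))
        except zlib.error:
            continue
    return None, None

# Constructed sample: a registration-style record of the kind kkRAT is said to
# send after startup, encoded with a constructed key. Field names are invented.
SAMPLE_PLAINTEXT = b"REGISTRATIONINFO|os=Windows 10|cpu_mhz=3400|mem_mb=16384|av=none"
SAMPLE_KEY = 0x5A
SAMPLE_PACKET = encode_packet(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = recover_key(SAMPLE_PACKET)
    print(f"recovered key 0x{key:02X}: {plaintext!r}")
```

The header check is what makes this practical on a packet capture: because the XOR key is applied uniformly, the first two plaintext bytes must still satisfy the zlib CMF/FLG relationship, which eliminates almost every wrong key before any inflation is attempted. If the real protocol used a longer repeating key, the same check would apply to the first two key bytes only, and the remaining bytes would have to be recovered from the decompressed output instead.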

Infection Mechanism

Upon execution of the sideloaded DLL, kkRAT reads its encrypted configuration (C2 IP, port, version, and group identifier) and constructs a REGISTRATIONINFO struct containing detailed device fingerprints such as OS version, CPU frequency, memory size, installed antivirus signatures, and the presence of messaging applications.

This thorough profile allows attackers to prioritize high-value targets. Uniquely, kkRAT inspects the clipboard for cryptocurrency wallet addresses (Bitcoin, Ethereum, Tether) and replaces them with attacker-controlled addresses via the 0x4D command, a tactic designed to hijack transactions silently.

Once persistence is established through startup folder shortcuts or registry run keys, kkRAT remains resident, awaiting further instructions to load plugins, which range from remote desktop management to process termination, and relaying network traffic through Go-based SOCKS5 proxies.

Through its layered encryption, sophisticated anti-analysis checks, and financial theft capabilities, kkRAT represents a significant evolution in commodity RAT toolkits, underscoring the persistent threat of supply-chain-style malware delivery.
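The clipboard substitution described above leaves a recognisable trace: a wallet address is copied, then the clipboard content becomes a different address of the same kind a moment later. The following is an added example, not code from the Zscaler report or from kkRAT, showing how a clipboard monitor could classify clipboard text by address type and flag that pattern. The event log is constructed (timestamps, owner process names and the "attacker" address are placeholders); on Windows a real monitor would build such a log from WM_CLIPBOARDUPDATE notifications and GetClipboardOwner().

```python
import re

# Added example, not code from the Zscaler report or from kkRAT: classify
# clipboard text as a cryptocurrency address and flag the substitution
# pattern described above, where a copied address is overwritten by a
# different address of the same kind moments later. The clipboard event
# log below is constructed.

ADDRESS_PATTERNS = {
    # Legacy (1.../3...) Base58 addresses and bech32 (bc1...) addresses
    "bitcoin": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    # Tether on TRON (TRC20) uses Base58 addresses starting with 'T'
    "tether_trc20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def classify(text):
    """Return the address kind for clipboard text, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_swaps(events, window_seconds=2.0):
    """Scan clipboard events, each (timestamp, owner_process, text).

    An alert is raised when an address is replaced by a *different* address
    of the same kind within window_seconds: a user rarely copies two wallet
    addresses back to back, but a clipboard hijacker rewrites the value as
    soon as it sees one.
    """
    alerts = []
    previous = None  # (timestamp, kind, text)
    for ts, owner, text in events:
        kind = classify(text)
        if kind is None:
            previous = None
            continue
        if previous is not None:
            prev_ts, prev_kind, prev_text = previous
            if prev_kind == kind and prev_text != text and ts - prev_ts <= window_seconds:
                alerts.append({
                    "timestamp": ts,
                    "kind": kind,
                    "original": prev_text,
                    "replacement": text,
                    "owner": owner,   # process that last wrote the clipboard
                })
        previous = (ts, kind, text)
    return alerts

# Constructed sample data: the "attacker" address is a syntactically valid
# placeholder, not a real wallet, and the process names are invented.
BTC_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_SWAPPED = "1Attacker" + "X" * 25
ETH_USER = "0x" + "a" * 40
ETH_LATER = "0x" + "b" * 40

SAMPLE_EVENTS = [
    (0.0, "notepad.exe", "meeting notes"),
    (1.0, "browser.exe", BTC_USER),
    (1.2, "unknown.exe", BTC_SWAPPED),   # rewritten 200 ms later: alert
    (10.0, "browser.exe", ETH_USER),
    (45.0, "browser.exe", ETH_LATER),    # 35 s apart: normal user activity
    (46.0, "browser.exe", "plain text"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The time window is the key heuristic: the hijacker has to rewrite the clipboard before the user pastes, so the swap lands within a fraction of a second of the original copy, while a person copying two addresses of the same kind takes far longer. Recording the clipboard owner in the alert gives the responder the process to look at first.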

