DeedRAT: Unpacking a Modern Backdoor's Playbook

Jan. 2, 2026, 11:02 a.m.

Description

DeedRAT is a sophisticated backdoor associated with the Chinese APT group Salt Typhoon, targeting critical sectors globally. It infiltrates systems through phishing campaigns, utilizing DLL sideloading to evade detection. The malware establishes persistence via registry run keys and service creation, ensuring long-term access. DeedRAT's capabilities include file manipulation, system reconnaissance, and payload execution. The infection chain involves three files: a legitimate executable, a malicious DLL, and an encrypted file. Once installed, it attempts to connect to its command-and-control server. Defensive measures include monitoring email traffic, registry changes, and anomalous service creations.
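The description names two persistence mechanisms (registry Run keys and service creation) and lists registry changes and anomalous service creations among the things to monitor. As an added, defender-side example that is not part of this record or its source reporting, the Python below applies those two checks to constructed Windows event records. The field names follow Sysmon Event ID 13 (registry value set) and the System log's Event ID 7045 (service installed); every path, service name, SID and value in the sample events is constructed for illustration and is not a DeedRAT artefact, and the "service binary outside the usual Windows roots" test is an assumed heuristic, not something the record specifies.

```python
import re
from typing import Dict, List, Tuple

# Matches a value written under the per-user or machine-wide Run / RunOnce keys.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Heuristic (assumption, not from the record): service binaries normally live
# under these roots; a new service whose image sits elsewhere is flagged for triage.
TRUSTED_SERVICE_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events (all values invented for this example).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # Sysmon 13: Run key value set under a user hive -> should be flagged
        "source": "Sysmon", "event_id": 13,
        "Image": "C:\\Users\\Public\\Libraries\\svc\\legit.exe",
        "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\Libraries\\svc\\legit.exe",
    },
    {   # Sysmon 13: unrelated Explorer setting -> not a Run key, ignored
        "source": "Sysmon", "event_id": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # System 7045: service binary under ProgramData -> outside trusted roots, flagged
        "source": "System", "event_id": 7045,
        "ServiceName": "WinSvcUpdate",
        "ImagePath": "\"C:\\ProgramData\\svc\\legit.exe\" -run",
        "StartType": "auto start",
    },
    {   # System 7045: svchost-hosted service under System32 -> trusted root, ignored
        "source": "System", "event_id": 7045,
        "ServiceName": "ExampleHostedSvc",
        "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
        "StartType": "auto start",
    },
]


def evaluate(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events that match either persistence check."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("event_id")
        if src == "Sysmon" and eid == 13:
            target = str(ev.get("TargetObject", ""))
            if RUN_KEY_RE.search(target):
                findings.append(("run_key_persistence",
                                 f"{target} -> {ev.get('Details', '')}"))
        elif src == "System" and eid == 7045:
            # Strip quoting before the root comparison; arguments after the
            # binary do not affect the prefix test.
            image = str(ev.get("ImagePath", "")).strip().strip('"').lower()
            if not image.startswith(TRUSTED_SERVICE_ROOTS):
                findings.append(("anomalous_service_creation",
                                 f"{ev.get('ServiceName', '')} -> {ev.get('ImagePath', '')}"))
    return findings


if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Both rules are deliberately noisy: legitimate installers also write Run keys and register services, so the output is a triage queue, not a verdict. Pairing each hit with the executable's signature status and the presence of a non-signed DLL beside it would be the natural next filter, given the record's mention of DLL sideloading.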

Date

  • Created: Dec. 31, 2025, 10:59 p.m.
  • Published: Dec. 31, 2025, 10:59 p.m.
  • Modified: Jan. 2, 2026, 11:02 a.m.

Indicators

  • 99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106
  • e356dbd3bd62c19fa3ff8943fc73a4fab01a6446f989318b7da4abf48d565af2
  • 2d9107edad9f674f6ca1707d56619a355227a661163f18b5794326d4f81a2803
  • 52f489d47618db8dfb503d6da98cbd76d08b063cc7ce0aac02b03601b6cae6a1

Attack Patterns

Additional Information

  • Telecommunications
  • Government
  • luckybear669.kozow.com
  • South Africa