The RAT race: What happens when RATs go undetected
Dec. 2, 2024, 12:48 p.m.
Description
This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email containing an exploit for CVE-2024-38213, which bypasses the Windows Mark of the Web (MotW) security feature. The malware uses WebDAV directories and Cloudflare's free tunnel service to host and execute several RATs, including DcRAT, AsyncRAT, and XWorm, as well as the PureLog Stealer. The payloads are delivered through obfuscated batch files and compiled Python scripts, using memory-only execution techniques to evade detection. The attackers operate multiple C2 domains registered through the DuckDNS service, resolving to IP addresses in the U.S. The analysis highlights the importance of early threat detection in preventing a potential ransomware deployment or data exfiltration.
Tags
Date
- Created: Nov. 30, 2024, 6:27 a.m.
- Published: Nov. 30, 2024, 6:27 a.m.
- Modified: Dec. 2, 2024, 12:48 p.m.
Attack Patterns
- PureLog Stealer
- DcRAT
- XWorm
- AsyncRAT
- T1036.002
- T1102.002
- T1036.004
- T1059.005
- T1553.005
- T1059.001
- T1547.001
- T1071.001
- T1204.002
- T1573
- T1105
- T1566.001
- T1219
- T1140
- T1027
- T1078