In March 2023, we have observed a new APT malware used by an unknown APT actor in several Japanese companies. The malware is a modular remote access trojan (RAT) like PlugX or ShadowPad which have been shared among China-based APT actors and used in various campaigns. We named this malware “RatelS” based on the strings contained in the file path and window title.
RatelS has 11 malicious modules, including command execution, file manipulation, and keylogging, which can be dynamically loaded and unloaded in response to commands from the C2 server. Also, this RAT has two communication capabilities with different directions: Reverse mode and Listen mode. The former callbacks from the infected host to the C2 server, while the latter opens a port and listens for connections. The C2 communication is performed via TCP, TLS, HTTP, or HTTPS.
During the investigation of RatelS incident, we discovered a builder and controller that can build RatelS by simply selection options and remotely operate infected machines. It is notable that RatelS has some similarities with PlugX in its implemented features and code, and moreover this actor also utilized PlugX with P2P communication functionality in the campaign. This suggests the possibility that RatelS is a successor to PlugX.
In this presentation, we are going to share technical details on the analysis result of new malware RatelS, the similarities with PlugX, and the methods to detect and response the malware activity for future prevention. This includes the demonstration of RatelS C2 operation using the builder and controller. In addition to that, we will indicate attribution of APT actors using RatelS based on other similar malware.