OZH RAT - New .NET malware
Introducing a new remote access tool (RAT) I recently discovered.

Tweet (28 May 2020):

"Filenames include 'OzhSecSys.exe' or 'system.exe'. Interestingly, the IP address used to host the OZH RAT domain (185[.]176.43[.]94) is used in prior #Konni attack campaigns, but is not thought to be connected to the North Korean APT. #OZHRAT IOCs: https://t.co/B5KNjQBWUX" — Will | BushidoToken (@BushidoToken), May 28, 2020

Malpedia link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat

IOCs in my OTX feed for this threat have been attached here.

More info: Florian Roth's THOR APT Scanner picked it up early on.

[Image: THOR APT Scanner detection]

Windows Forms & System Configuration checks:

[Image: Windows Forms and System Configuration checks]

OZH RAT is a new malware as far as I can tell. I would be very much interested if another security researcher is able to investigate or share samples of OZH RAT for further malware analysis.

Updated - 2nd June 2020: I recently discovered the OZH RAT #crimeware website, which is written in Turkish. The #malware has an exceptionally ...