OZH RAT - New .NET malware



Introducing a new remote access tool (RAT) I recently discovered:


IOCs in my OTX feed for this threat have been attached here.

More info:


Florian Roth's THOR APT Scanner picked it up early on:

Windows Forms & System Configuration checks:



OZH RAT is a new malware as far as I can tell. I would be very much interested if another security researcher is able to investigate or share samples of OZH RAT for further malware analysis.

Updated - 2nd June 2020:

The key features of the OZH RAT from the website include: 
- Live Screen Monitoring
- Command-line access (cmd, PowerShell) 
- Lock computer screen 
- Shutdown/Reboot 
- Message Alert box
- Find geo-location
- Clone system 
- Control Panel notification when the infected device is turned on
- FTP communication

YARA:

Popular posts from this blog

Deep-dive: The DarkHotel APT

Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

My first year in Cyber Threat Intelligence