OZH RAT - New .NET malware

Introducing a new remote access tool (RAT) I recently discovered:

IOCs in my OTX feed for this threat have been attached here.

More info:

Florian Roth's THOR APT Scanner picked it up early on:

Windows Forms & System Configuration checks:

OZH RAT is new malware as far as I can tell. I would be very much interested if another security researcher is able to investigate or share samples of OZH RAT for further malware analysis.

Updated - 2nd June 2020:

The key features of the OZH RAT from the website include: 
- Live Screen Monitoring
- Command-line access (cmd, PowerShell) 
- Lock computer screen 
- Shutdown/Reboot 
- Message Alert box
- Find geo-location
- Clone system 
- Control Panel notification when the infected device is turned on
- FTP communication

