Silver RAT Malware Uses Advanced AV Bypass Methods to Carry Out Malicious Actions

Silver RAT, a remote access trojan (RAT) written in C#, has emerged as a potent threat in the cybercrime ecosystem, leveraging sophisticated techniques to evade antivirus (AV) detection and facilitate a broad range of malicious activities.

Initially surfacing in November 2023, the malware was developed and propagated by a threat actor dubbed ‘noradlb1’, who maintains a high profile across several underground forums, including XSS, Darkforum, and TurkHackTeam.

Silver RAT’s adoption has accelerated, particularly following its leak on Telegram and GitHub, making its advanced features accessible to a wider base of cybercriminals.

Technical Capabilities

Silver RAT v1.0 is exclusively Windows-based but is slated to expand into Android platforms, as suggested by recent announcements from its developers.

The RAT’s builder enables attackers to craft customized payloads, with a maximum file size of 50KB, comprising options for AV bypass, keylogging, ransomware-based encryption, and the disabling of system restore points.

Its core evasion strategies include the ability to exclude itself from Windows Defender, delay execution post-installation, and obfuscate its processes under user-defined names, making detection and analysis substantially more challenging.
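A defender-side check for the Defender self-exclusion described above, added here as an example and not code from the report or from the malware: it parses Event ID 5007 configuration-change messages from the Microsoft-Windows-Windows Defender/Operational log and flags newly added exclusions that point at user-writable locations. The event messages, user name and file paths are constructed samples.

```python
"""Flag Windows Defender exclusion additions of the kind a self-excluding RAT creates.
Defender logs configuration changes as Event ID 5007 (Microsoft-Windows-Windows
Defender/Operational); the changed registry value is carried in the message text."""
import re
from dataclasses import dataclass

EXC = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
# Constructed (event_id, message) samples in the 5007 shape; paths are hypothetical.
SAMPLE_EVENTS = [
    (5007, rf"Configuration has changed. Old value:  New value: {EXC}\Paths\C:\Users\alice\AppData\Roaming\svchost.exe = 0x0"),
    (5007, rf"Configuration has changed. Old value:  New value: {EXC}\Processes\C:\Users\alice\AppData\Local\Temp\update.exe = 0x0"),
    (5007, rf"Configuration has changed. Old value:  New value: {EXC}\Paths\C:\Program Files\Backup\ = 0x0"),
    # An exclusion being removed carries only an Old value and must not be flagged.
    (5007, rf"Configuration has changed. Old value: {EXC}\Paths\C:\Users\alice\Downloads\ = 0x0 New value: "),
    (1116, "Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

EXCLUSION_RE = re.compile(
    r"New value:\s*" + re.escape(EXC) + r"\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x[0-9A-Fa-f]+",
    re.IGNORECASE)
# Locations an unprivileged user (or a dropped payload) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)

@dataclass
class ExclusionChange:
    kind: str         # Paths, Processes or Extensions
    target: str       # the excluded path, process image or extension
    suspicious: bool  # True when the target is user-writable or a whole extension

def parse_exclusion_changes(events):
    """Return every exclusion added in the given (event_id, message) events."""
    findings = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        match = EXCLUSION_RE.search(message)
        if match is None:  # another setting changed, or an exclusion was removed
            continue
        kind, target = match.group(1), match.group(2)
        # A whole-extension exclusion or a user-writable directory/image is the
        # pattern a payload excluding itself produces; rank those first.
        suspicious = kind.lower() == "extensions" or bool(USER_WRITABLE_RE.search(target))
        findings.append(ExclusionChange(kind, target, suspicious))
    return findings

def suspicious_targets(events):
    """Convenience view: only the excluded targets worth a human look, in log order."""
    return [f.target for f in parse_exclusion_changes(events) if f.suspicious]
```

On a live host the same messages can be pulled with Get-WinEvent from the Defender Operational channel and fed to parse_exclusion_changes as (Id, Message) pairs.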

Figure: initial prompt

The payload is delivered via a .NET executable, typically through social engineering vectors.

Upon execution, the malware requests administrative privileges, momentarily displays a CMD window, and establishes a reverse connection with the attacker’s command-and-control (C2) panel.

The control interface enables threat actors to manage infected systems, exfiltrate data, manipulate files and registry keys, and even control victim browsers and applications covertly.

Notably, the builder incorporates boolean flags such as ‘RuntimeProcessCheckerProtection’ and ‘KillDebuggerProtection’ to detect and terminate analysis or debugging environments, thereby fortifying the malware against reverse engineering and sandbox detonation.

The RAT also maintains a blacklist of known forensic and sandboxing tool processes, terminating execution if any are detected on the target system.

Threat Actor Activity

Silver RAT’s developers, operating under the broader collective ‘Anonymous Arabic’, have expanded their operations by running Telegram channels boasting over 1,700 combined members.

According to the Cyfirma report, they actively market cracked RATs, leaked databases, and carding services, and offer social media automation tools to amplify their outreach.

The ease of access to Silver RAT v1.0, now freely available on Telegram, underground forums, and GitHub, has significantly lowered the barrier to entry for cybercriminals.

Figure: SilverClient.exe properties

Financial transactions linked to the threat actors exhibit a diverse portfolio of wallets, with over $2,200 USD in transfers in late December 2023 alone, spanning cryptocurrencies like Bitcoin, Ethereum, and USDT (Tether).

Attribution efforts link the core developer to Damascus, Syria, and suggest a history of involvement in gaming cheats and other forms of digital manipulation.

Silver RAT’s rapid proliferation, coupled with its developer’s intent to release multi-platform (Windows and Android) payloads, underscores a growing risk for both individuals and organizations.

The malware’s free availability, combined with detailed operational guidance, suggests a potential uptick in RAT-driven campaigns leveraging its stealth and destructive capabilities.

Organizations are urged to adopt rigorous endpoint detection and response (EDR), behavioral analytics, regular patching, and comprehensive security awareness training to counter this evolving threat.

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
