New GodRAT Trojan Targets Financial Trading Firms with Steganography and Gh0st RAT Code

A newly uncovered malware campaign is targeting financial institutions, particularly trading and brokerage firms, with a previously unknown Remote Access Trojan (RAT) named GodRAT.

Malware Delivered Through Disguised Files

According to a technical report by Kaspersky researcher Saurabh Sharma, attackers are distributing malicious .SCR (screensaver) files, disguised as financial documents, via Skype Messenger. These screensaver files serve as the delivery mechanism for the trojan.

Use of Steganography for Concealment

The campaign employs steganography, in this case hiding shellcode inside image files. Once executed, the shellcode embedded within the images downloads GodRAT from a command-and-control (C2) server. Evidence shows that the activity has been ongoing since at least September 2024, with infections reported across Hong Kong, UAE, Lebanon, Malaysia, and Jordan.

Based on Gh0st RAT Legacy Code

GodRAT appears to be derived from Gh0st RAT, a well-known malware whose source code was leaked in 2008. Its modular, plugin-based architecture allows attackers to:

  • Exfiltrate sensitive system data
  • Deploy secondary payloads like AsyncRAT
  • Steal browser credentials from Google Chrome and Microsoft Edge

Researchers believe this campaign may be linked to APT41 (Winnti), a prolific Chinese state-sponsored group, and builds upon a 2023 backdoor called AwesomePuppet, also Gh0st RAT–based.

Technical Breakdown of the Infection

The infected .SCR files act as self-extracting executables. They sideload a malicious DLL via a legitimate binary, and that DLL extracts hidden shellcode from a .JPG file. This paves the way for GodRAT to establish persistence and communicate with its C2 infrastructure over TCP.
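The steganography section above and this infection chain both hinge on an image file that carries shellcode. The article does not say how GodRAT's shellcode is embedded, so the following is an added triage check (not Kaspersky's tooling or anything from the report) that assumes one common approach: extra bytes appended after the JPEG End-Of-Image marker. It walks the JPEG marker structure, finds where the image really ends, and reports any trailing data; the sample images are constructed inline.

```python
"""Triage check: flag JPEG files that carry data after the End-Of-Image (EOI) marker.

Added example, not from the GodRAT report. Assumption: the hidden payload is
appended after EOI, which is one common way to hide data in an image while it
still opens normally in a viewer. Other embedding methods are not detected here.
"""
import struct
from typing import Optional

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data until a real marker (not FF00 stuffing, not RSTn)."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                return pos
        pos += 1
    return len(data)


def jpeg_eoi_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if the data is not a parseable JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here; treat as malformed
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI found
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        pos += 2 + seg_len
        if marker == 0xDA:  # Start Of Scan: compressed pixel data follows the header
            pos = _skip_entropy_coded(data, pos)
    return None


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Bytes after EOI (b'' when the file ends cleanly), or None if not a valid JPEG."""
    end = jpeg_eoi_offset(data)
    if end is None:
        return None
    return data[end:]


def classify(data: bytes) -> str:
    """Human-readable verdict for one file's contents."""
    tail = trailing_payload(data)
    if tail is None:
        return "not-jpeg-or-malformed"
    return f"suspicious: {len(tail)} bytes after EOI" if tail else "clean"


def _minimal_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0 segment, a tiny SOS scan with a stuffed FF00, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"  # FF00 is byte stuffing, not a marker
    return SOI + app0 + sos + entropy + EOI


# Constructed samples: a clean image and the same image with filler appended after EOI.
CLEAN_JPEG = _minimal_jpeg()
SUSPICIOUS_JPEG = CLEAN_JPEG + b"\x90" * 32 + b"constructed-shellcode-placeholder"

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("invoice.jpg", SUSPICIOUS_JPEG)):
        print(f"{name}: {classify(blob)}")
```

Run it over a directory of images pulled from a suspect archive and anything reporting bytes after EOI deserves a closer look; a clean verdict only rules out this one hiding technique, since a payload placed inside an APP segment or the scan data itself would pass this check.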

Once active, the malware is capable of:

  • Gathering system and antivirus information
  • Injecting plugin DLLs into memory
  • Downloading and executing files from attacker-controlled URLs
  • Opening URLs through Internet Explorer for additional payload delivery

One of the plugins, FileManager DLL, enables attackers to browse the file system, manipulate files, and run targeted searches, significantly increasing the impact of the compromise.

Builder and Customization Options

Interestingly, researchers also discovered the full source code for GodRAT on VirusTotal (July 2024). The malware builder gives attackers flexibility, allowing them to inject code into common binaries such as svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe, and QQScLauncher.exe. Final payloads can be saved under multiple file types: .exe, .com, .bat, .scr, and .pif.

Long-Standing Code, Modern Threats

Kaspersky highlights that despite being almost two decades old, Gh0st RAT continues to serve as the foundation for new malware families. Its adaptability makes it a preferred tool for advanced threat actors, demonstrating how legacy malware frameworks remain a persistent threat in today’s cybersecurity landscape.

Source: https://thehackernews.com/2025/08/new-godrat-trojan-targets-trading-firms.html