According to a post published on AlienVault’s blog, the RAT does share some commonalities with njrat:
“Like njrat, the infected victims of KilerRat when connecting to the C&C will send information about the victim system, malware version, open windows, etc.,” writes AlienVault researcher Peter Ewane. “This information check-in is extremely similar to that of many of the njrat variants.”
Where KilerRat distinguishes itself, however, is in its range of capabilities, and that versatility is quickly making the tool popular within the Middle Eastern hacking world.
From the Command and Control (C&C) server, for example, an operator can issue the following commands, among others:
- File Manager – Allows the attacker to edit, create, delete, copy, or download new files/folders.
- Remote Desktop – Allows the attacker to begin a Remote Desktop session.
- Get Passwords – Allows the attacker to save passwords that have been stored in several browsers.
- Send Msgbox From Link – Allows the attacker to provide a link to a file and execute it on the infected machine.
- Format System: Open/Block Website – Allows an attacker to open or block a website of their choosing.
- DDoS Attack – Allows the attacker to perform a DDoS attack according to specifications of their choosing.
Though it is based upon njrat, many anti-virus companies appear – at the time of writing – to be doing a poor job of identifying the malware.
Ewane does point out, however, that using YARA rules for njrat as well as a signature-based IDS tool could reveal a KilerRat infection more consistently.
As noted by Softpedia, one of the most interesting features of this RAT is not anything malicious but instead the fact that the malware’s author provides a link in the tool’s “About” section to a Facebook profile.
The Facebook profile gives the author’s name as “Ahmed Ibrahim”.
Most of the comments on Ibrahim’s Facebook posts thank the hacker for producing KilerRat or ask that additional features be included.
A closer look at his posts reveals that Ibrahim released KilerRat version 4.0.1 (the latest detected) on October 30, version 3.1.6 on October 23, and version 2.9.6 on October 18. It also appears that Ibrahim might be working on a new tool called the Wedges Worm.
When it comes to new tools and exploits, bravado is never hard to find in the hacking world. Perhaps Ibrahim’s decision to post his Facebook profile will come back to bite him in the end.
In the meantime, please install a security solution and never click on suspicious links.