Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that’s capable of targeting Windows, Linux, and macOS environments.
According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months.
“Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure,” the cybersecurity company said in an analysis of the malware.
The malware author also advertises a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS, indicating an attempt to help prospective customers package the client tailored for different environments and delivery scenarios.
The seller’s post guarantees complete stealth on Windows and Linux, noting there are no visible user interface elements or desktop entries. On macOS, however, the threat actor includes a caveat that certain features like screen capture and input control require “user-granted admin permissions.”
Visiting their website, users are greeted by a pop-up message that states the platform “provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments,” warning them against using it for “malicious, unauthorized, or illegal purposes.”
In all, the threat actor offers four tools –
- Quima Control (aka QuimaRAT), a remote administration tool with 74 Windows and 46 macOS and Linux modules
- Quima Builder, a modular builder and launcher toolkit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats
- Quima Loader, a browser-cache payload delivery service to stage and deliver the malware payload
- Quima Dropper, an HTML/SVG payload generator
Quima Loader, particularly, is noteworthy, as it allows an operator to upload an EXE file through a dedicated panel and select a delivery format (e.g., HTA or LNK) and a landing page template (e.g., fake CAPTCHA check or software update alerts), after which the tool generates a stager link that, when opened by the victim in the browser, initiates the following sequence of actions, per the malware developer –
- The landing page is loaded, and the payload is fetched and held in the browser cache.
- A Download button appears on the page.
- Clicking it saves a “small, clean loader file” that’s trusted by the browser.
- Target runs the loader, which reads the cached payload.
- The main payload gets executed on the system, while bypassing SmartScreen protections on Windows.
“A RAT, a builder suite, a web loader, and an HTML dropper — each built around what Windows already trusts,” the author…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
