RATicate Group Hits Industrial Firms With Revolving Payloads

RATicate malware group

A new threat group uses NSIS as an installer to target industrial companies with revolving payloads, including LokiBot, FormBook, BetaBot, Agent Tesla and Netwire.

Researchers have unearthed a new cybercrime group, RATicate, which is behind several waves of malspam attacks targeting industrial companies with various information-stealing payloads – from LokiBot to Agent Tesla.

At least six separate campaigns have been tied to RATicate, with the first wave starting November and the most recent spotted in March. All campaigns leveraged Nullsoft Scriptable Install System (NSIS), a legitimate, open-source tool used to create Windows installers, to ultimately drop various remote access trojans (RATs) on victims’ systems.

More recently, “a new campaign we believe connected to the same actors leverages concern about the global COVID-19 pandemic to convince victims to open the payloads,” said Markel Picado, threat researcher with SophosLabs, in a Thursday analysis. “This is a shift in tactics, but we suspect that this group constantly changes the way they deploy malware — and that the group has conducted campaigns prior to this past November.”

RATicate (a combination of “RAT” and “syndicate”) has specifically targeted industrial firms in Europe, the Middle East and the Republic of Korea with malspam emails. The lures have varied, with some purporting to concern balance payments and asking victims to check the attached bank confirmation; and more recent ones leveraging coronavirus concerns.

NSIS Installer

Once a victim opens the attached document (which varies between campaigns and included .ZIP, .IMG, .UDF, .RTF and .XLS files), the campaign then made use of an NSIS installer. The open-source tool for creating Windows installers, designed for internet-based software distribution, is backed by Nullsoft, the creators of Winamp. It has long been abused by bad actors to disguise and deploy malware.

NSIS installers utilize a plugin architecture, which allows them to communicate with various software components (including Windows OS components, which are deployed as Windows DLL files). These plugins then provide various capabilities, including killing processes, executing command line-based programs, dynamically decompressing files or loading a DLL and calling to its exports. The latter is utilized in this campaign — the NSIS installers all use a System.dll plugin, which then allows attackers to load a DLL and call its exported functions.

Researchers said the installers used in these particular campaigns caught their attention because they all dropped the same set of ‘junk files’ (files that are never actually used by the installed malware), presumably as an anti-analysis method.

“We’ve seen the tactic of packing NSIS installers with garbage files to conceal malware in the past; the junk files are intended to confuse analysts and create ‘noise’ during sandbox analysis,” said researchers.

Once called by the installers, the malicious DLL then acts as the loader – it is used to begin decryption of the malicious payload, and then finally to inject malicious payloads into memory while the NSIS layer drops the junk files.

Revolving Payloads

Researchers said that the payloads of the installers they examined vary: “During analysis of the samples we collected — conducted both manually and with the aid of sandboxing tools — we found several different families of RATs and infostealers,” they said.


The campaigns seem interconnected — click to enlarge.

These payloads include Lokibot, an infostealer that lifts a variety of credentials from the user’s system — including FTP credentials, stored email passwords, passwords stored in the browser and others; BetaBot, which has been described as  rootkit-based financial malware; and Formbook, a browser form-stealer and keylogger first discovered in 2016.

Also dropped in the campaigns is Agent Tesla, a spyware with capabilities to extract credentials, copy clipboard data, perform screen captures, form-grabbing and keylogging functionality, and collect credentials for a variety of installed applications; and Netwire, a RAT focused on stealing credential information, logging keystrokes and stealing hardware information.

Based on RATicate’s behavior, researchers said they’re unsure of whether the group is focused on corporate espionage or is simply acting as a malware-as-a-service provider for other threat actors.

“It could simply be that they are dropping malware on targeted companies in order to provide paid access to others, or are using infostealer and RAT malware as part of a larger malware distribution effort,” said researchers. “We continue to analyze the new attacks and hope to get deeper insight into their motivations.”

RATicate: Campaign Similarities

However, researchers pinpointed several similarities between the six campaigns that led them to believe the same threat actor was behind them all. For one, the initial malspam emails targeted the same companies throughout the different campaign iterations, and all the campaigns observed thus far have been launched in distinct, separate clusters.


An overview of the recent, related campaigns — click to enlarge.

At least nine companies have been specifically targeted, including an electrical equipment manufacturer in Romania, a Kuwaiti construction services and engineering company, a Korean internet company and a Korean telecommunications and electrical cable manufacturer.

Researchers also pointed to similar payloads (Betabot and Lokibot) being used throughout the campaigns; and frequent duplications of the same command-and-control (C2) server. For instance, the Betabot malware’s C2 server was used at least twice during the various campaigns.

“These campaigns didn’t just share command-and-control infrastructure across different payloads within the same campaign,” said researchers. “Some of the infrastructure was also shared across multiple campaigns, which also suggests the same actor was involved across all of them.”

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.

Suggested articles