win.bit_rat

BitRAT


According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.

Furthermore, because each buyer follows their own modus operandi, BitRAT is even harder to stop: it can be employed in operations as varied as trojanized software, phishing and watering hole attacks.

BitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.

References
2024-05-29 | eSentire | eSentire
    Fake Browser Updates delivering BitRAT and Lumma Stealer
    Families: BitRAT, Lumma Stealer
2023-09-08 | Gi7w0rm
    Uncovering DDGroup — A long-time threat actor
    Families: AsyncRAT, Ave Maria, BitRAT, DBatLoader, NetWire RC, Quasar RAT, XWorm
2023-08-01 | Palo Alto Networks Unit 42 | Lior Rochberger
    NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts
    Families: BitRAT, NodeStealer, XWorm
2023-01-03 | Qualys | Akshat Pradhan
    BitRAT Now Sharing Sensitive Bank Data as a Lure
    Families: BitRAT
2022-05-20 | SANS ISC | Xavier Mertens
    A 'Zip Bomb' to Bypass Security Controls & Sandboxes
    Families: BitRAT
2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
    .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
    Families: Aberebot, AbstractEmu, AdoBot, 404 Keylogger, Agent Tesla, Amadey, AsyncRAT, Ave Maria, BitRAT, BluStealer, Formbook, LimeRAT, Loki Password Stealer (PWS), Nanocore RAT, Orcus RAT, Quasar RAT, Raccoon, RedLine Stealer, WhisperGate
2022-05-12 | FortiGuard Labs | Xiaopeng Zhang
    Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
    Families: Ave Maria, BitRAT, Pandora RAT
2022-05-10 | Checkpoint | Checkpoint
    Info-stealer Campaign targets German Car Dealerships and Manufacturers
    Families: Azorult, BitRAT, Raccoon
2022-03-22 | Bitdefender | Vlad Constantinescu
    BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators
    Families: BitRAT
2022-03-21 | AhnLab | ASEC Analysis Team
    BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
    Families: BitRAT, TinyNuke
2022-03-21 | Bleeping Computer | Bill Toulas
    BitRAT malware now spreading as a Windows 10 license activator
    Families: BitRAT
2022-02-14 | Morphisec | Arnold Osipov, Hido Cohen
    Journey of a Crypto Scammer - NFT-001
    Families: AsyncRAT, BitRAT, Remcos
2022-02-14 | Fortinet | Fred Gutierrez, James Slaughter, Shunichi Imano
    NFT Lure Used to Distribute BitRAT
    Families: BitRAT
2022-02-07 | RiskIQ | RiskIQ
    RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
    Families: AsyncRAT, BitRAT, Nanocore RAT
2022-01-23 | forensicitguy | Tony Lambert
    HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
    Families: BitRAT
2022-01-09 | YouTube (0xca7) | 0xca7
    Cat vs. RAT II - Bitrat
    Families: BitRAT
2021-11-23 | Morphisec | Arnold Osipov, Hido Cohen
    Babadeda Crypter targeting crypto, NFT, and DeFi communities
    Families: Babadeda, BitRAT, LockBit, Remcos
2021-09-20 | Trend Micro | Aliakbar Zahravi, William Gamazo Sanchez
    Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
    Families: Ave Maria, BitRAT, LimeRAT, Nanocore RAT, NjRAT, Quasar RAT
2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
    APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
    Families: AsyncRAT, Ave Maria, BitRAT, Imminent Monitor RAT, LimeRAT, NjRAT, Remcos
2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
    APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
    Families: AsyncRAT, Ave Maria, BitRAT, Imminent Monitor RAT, LimeRAT, NjRAT, Remcos
2021-09-03 | Trend Micro | Mohamad Mokbel
    The State of SSL/TLS Certificate Usage in Malware C&C Communications
    Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2021-07-12 | Cipher Tech Solutions | Claire Zaboeva, Dan Dash, Melissa Frydrych
    RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
    Families: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos
2021-07-12 | IBM | Claire Zaboeva, Dan Dash, Melissa Frydrych
    RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
    Families: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos
2021-03-17 | HP | HP Bromium
    Threat Insights Report Q4-2020
    Families: Agent Tesla, BitRAT, ComodoSec, Dridex, Emotet, Ficker Stealer, Formbook, Zloader
2021-02-16 | Check Point | Check Point Research
    ApoMacroSploit: Apocalyptical FUD race
    Families: BitRAT
2021-01-22 | Github (Finch4) | Finch
    Malware Analysis Report No2
    Families: BitRAT
2020-09-04 | KrabsOnSecurity | Mr. Krabs
    BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
    Families: BitRAT, WebMonitor RAT
2020-08-22 | KrabsOnSecurity | Mr. Krabs
    BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers
    Families: BitRAT
Yara Rules
[TLP:WHITE] win_bit_rat_auto (20241030 | Detects win.bit_rat.)
rule win_bit_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.bit_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b37 8bce 6a01 e8???????? 6a01 8bce }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8bce                 | mov                 ecx, esi
            //   6a01                 | push                1
            //   e8????????           |                     
            //   6a01                 | push                1
            //   8bce                 | mov                 ecx, esi

        $sequence_1 = { e8???????? 6a30 56 e8???????? 83c408 c645fc07 8b4578 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6a30                 | push                0x30
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   8b4578               | mov                 eax, dword ptr [ebp + 0x78]

        $sequence_2 = { eb09 6a00 6a00 68a7000000 68a4000000 6a22 e8???????? }
            // n = 7, score = 200
            //   eb09                 | jmp                 0xb
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68a7000000           | push                0xa7
            //   68a4000000           | push                0xa4
            //   6a22                 | push                0x22
            //   e8????????           |                     

        $sequence_3 = { f6401408 743e 83790400 7538 3bcd 742d 8b4110 }
            // n = 7, score = 200
            //   f6401408             | test                byte ptr [eax + 0x14], 8
            //   743e                 | je                  0x40
            //   83790400             | cmp                 dword ptr [ecx + 4], 0
            //   7538                 | jne                 0x3a
            //   3bcd                 | cmp                 ecx, ebp
            //   742d                 | je                  0x2f
            //   8b4110               | mov                 eax, dword ptr [ecx + 0x10]

        $sequence_4 = { 8b450c 895ddc 8b5d08 2bdf 1bc1 8b4ddc 8945f0 }
            // n = 7, score = 200
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   2bdf                 | sub                 ebx, edi
            //   1bc1                 | sbb                 eax, ecx
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_5 = { 8945fc 8d7e10 51 51 57 8945f0 e8???????? }
            // n = 7, score = 200
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d7e10               | lea                 edi, [esi + 0x10]
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   e8????????           |                     

        $sequence_6 = { b9d7505e03 2bc8 83f901 7234 2b1f 8d7001 8bc3 }
            // n = 7, score = 200
            //   b9d7505e03           | mov                 ecx, 0x35e50d7
            //   2bc8                 | sub                 ecx, eax
            //   83f901               | cmp                 ecx, 1
            //   7234                 | jb                  0x36
            //   2b1f                 | sub                 ebx, dword ptr [edi]
            //   8d7001               | lea                 esi, [eax + 1]
            //   8bc3                 | mov                 eax, ebx

        $sequence_7 = { ff742420 52 e8???????? 83c414 85c0 7422 5f }
            // n = 7, score = 200
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24
            //   5f                   | pop                 edi

        $sequence_8 = { e8???????? 83c40c 85d2 7f06 7ce5 85c0 72e1 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85d2                 | test                edx, edx
            //   7f06                 | jg                  8
            //   7ce5                 | jl                  0xffffffe7
            //   85c0                 | test                eax, eax
            //   72e1                 | jb                  0xffffffe3

        $sequence_9 = { 8bd7 8d4201 8945f0 8a02 42 84c0 75f9 }
            // n = 7, score = 200
            //   8bd7                 | mov                 edx, edi
            //   8d4201               | lea                 eax, [edx + 1]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb

    condition:
        7 of them and filesize < 19405824
}
[TLP:WHITE] win_bit_rat_w0   (20200828 | String-based rule for detecting BitRAT malware payload)
rule win_bit_rat_w0 {
    meta:
        author = "KrabsOnSecurity"
        date = "2020-8-22"
        description = "String-based rule for detecting BitRAT malware payload"
        source = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_version = "20200828"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $tinynuke_paste1 = "TaskbarGlomLevel"
        $tinynuke_paste2 = "profiles.ini"
        $tinynuke_paste3 = "RtlCreateUserThread"
        $tinynuke_paste4 = "127.0.0.1"
        $tinynuke_paste5 = "Shell_TrayWnd"
        $tinynuke_paste6 = "cmd.exe /c start "
        $tinynuke_paste7 = "nss3.dll"
        $tinynuke_paste8 = "IsRelative="
        $tinynuke_paste9 = "-no-remote -profile "
        $tinynuke_paste10 = "AVE_MARIA"
        
        $commandline1 = "-prs" wide
        $commandline2 = "-wdkill" wide
        $commandline3 = "-uac" wide
        $commandline4 = "-fwa" wide
    condition:
        (8 of ($tinynuke_paste*)) and (3 of ($commandline*))
}
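Both rules above gate on an "N of (...)" string count, and the second one additionally marks its command-line switches as `wide`, which tells YARA to search only for their UTF-16LE encoding and not the plain ASCII form. The following Python is an added example, not Malpedia's rule tooling or KrabsOnSecurity's code: it re-implements the condition of win_bit_rat_w0 with plain substring matching so the thresholds and the `wide` behaviour can be inspected on byte buffers constructed here (they are not real samples). The helper names, the filler bytes and the synthetic buffers are this example's own choices; a production scan would run the yara binary or yara-python on the rule text itself, and this mirror ignores YARA features the rule does not use (nocase, fullword, regex).

```python
# Added example (not Malpedia's or KrabsOnSecurity's code): a plain-Python mirror
# of the win_bit_rat_w0 condition, used to show how the `wide` modifier and the
# "N of (...)" thresholds behave. All buffers below are constructed, not real samples.

# Plain (ASCII) strings of the $tinynuke_paste* group, copied from the rule.
TINYNUKE_PASTE = [
    b"TaskbarGlomLevel",
    b"profiles.ini",
    b"RtlCreateUserThread",
    b"127.0.0.1",
    b"Shell_TrayWnd",
    b"cmd.exe /c start ",
    b"nss3.dll",
    b"IsRelative=",
    b"-no-remote -profile ",
    b"AVE_MARIA",
]

# Strings of the $commandline* group. The rule marks them `wide`, so YARA looks
# only for their UTF-16LE encoding; the ASCII form does not count.
COMMANDLINE = ["-prs", "-wdkill", "-uac", "-fwa"]


def wide(text: str) -> bytes:
    """Encode a string the way YARA's `wide` modifier expects it (UTF-16LE)."""
    return text.encode("utf-16-le")


def count_present(buf: bytes, patterns: list) -> int:
    """Number of distinct patterns that occur at least once in buf."""
    return sum(1 for pattern in patterns if pattern in buf)


def win_bit_rat_w0(buf: bytes) -> dict:
    """Mirror the rule condition: (8 of ($tinynuke_paste*)) and (3 of ($commandline*))."""
    paste_hits = count_present(buf, TINYNUKE_PASTE)
    cmd_hits = count_present(buf, [wide(s) for s in COMMANDLINE])
    return {
        "tinynuke_paste": paste_hits,
        "commandline": cmd_hits,
        "match": paste_hits >= 8 and cmd_hits >= 3,
    }


def build_sample(paste_count: int, wide_switches=(), ascii_switches=()) -> bytes:
    """Construct a synthetic buffer (hypothetical helper, not a real binary): the
    first paste_count TinyNuke strings, the given switches as UTF-16LE and,
    optionally, switches as plain ASCII, separated by filler bytes so that the
    concatenation cannot create accidental matches."""
    parts = list(TINYNUKE_PASTE[:paste_count])
    parts += [wide(s) for s in wide_switches]
    parts += [s.encode("ascii") for s in ascii_switches]
    filler = b"\x00\x90\xcc\x00"
    return filler + filler.join(parts) + filler


if __name__ == "__main__":
    cases = {
        "full payload (10 strings, 4 wide switches)": build_sample(10, COMMANDLINE),
        "boundary (8 strings, 3 wide switches)": build_sample(8, COMMANDLINE[:3]),
        "switches present only as ASCII, not UTF-16LE": build_sample(10, (), COMMANDLINE),
        "TinyNuke paste only, 2 wide switches": build_sample(10, COMMANDLINE[:2]),
        "7 paste strings, 4 wide switches": build_sample(7, COMMANDLINE),
    }
    for name, buf in cases.items():
        print(f"{name}: {win_bit_rat_w0(buf)}")
```

The "switches only as ASCII" case is the one worth remembering when tuning such a rule: because the switches are declared `wide`, a build that stores them as ANSI strings would not satisfy `3 of ($commandline*)` even though the TinyNuke-derived strings are all present. If both encodings should count, the YARA declaration is `ascii wide`, at the cost of a broader match surface that needs re-testing against clean files.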