win.kaolin_rat

Kaolin RAT

aka: KaolinTea

Actor(s): Lazarus Group


Kaolin RAT is a complex modular RAT whose internal DLL name (the name recorded in its PE export directory) is Release_TMain_x64.dll.

The malware provides standard backdoor functionality: listing and manipulating files and processes, updating its configuration, collecting the victim's system information, opening a TCP connection, and executing local commands and collecting their output.

It can also execute additional DLL payloads in memory, calling into them through one of these exported functions:
- _DoMyFunc,
- _DoMyFunc2,
- _DoMyThread,
- _DoMyCommandWork.

Functionally, Kaolin RAT relies on an accompanying trojanized curl library to handle network and exfiltration operations, by importing functions such as:
- SendDataFromURL,
- ZipFolder,
- UnzipStr,
- curl wrappers.

For C&C communication it uses AES encryption and, to blunt signature-based network detection, fills the POST request parameters with words selected at random from a hardcoded dictionary, so no two beacons need share a fixed parameter string. The family's name is taken from one of these dictionary words ("kaolin").
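The following Go program is an added illustration of that C&C pattern and of a hunting heuristic for it; it is not Kaolin RAT's code and nothing in it is derived from the sample. It assumes the dictionary words are used as POST parameter names (the page only says "parameters"), assumes AES-GCM (the page only says AES), uses a constructed word list in which only "kaolin" is attested, and uses detection thresholds (0.5 instability, 4.5 bits/char entropy over 32+ character values) that are illustrative assumptions, not values tuned on real traffic. The beacon builder shows why a static "name=" signature fails; beaconScore shows what does survive the randomisation: parameter names that keep changing across requests to one endpoint while every request still carries an opaque, high-entropy value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math"
	mrand "math/rand"
	"net/url"
	"sort"
)

// Constructed word list for this example; only "kaolin" is attested on the page.
var dictionary = []string{"kaolin", "basalt", "granite", "quartz", "feldspar", "mica", "shale", "gneiss"}

// aesEncrypt seals msg with AES-GCM (mode is an assumption; the page only says
// AES) and base64-encodes nonce||ciphertext so it fits in a form value.
func aesEncrypt(key, msg []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, msg, nil)), nil
}

// buildBeacon emulates the evasion: both parameter names are drawn at random
// from the dictionary, so no two beacons share a fixed "name=" string.
func buildBeacon(key []byte, sessionID string, msg []byte) (string, error) {
	enc, err := aesEncrypt(key, msg)
	if err != nil {
		return "", err
	}
	idx := mrand.Perm(len(dictionary))
	form := url.Values{}
	form.Set(dictionary[idx[0]], sessionID)
	form.Set(dictionary[idx[1]], enc)
	return form.Encode(), nil
}

// shannonEntropy in bits per character; base64 ciphertext scores far above typed values.
func shannonEntropy(s string) (h float64) {
	freq, n := map[rune]float64{}, float64(len([]rune(s)))
	for _, r := range s {
		freq[r]++
	}
	for _, c := range freq {
		h -= (c / n) * math.Log2(c/n)
	}
	return h
}

// beaconScore is the detection side: instability is the share of bodies whose
// sorted parameter-name set is not the most common one (a normal form scores ~0);
// opaque is the share carrying a 32+ char value above 4.5 bits/char. Thresholds are assumptions.
func beaconScore(bodies []string) (instability, opaque float64, err error) {
	if len(bodies) == 0 {
		return 0, 0, nil
	}
	counts, most, opaqueN := map[string]int{}, 0, 0
	for _, b := range bodies {
		v, perr := url.ParseQuery(b)
		if perr != nil {
			return 0, 0, perr
		}
		keys, hit := make([]string, 0, len(v)), false
		for k, vals := range v {
			keys = append(keys, k)
			for _, x := range vals {
				hit = hit || (len(x) >= 32 && shannonEntropy(x) > 4.5)
			}
		}
		if hit {
			opaqueN++
		}
		sort.Strings(keys)
		sig := fmt.Sprint(keys)
		if counts[sig]++; counts[sig] > most {
			most = counts[sig]
		}
	}
	return 1 - float64(most)/float64(len(bodies)), float64(opaqueN)/float64(len(bodies)), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	b, err := buildBeacon(key, "s-42", []byte("constructed sysinfo: host=WS01 user=j.doe os=Windows 10 build=19045"))
	fmt.Println(b, err)
}
```

Running it prints one beacon body such as `feldspar=s-42&kaolin=<base64>` with different names on each run. For hunting, feed beaconScore the bodies of consecutive POSTs from one host to one URL: a stream scoring high on both signals is worth a closer look, whereas a login form scores zero on both. The two signals are deliberately separate so that a site with genuinely optional fields (high instability, low opaque share) is not flagged by the name churn alone.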

Kaolin RAT has been observed in Lazarus campaigns as a late-stage payload, typically following loaders such as RollFling, RollSling, and RollMid, and in turn serves as the delivery vector for the FudModule rootkit together with the 0-day exploit it relied on.

References
2024-04-18 | Avast | Luigino Camastra
From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Covers: FudModule, Kaolin RAT

There is no Yara-Signature yet.