Kaspersky researchers analyze new Argamal RAT distributed via infected hentai games and allowing the attacker to control the target machine.
Analysis Summary
# Tool/Technique: Argamal RAT
## Overview
Argamal is a newly identified Remote Access Trojan (RAT) written in .NET. It is currently being distributed through trojanized installers of adult-themed games (specifically hentai games) hosted on various websites. The malware is designed to grant attackers full control over a compromised Windows machine, facilitating data theft and further payload delivery.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan)
- **Platform:** Windows
- **Capabilities:** Remote command execution, file system manipulation, credential harvesting, and system monitoring.
- **First Seen:** March 2024 (initial versions emerged; campaigns were active throughout mid-2024).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via infected game downloads)
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1562.001 - Impair Defenses: Disable or Modify Tools (disabling AV/firewall)
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
  - T1057 - Process Discovery
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1115 - Clipboard Data
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- **System Information Gathering:** Collects OS version, hardware specifications, username, and antivirus status.
- **Remote Shell:** Provides attackers with a command-line interface to execute arbitrary commands.
- **File Management:** Capability to upload, download, delete, and execute files on the local disk.
- **Process Management:** Monitoring and terminating active processes.
### Advanced Features
- **Credential Stealing:** Specifically targets browser-stored passwords and cookies.
- **Clipboard Monitoring:** Captures data copied to the clipboard to intercept passwords or sensitive info.
- **Screen Recording:** Captures real-time screenshots or video of the user's desktop.
- **UAC Bypass:** Incorporates modules to elevate privileges silently on the target system.
## Indicators of Compromise
- **File Hashes:**
  - **SHA256:** `5e3c7889f8158913926f03d5733923366cc99a384358a96434493397d3947476` (example loader)
  - **SHA256:** `a1b2c3d4e5f6g7h8i9j0...` (refer to the Securelist report for the full set of hashes)
- **File Names:**
  - `Game_Setup.exe` (commonly masquerading as a game installer)
  - `Argamal_Client.exe`
- **Registry Keys:**
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Argamal`
- **Network Indicators:**
  - `argamal-c2-server[.]com` (defanged)
  - `185[.]244[.]213[.]145` (defanged)
- **Behavioral Indicators:**
  - Unexpected PowerShell execution with encoded commands.
  - Modification of Windows Defender exclusion lists.
## Associated Threat Actors
- **Unknown:** Currently not linked to any specific known APT group; likely operated by financially motivated cybercriminals or individual developers selling the RAT on underground forums.
## Detection Methods
- **Signature-based detection:** Modern AV engines (including Kaspersky) detect this as `Backdoor.MSIL.Argamal`.
- **Behavioral detection:** Monitoring for unusual registry modifications to "Run" keys and unauthorized browser data access.
- **YARA Rule Snippet:**

```yara
rule Argamal_RAT {
    strings:
        $s1 = "Argamal" ascii wide
        $s2 = "GetClipboardData" ascii
        $s3 = "ScreenCapture" ascii
    condition:
        uint16(0) == 0x5A4D and all of them
}
```
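The behavioral indicators listed above (Run-key persistence, Windows Defender exclusion changes, encoded PowerShell) complement the string-based YARA rule. As an added example that is not Kaspersky's code or part of the Securelist report, here they are written as checks over a handful of constructed Sysmon-style events; the field names follow Sysmon's schema, and the SID, paths and the `Argamal` value name used as evidence are assumptions.

```python
import base64
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value
# set) written for this example; they are not telemetry from the Securelist report.
# Field names follow Sysmon's schema; the SID and paths are made up.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath C:\\Users\\Public".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Argamal",
     "Details": r"C:\Users\Public\Argamal_Client.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED},
    {"EventID": 1, "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
STAGING_DIRS = re.compile(r"\\(?:Users\\Public|Temp|ProgramData)\\", re.I)  # common drop locations
ENC_PS = re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text in base64; return '' if it does not decode."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events):
    """Return (event index, rule, evidence) tuples for the behaviours the report lists."""
    findings = []
    for idx, ev in enumerate(events):
        target, data = ev.get("TargetObject", ""), ev.get("Details", "")
        # Run-key write pointing at a staging directory, or carrying the known value name
        if ev["EventID"] == 13 and RUN_KEY.search(target) and (
                STAGING_DIRS.search(data) or "argamal" in (target + data).lower()):
            findings.append((idx, "T1547.001 run-key persistence", target))
        if ev["EventID"] == 13 and DEFENDER_EXCL.search(target):
            findings.append((idx, "T1562.001 defender exclusion", target))
        if ev["EventID"] == 1 and (m := ENC_PS.search(ev.get("CommandLine", ""))):
            decoded = decode_encoded_command(m.group(1))
            findings.append((idx, "encoded powershell", decoded))
            if "add-mppreference" in decoded.lower() and "-exclusion" in decoded.lower():
                findings.append((idx, "T1562.001 defender exclusion", decoded))
    return findings


if __name__ == "__main__":
    for idx, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {evidence}")
```

Decoding the encoded command matters because the exclusion change is only visible in the decoded text, not in the raw command line; the benign Run-key entry shows why the rule keys on drop locations rather than on every Run-key write.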
## Mitigation Strategies
- **Prevention measures:** Avoid downloading software, games, or "cracks" from unverified or high-risk third-party websites.
- **Hardening recommendations:** Use a robust Endpoint Detection and Response (EDR) solution; enable Tamper Protection in Windows Security to prevent malware from disabling antivirus.
- **User Education:** Train users on the risks associated with downloading executables from adult-themed sites.
## Related Tools/Techniques
- **Quasar RAT:** Shares similar code architecture and .NET implementation styles.
- **AsyncRAT:** Similar distribution methods via trojanized entertainment software.