Recent Campaign Delivering Python-Based RAT: SwaetRAT


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Researchers discovered a new Remote Access Trojan (RAT) called "SwaetRAT", delivered via a Python script. It exhibits intriguing behavior, has low detection rates, and specifically targets Microsoft Windows hosts.

A Python script has been discovered that interacts with the Windows operating system at a low level, using libraries such as System.Reflection, ctypes, and wintypes to call Windows APIs directly. This gives the script the ability to manipulate system processes, allowing it to load harmful payloads, change system configurations, and evade security controls. Although the script has a low detection rate on VirusTotal, it still warrants thorough examination because of its potential to carry out malicious actions.

The script modifies key Windows APIs such as AmsiScanBuffer and EtwEventWrite by overwriting the first bytes of these functions with a short stub. On 64-bit systems, the EtwEventWrite patch is four bytes (0x48, 0x33, 0xc0, 0xc3, i.e. xor rax, rax; ret), while on 32-bit systems it is five bytes (0x33, 0xc0, 0xc2, 0x14, 0x00, i.e. xor eax, eax; ret 0x14). In both cases the function returns zero immediately, so the API no longer performs its intended work, and the script bypasses the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), which are normally used to detect and log malicious actions.

After decoding a Base64-encoded string, the script loads a .NET assembly through the Assembly.Load method from the System.Reflection library. It then creates an instance of the class defined by the EntryPoint property of the assembly and invokes the Invoke method, triggering the assembly's entry point. This behavior suggests the script is crafted to execute additional malicious payloads as part of a larger attack chain.

The payload is identified as a Portable Executable (PE) file, recognized by the "MZ" signature at its start, a common header for Windows executables. The base64dump.py tool shows that the first 16 bytes of the payload contain the string “GetModuleHandleA,” which is often used in Windows DLLs. Further analysis confirms that the file is a PE32+ executable, marking it as a 64-bit .NET assembly. When executed, the malware copies itself to an obfuscated location, checks if it is running from there, and, if successful, proceeds to extract the next-stage payload. It also ensures persistence by adding a registry key and creating a shortcut in the startup folder. The subsequent phase involves a .NET binary that employs reflection techniques to bypass security measures, decoding a hex string to reveal and deploy the final SwaetRAT payload, further advancing the attack.

Technical Detail

The script employs live patching techniques for specific API calls to conceal its activities. A common target is AmsiScanBuffer(), which it patches to bypass AMSI detection. Additionally, it modifies EtwEventWrite() to block the generation of events, further obfuscating its actions.

Code snippet demonstrating the patching of AmsiScanBuffer() and EtwEventWrite() API calls (source: isc.sans)

In both cases, the script overwrites the initial bytes of the targeted API calls to return a predefined value, effectively neutralizing their functionality.
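As an added example (not code from the article or from the analyzed script), the following Python checks whether the first bytes of AmsiScanBuffer and EtwEventWrite in a running process have been replaced by a return-immediately stub, using the EtwEventWrite patch bytes quoted above. The generic stub shapes beyond those bytes and the helper names (classify_prologue, read_live_prologue, check_host) are assumptions of this example.

```python
import ctypes
import sys
from typing import Optional

# Patch bytes quoted in the article for EtwEventWrite:
# 64-bit: xor rax,rax ; ret          32-bit: xor eax,eax ; ret 0x14
KNOWN_PATCHES = {
    "etw_x64": bytes([0x48, 0x33, 0xC0, 0xC3]),
    "etw_x86": bytes([0x33, 0xC0, 0xC2, 0x14, 0x00]),
}

def classify_prologue(prologue: bytes) -> Optional[str]:
    """Label the first bytes of an exported API if they form a 'return at once'
    stub, or return None when the prologue looks intact.
    Assumption (not from the article): a genuine AmsiScanBuffer/EtwEventWrite
    never returns within its first instructions, so any such stub is a patch indicator."""
    for name, sig in KNOWN_PATCHES.items():
        if prologue.startswith(sig):
            return name
    if prologue.startswith(b"\x33\xC0\xC3"):          # xor eax,eax ; ret
        return "xor_ret"
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        return "mov_imm_ret"                          # mov eax,imm32 ; ret (fixed HRESULT)
    if prologue[:1] == b"\xC3":                       # bare ret
        return "ret"
    return None

def read_live_prologue(dll: str, func: str, n: int = 8) -> bytes:
    """Windows only: read the first n bytes of an exported function in this process."""
    if sys.platform != "win32":
        raise OSError("live prologue inspection requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype, k32.LoadLibraryW.argtypes = ctypes.c_void_p, [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    hmod = k32.LoadLibraryW(dll)
    addr = hmod and k32.GetProcAddress(hmod, func.encode())
    if not addr:
        raise ctypes.WinError(ctypes.get_last_error())
    return ctypes.string_at(addr, n)

def check_host() -> dict:
    """Inspect the two APIs the article names; a non-None value means the
    prologue has been replaced (confirm by diffing against the on-disk DLL)."""
    targets = (("amsi.dll", "AmsiScanBuffer"), ("ntdll.dll", "EtwEventWrite"))
    return {func: classify_prologue(read_live_prologue(dll, func)) for dll, func in targets}

if __name__ == "__main__":
    print(check_host())
```

Inline jmp hooks that EDR products place at the same location are deliberately not flagged; the definitive check is to diff the live bytes against the copy of the DLL on disk.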

The script then decodes, loads, and executes the next stage. The image below illustrates the code responsible for loading the decoded value.

Code snippet for loading the next stage (source: isc.sans)
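The Summary describes triaging the decoded payload by its MZ signature and its PE32+ header. As an added example (not code from the article or from the analyzed script), this Python decodes a Base64 blob the way the loader does and classifies the bytes as PE32 or PE32+, reports the machine type, and checks for a CLR header (the .NET indicator); the function names and the headers-only sample image are constructed for this example.

```python
import base64
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly

def triage_pe(data: bytes) -> dict:
    """Classify a decoded payload the way the article does: MZ signature,
    PE32/PE32+ magic, machine type, and presence of a CLR header."""
    info = {"is_pe": False, "format": None, "machine": None, "dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    info.update(is_pe=True, machine=MACHINE_NAMES.get(machine, hex(machine)))
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        info["format"], dirs_off = "PE32+", opt + 112  # data directories start at +112 for PE32+
    elif magic == PE32_MAGIC:
        info["format"], dirs_off = "PE32", opt + 96    # ... and at +96 for PE32
    else:
        return info
    clr_off = dirs_off + CLR_DIRECTORY_INDEX * 8
    if clr_off + 8 <= min(opt + opt_size, len(data)):
        rva, size = struct.unpack_from("<II", data, clr_off)
        info["dotnet"] = rva != 0 and size != 0
    return info

def triage_base64_payload(encoded: str) -> dict:
    """Decode a Base64 blob as the loader does, then classify the bytes."""
    return triage_pe(base64.b64decode(encoded, validate=True))

def build_sample_pe32plus(dotnet: bool = True) -> bytes:
    """Constructed headers-only PE32+ image used as sample input; not a binary from the campaign."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte optional header
    opt = struct.pack("<H", PE32PLUS_MAGIC).ljust(112, b"\x00")
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 0x48)  # placeholder CLR header RVA and size
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\x00\x00" + coff + opt

SAMPLE_B64 = base64.b64encode(build_sample_pe32plus()).decode()  # constructed sample, as the script would carry it
```

Running `triage_base64_payload(SAMPLE_B64)` on the constructed sample reports a 64-bit PE32+ image with a CLR header, matching the article's description of the first stage.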

The loaded executable is a .NET binary. It first copies itself to "%LOCALAPPDATA%\Microsoft_OneDrive.exe" and verifies if it is running from this directory. If so, it extracts the next stage. Additionally, it creates the directory "%LOCALAPPDATA%\Xbox" and establishes persistence through a registry key and a shortcut file in the Startup folder.

Creating persistence (source: isc.sans)

Finally, the next payload is decoded: it is SwaetRAT itself. This is another unobfuscated .NET binary, and its strings directly expose the RAT's capabilities during disassembly. The RAT is capable of monitoring for specific keywords, such as PayPal and Binance, exfiltrating sensitive data, and retrieving additional payloads through various commands.

RAT Configuration strings (source: isc.sans)

Based on a similar sample discovered in another campaign, the command handler determines which actions the RAT performs. Several commands are processed:

"PONG": gets a "pong" response back from the server in reply to "ping" messages. Possibly used for connection status checking.

"sendfile": Executes the RunDisk method, which writes and executes a PowerShell file from the received data.

"Memory": Executes the Memory method, which loads and executes an assembly from the given byte array in memory.

"Web": Downloads a file from a URL and executes it.

"Close": Disconnects the TCP socket and exits the application.

"Restart": Restarts the application.

"Uninstall": Uninstalls the RAT via a batch script.

"$Cap": Captures a screenshot and sends it back to the server in base64-encoded, GZIP-compressed form.

"RemoteDesktop": Sends back the screen size information.

"RD+": Captures live screen data.

"DeskDrop": Writes a file to the desktop from received data that is base64-encoded and GZIP-compressed.

"UAC": Attempts to elevate privileges if not running as administrator.

"OfflineGet": Sends the content of a log file to the server.

Recommendations

We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:

● Use a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.

● Consider limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.

● Monitor for beaconing at the network level to block data exfiltration by malware or threat actors (TAs).

Conclusion

SwaetRAT demonstrates sophisticated techniques for evading detection and maintaining persistence on compromised systems. It hides its activities by live-patching API calls, decoding and loading payloads in memory, and employing obfuscation through file manipulation and registry modifications. A detailed analysis of its behavior reveals its ability to target specific system components and execute operator commands, making it a potent threat to Windows environments.
