A remote access trojan (RAT) known as Silver RAT, developed by threat actors going by the moniker Anonymous Arabic, can run concealed apps covertly and evade security measures.
Cybersecurity company Cyfirma stated in a research released last week that “the developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence.”
The actors, who are thought to be of Syrian descent and connected to the creation of the S500 RAT, also manage a Telegram channel where they provide a range of services including the selling of Facebook and X (formerly Twitter) bots, carding activities, and the distribution of cracked RATs.
When other cybercriminals use the social media bots to automatically interact with and comment on user material, they are promoting a variety of illegitimate services.
Although the threat actor’s intentions to deploy the trojan were originally announced a year earlier, Silver RAT v1.0 was first detected in the wild in November 2023. Around October 2023, it was cracked and made public on Telegram.
Using its extensive feature set, the C#-based malware may track keystrokes, erase system restore points, encrypt data using ransomware, and link to a command-and-control (C2) server. Indications suggest that an Android version is being developed as w
“While generating a payload using Silver RAT’s builder, threat actors can select various options with a payload size up to a maximum of 50kb,” the business stated. “Once connected, the victim appears on the attacker-controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen.”
One intriguing evasion feature of Silver RAT is its ability to run programmes surreptitiously, take over the compromised host, and delay the payload’s execution by a predetermined amount of time.
An additional examination of the malware author’s digital trail indicates that one of the group’s members is most likely a Damascus resident and in their mid-20s.
“The developer […] appears supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware,” Cyfirma explained.