A threat actor operating under the name Anonymous Arabs has released a remote access Trojan (RAT) called Silver RAT that can bypass security software and secretly launch hidden applications.
“The developers operated on multiple hacking forums and social media platforms, demonstrating an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report released last week.
According to the assessment, these actors are from Syria and are linked to the development of another RAT called S500 RAT. They also operate a Telegram channel that provides various services such as distribution of cracked RATs, leaked databases, carding activities, and sales of Facebook and X (formerly Twitter) bots.
Other cybercriminals then use social media bots to promote various illegal services by automating participation in and commenting on user content.
Detections of Silver RAT v1.0 were first observed in the wild in November 2023, although the threat actors’ plans to release the Trojan were first officially announced a year ago. It was hacked and leaked on Telegram around October 2023.
This C#-based malware has a wide range of capabilities and can connect to command and control (C2) servers, log keystrokes, compromise system restore points, and even encrypt data using ransomware. There are also signs that an Android version is in the works.
“Threat actors can choose from a variety of options when using Silver RAT’s builder to generate payloads, with payload sizes up to 50kb,” the company noted. “Once connected, the victim appears in an attacker-controlled Silver RAT panel that displays the victim’s logs based on the selected feature.”
An interesting evasion feature built into Silver RAT is its ability to delay the execution of the payload for a specific amount of time, as well as to covertly launch applications and take control of the compromised host.
Further analysis of the malware author’s online footprint indicates that a member of the group may be in his 20s and reside in Damascus.
“Developer […] Based on their Telegram posts, the group appears to be pro-Palestinian, and members associated with the group are active in various areas, including social media, development platforms, underground forums and the Clearnet website, suggesting they are involved in distributing various malware,” Cyfirma said.