LimeRAT Remote Access Trojan

LimeRAT is a highly modular, open-source remote access trojan featuring an easy to use configuration and control interface.

Threat ID:: CC-2968
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Email spam
Published:: 11 March 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

LimeRAT is a highly modular, open-source remote access trojan featuring an easy to use configuration and control interface.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

It has undergone several feature improvements as a result of its open-source nature, and its accessibility has made it a popular choice with less skilled attackers.

Whilst LimeRAT has currently only been observed being delivered via phishing campaign, its open-source nature means other distribution methods may be easily used in future campaigns.

Once the payload has been delivered to a user, LimeRAT connects to a command and control server before sending information about the operating system and hardware of the affected system. Using the control interface, the attacker can then choose its behaviour based upon the options built into the payload. At present, the following functionality has been observed:

Download and execution of additional files.
Encryption of user files.
Deployment of a Monero cryptocurrency miner.
Enabling Remote Desktop Protocol.
Stealing information, including simple keylogging.
Spreading to other machines by replacing files on USB devices and overwriting shortcut paths of pinned task bar applications.

Update 17 Apr 2019

A new LimeRAT infection chain has been observed utilising a LNK file to deliver its payload. It uses several techniques to evade detection and maintain persistence.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:47 pm