Threat actors have been deploying a novel Remote Access Trojan (RAT) dubbed GodRAT, derived from the venerable Gh0st RAT codebase, to infiltrate financial institutions, particularly trading and brokerage firms.
The malware is distributed via Skype as malicious .scr (screensaver) and .pif (Program Information File) executables masquerading as legitimate financial documents, such as client lists or transaction data.
This tactic exploits user trust in seemingly innocuous file types, enabling initial access.
Evolution of Gh0st RAT
GodRAT represents an evolution of the AwesomePuppet backdoor reported in 2023, sharing code similarities and distribution methods, and is likely linked to the Winnti APT group.
Attackers employ steganography to conceal shellcode within image files, which then downloads the RAT from a Command-and-Control (C2) server.
Once deployed, GodRAT supports plugin-based extensions; the FileManager plugin is used to perform reconnaissance on victim systems and to deploy secondary payloads such as browser password stealers and AsyncRAT for persistent access.
The campaign remains active as of August 12, 2025, with detections spanning Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan, highlighting a targeted focus on Middle Eastern and Asian financial entities.
The technical implementation of GodRAT is intricate, beginning with shellcode loaders that inject malicious code into legitimate processes.
One loader variant XOR-decodes embedded shellcode using a hardcoded key like “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB” and executes it in a new memory section.
Targets Financial Sector
Another self-extracting executable embeds files, including a signed SDL2.dll loader (MD5: 512778f0de31fcce281d87f00affa4a8) that extracts shellcode from JPG images depicting financial details, injecting it via Valve.exe, a legitimate binary signed with an expired DigiCert certificate.

According to the Kaspersky report, the shellcode searches for “godinfo” strings, decodes C2 configurations with the XOR key 0x63, and fetches a second-stage payload containing a UPX-packed GodRAT DLL (internal name: ONLINE.dll).
This DLL exports a “run” function that checks command-line arguments, often injecting into processes like curl.exe or cmd.exe using the “-Puppet” parameter, a nod to its AwesomePuppet heritage.
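The marker-and-XOR configuration scheme described above is simple enough to check for during triage. The following added example (not code from the report or from the malware) scans a byte blob for the “godinfo” marker and XOR-decodes what follows with 0x63; it assumes the encoded configuration sits directly after the marker and ends at the first non-printable decoded byte, and the sample blob it builds is constructed (the port number is made up, only the IP comes from the IoC table):

```python
"""Triage helper for GodRAT-style samples: find the "godinfo" marker and
XOR-decode the bytes that follow it with the single-byte key 0x63.
Assumption (not stated in the report): the encoded configuration sits right
after the marker and ends at the first non-printable decoded byte."""
import re

MARKER = b"godinfo"
XOR_KEY = 0x63
C2_PATTERN = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def xor_single_byte(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def extract_configs(blob: bytes, max_len: int = 256) -> list[str]:
    """Return the printable string decoded after each marker occurrence."""
    found = []
    pos = blob.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        decoded = xor_single_byte(blob[start:start + max_len])
        text = ""
        for b in decoded:
            if 0x20 <= b <= 0x7E:  # stop at the first non-printable decoded byte
                text += chr(b)
            else:
                break
        if text:
            found.append(text)
        pos = blob.find(MARKER, start)
    return found


def looks_like_c2(candidate: str) -> bool:
    """Rank candidates: an IPv4:port pair is the shape an analyst expects for a C2 entry."""
    return bool(C2_PATTERN.match(candidate))


def build_sample(config: str) -> bytes:
    """Constructed test blob (not a real sample): filler, marker, encoded config, filler.
    0x90 filler decodes to 0xF3, which is non-printable and so terminates the string."""
    return b"\x90" * 16 + MARKER + xor_single_byte(config.encode("ascii")) + b"\x90" * 8


if __name__ == "__main__":
    sample = build_sample("103.237.92.191:8080")  # port is a constructed value
    for cfg in extract_configs(sample):
        print(cfg, "(C2-like)" if looks_like_c2(cfg) else "")
```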
GodRAT collects system intel, including OS details, hostname, PID, user accounts, and AV presence, compressing data with zlib and triple XOR-encoding before C2 transmission.
Supported commands include plugin injection (e.g., FileManager for drive enumeration, file operations, and 7-Zip execution), process creation on default desktops, and URL openings via Internet Explorer.
Secondary implants amplify the threat: Chrome and MS Edge password stealers (MD5s: 31385291c01bb25d635d098f91708905 and cdd5c08b43238c47087a5d914d61c943) extract credentials from SQLite databases and Local State files, saving them as plain text.
AsyncRAT injectors (e.g., MD5: 605f25606bb925d61ccc47f0150db674) decode and inject C# binaries after patching AMSI and ETW functions for evasion.
Source code analysis reveals GodRAT’s direct descent from Gh0st RAT, with builders allowing customization into executables like svchost.exe or file types such as .scr/.pif.
Differences from AwesomePuppet include enhanced C2 packet handling with a “direction” field, underscoring iterative improvements in legacy malware.
This persistence of Gh0st-derived tools, nearly two decades old, underscores the enduring appeal of customizable implants for APT operations, urging organizations to monitor anomalous Skype deliveries, unusual process injections, and C2 communications.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| MD5 Hash | d09fd377d8566b9d7a5880649a0192b4 | GodRAT Shellcode Injector |
| MD5 Hash | 512778f0de31fcce281d87f00affa4a8 | GodRAT Shellcode Loader DLL |
| MD5 Hash | 8008375eec7550d6d8e0eaf24389cf81 | GodRAT DLL |
| MD5 Hash | 31385291c01bb25d635d098f91708905 | Chrome Password Stealer |
| MD5 Hash | 605f25606bb925d61ccc47f0150db674 | AsyncRAT Injector |
| IP Address | 103.237.92.191 | GodRAT C2 Server |
| Domain | wuwu6.cfd | AsyncRAT C2 Domain |
| File Path | %ALLUSERSPROFILE%googlechrome.exe | Chrome Stealer Placement |