Threat actors have launched a targeted campaign against high-profile individuals and government officials in Malaysia, leveraging malicious ISO files to deliver the Babylon RAT.
A recent investigation by Cyble Research and Intelligence Lab (CRIL) has uncovered a targeted cyberattack campaign specifically aimed at political figures and government officials in Malaysia. The attack, which has been active since July, employs malicious ISO files designed to compromise high-profile individuals and institutions.
The malicious ISO files, which contain multiple components including a shortcut file, a hidden PowerShell script, a malicious executable, and a decoy PDF file, are crafted to deceive users into thinking they are interacting with legitimate files. Once opened, the ISO files execute a chain of events that ultimately deliver the Babylon RAT, a powerful remote access Trojan (RAT) known for its surveillance and data theft capabilities.
Intelligence from Cyble Vision’s platform indicates that the threat actor behind this campaign has previously targeted Malaysian entities using Quasar RAT, another open-source RAT, suggesting a pattern of targeting high-profile individuals and institutions in the country.
Technical Analysis of the Babylon RAT Campaign
The campaign has employed at least three distinct malicious ISO files targeting Malaysian entities, each containing a lure document designed to appeal to a specific audience. The lure documents include topics such as political concerns in Malaysia and the Majlis Amanah Rakyat (MARA), a Malaysian government agency.
Upon opening the malicious ISO file, a PowerShell script is executed in the background, which then launches a decoy PDF file and copies the malicious executable to the %appdata% directory. The script also creates a registry entry to ensure the executable runs on system startup and then executes the malicious file.
The final payload, the Babylon RAT, provides the threat actor with extensive control over the victim’s machine, allowing them to capture keystrokes, monitor the clipboard, extract passwords, and execute commands remotely. The RAT also maintains persistence on infected systems, ensuring it can continue its operations even after a reboot.
About Babylon RAT
Babylon is a Remote Access Trojan designed to allow remote access and control over infected machines. It is a high-risk threat due to its multi-functional capabilities, which include gathering system information, launching DDoS attacks, stealing credentials, and more. The RAT which first surfaced on dark web forums around 2015, has been used in various phishing campaigns, targeting multiple sectors over the years. The initial infection vector used in the latest campaign is remains unclear, Cyble researchers said.
Key Features and Capabilities of Babylon RAT
- Remote Access and Control: Enables threat actors to interact with infected devices in real time.
- Information Gathering: Collects hardware details, OS version, device name, username, IP address, and more.
- Anti-detection: Has capabilities to evade detection by security tools.
- Self-spreading: Can spread through local networks.
- DDoS Attacks: Can launch Distributed Denial-of-Service attacks to disrupt services.
- Credential Stealing: Extracts usernames and passwords from various installed applications, including browsers.
- Proxy Usage: Can make the host act as a SOCKS proxy to capture network traffic from multiple infected hosts, bypassing network security measures.
The sophisticated cyberattack targeting political figures and government officials in Malaysia is a wake-up call highly-ranked individuals and institutions. The use of Babylon RAT demonstrates the advanced capabilities of these threat actors and their ability to gain unauthorized access to sensitive information.
Recommendations
Cyble’s researchers recommended the following mitigation measures to avoid such future campaigns:
- Implement advanced email filtering solutions to detect and block malicious attachments, such as ISO files.
- Deploy and regularly update endpoint security solutions to detect and mitigate threats like Babylon RAT.
- Implement continuous network monitoring and anomaly detection to identify and respond to unusual activities.
- Conduct comprehensive security awareness training for political figures and government officials to recognize and avoid phishing attempts and malicious files.
- Ensure that all systems and software are kept up to date with the latest security patches to reduce vulnerabilities that could be exploited by threat actors.