New DRAT V2 Update Enhances C2 Protocol with Shell Command Execution Capabilities

A new variant of the DRAT remote access trojan (RAT), dubbed DRAT V2, has been uncovered as part of a TAG-140 campaign targeting Indian government entities.

This threat actor, believed to overlap with SideCopy and linked to Transparent Tribe (aka APT36), demonstrates a consistent pattern of refining its malware arsenal.

TAG-140 Evolves Malware Arsenal

The latest campaign, which impersonated the Indian Ministry of Defence through a cloned press release portal, showcases a shift in malware architecture from a .NET-based DRAT to a Delphi-compiled DRAT V2, complete with an updated command-and-control (C2) protocol and enhanced post-exploitation features.

This development underscores TAG-140’s maturing tradecraft, particularly in targeting India’s defense and governmental sectors with tailored social engineering and technical sophistication.

[Figure: TAG-140 infection chain dropping DRAT V2]

DRAT V2 introduces significant updates over its predecessor, most notably a revamped custom TCP-based, server-initiated C2 protocol that now supports both ASCII and Unicode command inputs while maintaining ASCII-only responses for streamlined communication.

A standout feature of this variant is the addition of the “exec_this_comm” command, enabling arbitrary shell command execution on compromised hosts.

According to Recorded Future's report, this capability provides TAG-140 operators with unprecedented flexibility for real-time, interactive post-exploitation tasks, ranging from system reconnaissance (gathering details such as usernames, OS versions, and working directories) to file transfers for payload staging or data exfiltration.

Advanced C2 Protocol

Furthermore, DRAT V2 enhances its C2 obfuscation by encoding IP addresses with Base64 and prepending unique strings, a tactic designed to thwart straightforward decoding by analysts.

[Figure: DRAT V2 summary]

Unlike the original DRAT, which relied heavily on string obfuscation, DRAT V2 prioritizes parsing reliability by keeping most command headers in plaintext, reflecting a strategic balance between stealth and operational efficiency.

The malware’s infection chain, initiated through a ClickFix-style social engineering lure spoofing the Indian Ministry of Defence, leverages the BroaderAspect .NET loader to establish persistence via registry run keys (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and execute the final Delphi-based payload.

Despite its advancements, DRAT V2 lacks sophisticated anti-analysis techniques, relying on basic infection and persistence methods, which makes it detectable through static and behavioral analysis when monitored for specific indicators like uncommon TCP ports (e.g., 3232, 6372, 7771) or encoded traffic patterns.
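The two detection angles above (Base64-encoded C2 addresses hidden behind a prepended string, and connections to the uncommon ports 3232, 6372 and 7771) can be turned into a small triage helper. The following is an added example written for this article, not code from Recorded Future or from the malware; the sample string, its "xQz9" prefix and the TEST-NET-3 address 203.0.113.10 are constructed, and the sliding-offset decoding is an assumption about how an analyst would defeat an unknown prefix.

```python
import base64
import binascii
import re

# Ports the article associates with DRAT V2 C2 traffic.
DRAT_V2_PORTS = {3232, 6372, 7771}

# Shape of a decoded C2 string: dotted-quad IPv4 followed by ":port".
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def _try_b64(chunk: str):
    """Strictly decode one Base64 candidate; return ASCII text or None."""
    if len(chunk) < 8:
        return None
    chunk += "=" * (-len(chunk) % 4)  # tolerate unpadded encodings
    try:
        return base64.b64decode(chunk, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def recover_c2(blob: str):
    """Defeat an unknown prepended string by sliding the start offset until
    the remainder decodes to an ip:port value. Returns (ip, port) or None."""
    for start in range(len(blob)):
        text = _try_b64(blob[start:])
        if text is None:
            continue
        m = IP_PORT_RE.match(text)
        if m and int(m.group(2)) <= 65535:
            return m.group(1), int(m.group(2))
    return None


def scan_strings(strings):
    """Return [(original, ip, port, on_known_drat_port)] for every string
    in a dump (e.g. 'strings' output) that hides an encoded C2 address."""
    hits = []
    for s in strings:
        found = recover_c2(s.strip())
        if found:
            ip, port = found
            hits.append((s, ip, port, port in DRAT_V2_PORTS))
    return hits


# Constructed sample dump: placeholder prefix + Base64("203.0.113.10:7771").
SAMPLE_STRINGS = [
    "xQz9MjAzLjAuMTEzLjEwOjc3NzE=",
    "kernel32.dll",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

if __name__ == "__main__":
    for s, ip, port, known in scan_strings(SAMPLE_STRINGS):
        print(f"{s} -> {ip}:{port} known_drat_port={known}")
```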

As TAG-140 continues to diversify its RAT portfolio, including tools like CurlBack, SparkRAT, and AllaKore, DRAT V2 represents a modular addition rather than a complete overhaul, suggesting the group will likely rotate malware variants to evade detection.

Security teams are advised to focus on monitoring spearphishing infrastructure, loader reuse, and behavioral indicators rather than specific malware signatures to maintain visibility into TAG-140’s evolving tactics.

Indicators of Compromise (IOCs)

