New Malware Targets Financial Institutions: The Rise of GodRAT
Overview of GodRAT
Recent security reports reveal a concerning escalation in cyber threats targeting financial entities such as trading and brokerage firms. A new remote access trojan (RAT), known as GodRAT, has emerged, showcasing sophisticated methods of intrusion.
The Attack Methodology
According to cybersecurity research conducted by Kaspersky, this new malware distribution strategy involves disguising malicious .SCR (screen saver) files as legitimate financial documents. These infected files are disseminated through Skype Messenger, where unsuspecting users are unlikely to recognize them as malicious.
The malicious activity associated with GodRAT was documented as of August 12, 2025. The attacks employ steganography, a method in which malicious shellcode is concealed within image files. This shellcode is subsequently used to download the malware from command-and-control (C2) servers. Kaspersky noted that the malicious screen saver files have been observed since September 9, 2024, particularly impacting regions such as Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan.
Technical Details of GodRAT
GodRAT is derived from the well-known Gh0st RAT, whose source code was publicly leaked in 2008. The malware employs a plugin-based design to extend its capabilities, primarily focusing on collecting sensitive information and delivering secondary payloads, such as AsyncRAT. Notably, this lineage connects GodRAT to the activities of the Chinese hacking group Winnti (also referred to as APT41).
The infected screen saver files act as self-extracting executables containing multiple embedded files. These include a legitimate executable and a malicious Dynamic Link Library (DLL) that the executable sideloads, together with the shellcode, which is often concealed in a .JPG image. Once the screen saver is executed, this chain of events facilitates the deployment of GodRAT.
Functionality of GodRAT
Once installed, GodRAT establishes a TCP connection with its C2 server. It begins collecting system details, such as information about installed antivirus software, which it then sends back to the server. This initial communication enables further instructions, including:
- Injecting a received plugin DLL into the system memory
- Terminating the RAT process
- Downloading additional files from specified URLs and executing them
- Launching specific URLs via Internet Explorer
A notable plugin associated with GodRAT is the FileManager DLL. This component can carry out various file system operations, allowing it to search for and manipulate files. Additionally, it has been linked to delivering extra payloads, including password stealers targeting popular web browsers like Google Chrome and Microsoft Edge.
Source Code and Distribution
Kaspersky researchers uncovered the complete source code for the GodRAT client and builder in July 2024. This code was uploaded to the VirusTotal malware scanning service. The builder tool enables cybercriminals to create either executable files or DLLs.
The executable option offers the operator a choice of legitimate binaries, such as svchost.exe and cmd.exe, into which the malicious code can be injected. Depending on the scenario, the final payload may be saved in formats such as .exe, .com, .bat, .scr, or .pif.
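As an added, defender-side example that is not from Kaspersky's report or the GodRAT code, the following Python performs two triage checks that follow from the attack chain described earlier and the builder output formats listed in this section: it flags received files whose document-like name ends in one of the executable extensions (.exe, .com, .bat, .scr, .pif) or whose .scr content is a PE image, and it parses a JPEG's marker structure to measure any data appended after the end-of-image marker. The document extensions in DOC_EXTS, the sample names and the constructed JPEG are assumptions; appending a payload after EOI is one common embedding technique, and the report does not state how GodRAT's shellcode is hidden in the image.

```python
import struct
from pathlib import Path

EXEC_EXTS = {".exe", ".com", ".bat", ".scr", ".pif"}   # builder outputs named in the report
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # lure document types (assumed)

def flag_disguised_executable(name: str, head: bytes) -> list[str]:
    """Triage one received file by its name and leading bytes; returns findings."""
    findings = []
    p = Path(name.lower())
    ext, inner = p.suffix, Path(p.stem).suffix   # "a.pdf.scr" -> ".scr", ".pdf"
    if ext in EXEC_EXTS and inner in DOC_EXTS:
        findings.append(f"{name}: document-like name with executable extension {ext}")
    if ext == ".scr" and head[:2] == b"MZ":
        findings.append(f"{name}: PE image delivered as a screen saver")
    return findings

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk the marker structure; return bytes after the real EOI (FF D9), or -1.
    Assumption: payload appended after EOI, one common method (report does not say)."""
    if data[:2] != b"\xff\xd8":
        return -1
    n, pos = len(data), 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1                           # a marker must start here
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte ahead of a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: the rest is trailing data
            return n - (pos + 2)
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length field
        else:
            if pos + 3 >= n:
                return -1
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:                  # SOS: skip entropy-coded data, where
                while pos + 1 < n:              # FF is only ever followed by 00 or RSTn
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
    return -1

# Constructed minimal JPEG: an APP0 payload that contains FF D9 (a naive search would stop
# there), a scan with an escaped FF and a restart marker, the real EOI, then 16 appended bytes.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04\xff\xd9" + b"\xff\xda\x00\x03\x01"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"\x90" * 16
```

Run jpeg_trailing_bytes over images unpacked from a suspicious .scr and treat any value above zero as worth a closer look.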
Implications for Cybersecurity
Kaspersky highlighted the alarming trend of reusing legacy malware code, such as Gh0st RAT, which remains in active use nearly two decades after its inception. These old codebases are often modified and repurposed to target new victims, indicating a significant persistence in cybersecurity threats.
The emergence of GodRAT serves as a reminder of the longevity of such legacy malware in the threat landscape. As cybercriminals continue to exploit aging codebases, it underscores the ongoing need for improved cybersecurity measures and awareness to protect sensitive financial data from malicious entities.
With evolving tactics and persistent threats, the responsibility to safeguard networks lies significantly with both institutions and individuals, who must remain vigilant against these advanced cyber threats.