RATicate
RATicate is the name researchers gave to an otherwise unidentified threat group, based on multiple related malspam campaigns observed between November 2019 and January 2020. The group delivered NSIS installers that ultimately deployed RAT and infostealer payloads. Researchers identified five distinct campaign waves sharing similar packing code, a consistent multi-stage loader architecture, and overlapping command-and-control infrastructure, and assessed them as the work of the same actors. Observed payload families included Lokibot, Betabot, Formbook, AgentTesla, Netwire, Bladabindi, Blackrat, and Remcos.

The campaigns targeted industrial companies and critical-infrastructure-related organizations in Europe, the Middle East, and the Republic of Korea; identified targets included organizations in Romania, Kuwait, South Korea, the UK, Switzerland, and Japan. Some victim overlap was noted across campaigns.

RATicate's NSIS installers abused the NSIS System.dll plugin to load an initial malicious DLL, decrypt embedded shellcode and additional loader stages from an encrypted data file, and ultimately inject the final payload into a child process, often cmd.exe, using NtCreateSection and NtMapViewOfSection. The installers also dropped numerous unused junk files to create analysis noise. Researchers identified 38 NSIS installer samples with highly similar characteristics, including identical junk files and a consistent loader architecture, and the shellcode used for final payload decryption and injection was reported as binary-identical across the analyzed samples.

Observed lures included banking-themed emails; later activity believed to be related to the same actor used COVID-19-themed lures. The report also notes a later shift toward other loaders and packers, including Visual Basic loaders and Guloader, while some of the same payload families and C2 patterns were retained. Known alias: RATicate.
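As an added defender-side illustration (not code from the original reporting or from Mallory), the Python heuristic below scores an unpacked NSIS installer for the structural traits described above: the System.dll plugin, a sibling loader DLL, a high-entropy non-PE data file (the encrypted shellcode container), and a large number of junk files. The file layout, thresholds, and the in-memory samples are constructed assumptions, and System.dll on its own is a common, legitimate NSIS component, so only the full combination is flagged.

```python
import math
from collections import Counter

# Heuristic triage of an unpacked NSIS installer, modelled on the loader chain
# described above: System.dll plugin + sibling loader DLL + encrypted (high-entropy,
# non-PE) data file + many junk files. Thresholds are assumptions, not published values.
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or random data sits near 8.0
MIN_BLOB_SIZE = 1024      # ignore tiny files when hunting for the encrypted stage
JUNK_THRESHOLD = 5        # "numerous" junk files; tune against your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_nsis_extract(files: dict) -> dict:
    """files maps extracted relative path (e.g. '$PLUGINSDIR/System.dll') -> content."""
    has_system_plugin, loader_dlls, blobs, junk = False, [], [], []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1].lower()
        is_pe = data[:2] == b"MZ"
        if name == "system.dll":
            has_system_plugin = True
        elif is_pe and name.endswith(".dll"):
            loader_dlls.append(path)   # candidate first-stage DLL loaded via System.dll
        elif not is_pe and len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            blobs.append(path)         # candidate encrypted shellcode/loader container
        else:
            junk.append(path)          # everything else: probable analysis noise
    # System.dll alone is common in benign installers; only the full combination is flagged.
    suspicious = has_system_plugin and bool(loader_dlls) and bool(blobs) and len(junk) >= JUNK_THRESHOLD
    return {"has_system_plugin": has_system_plugin, "loader_dlls": loader_dlls,
            "encrypted_blobs": blobs, "junk_count": len(junk), "suspicious": suspicious}


# Constructed in-memory samples mimicking the described layout (not real artefacts).
HIGH_ENTROPY = bytes(range(256)) * 16   # every byte value equally frequent: exactly 8.0 bits/byte
SAMPLE_SUSPICIOUS = {
    "$PLUGINSDIR/System.dll": b"MZ" + b"\x90" * 200,
    "$PLUGINSDIR/loader.dll": b"MZ" + b"\x90" * 200,
    "data.bin": HIGH_ENTROPY,
    **{f"junk{i}.txt": b"filler text " * 20 for i in range(8)},
}
SAMPLE_BENIGN = {"$PLUGINSDIR/System.dll": b"MZ" + b"\x90" * 200, "setup.ini": b"[Settings]\nLang=en\n"}

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_nsis_extract(sample))
```

In practice the `files` mapping would be built by walking the output directory of an NSIS extraction tool; the traits scored here are layout-level and deliberately do not depend on the payload family.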
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- industrial
- critical-infrastructure
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
Observables
50 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.