Cyfirma researchers observed threat actors called ‘Anonymous Arabic’ distributing a C# remote access trojan called Silver RAT. The malware supports multiple capabilities, including bypassing anti-viruses and covertly launching hidden applications, browsers, and keyloggers.
The hacker group is active on multiple hacker forums (XSS, Darkforum, TurkHackTeam, and others) and runs a Telegram channel offering a range of services including the distribution of cracked RATs, leaked databases, carding activities, and the sale of social media bots. Another malware developed by the same group is called S500 RAT.
The current version of the RAT, Silver RAT v1.0, is a Windows-based threat, but experts believe that the developers are going to launch also an Android variant. Silver RAT v1.0 also supports destructive features such as data encryption using ransomware, and functions to destroy system restore points.
“The developer of Silver RAT is, known as ‘noradlb1,’ and is active on prominent hacking forums like XSS, Darkforum, TurkHackTeam, and others, with an arguably respected reputation.” reads the analysis published by Cyfirma. “The RAT first appeared on their Telegram channel and later on Turkhackteam and 1877 forums. Silver RAT was cracked and leaked on Telegram around October, 2023, and now users on Telegram and GitHub are sharing cracked versions of Silver RAT v1.0 to users without the means to purchase RATs (however there is evidence from user conversations that this may not be as effective as other well-known RATs like xworm).”
CYFIRMA reported that the group has been using a well-known Crypto wallet and employ multiple addresses for transactions to manage different crypto currencies (Bitcoin, Ethereum and USDT (Tether)).
The Bitcoin wallet was empty at the time of the analysis, but experts recorded approximately 2,275.67 USD of transactions between December 24,2023 and December 25,2023 period.
During the investigation, the researchers discovered a Facebook account of a hacktivist group that supports the “Syrian Revolution”, with post engagement from a developer of Silver RAT.
Further evidence suggests that the developer of the Silver RAT began hacking as a teen, is likely in his mid-twenties, and resides in Damascus, Syria.
“The developer, operating under the name “Anonymous Arabic,” appears is supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware.”Cyfirma conlcudes. “It is crucial for organizations to enhance their defense mechanisms in response to this potential threat.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Swiss Air Force)