Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
Key Takeaways An exposed payload generator has been identified, actively creating polymorphic banking malware variants for the Banana RAT. The threat leverages an open directory on IP address...
Key Takeaways
- An exposed payload generator has been identified, actively creating polymorphic banking malware variants for the Banana RAT.
- The threat leverages an open directory on IP address 198[.]245[.]53[.]26, facilitating the distribution of obfuscation scripts and malware payloads.
- Two distinct branches of Banana RAT, an older and a newer version, are being propagated through this shared infrastructure.
- The malware exhibits polymorphic behavior, making it challenging for traditional signature-based detection methods.
- Defenders should prioritize blocking identified IoCs and monitoring for suspicious PowerShell activity and scheduled tasks.
A significant vulnerability has emerged in the cybersecurity landscape, revealing an exposed payload generator actively churning out polymorphic banking malware variants associated with the Banana RAT. This discovery points to an alarming level of operational oversight by the threat actors, as a public-facing directory on a server (198[.]245[.]53[.]26) has been left open, offering a direct view into their malicious toolkit.
Table Of Content
Unveiling the Exposed Infrastructure
The exposed server hosts a range of critical components used in the malware’s deployment, including the payload generator itself and various obfuscation scripts. This misconfiguration has inadvertently provided security researchers with an unprecedented look into the inner workings of the Banana RAT’s distribution and mutation mechanisms. The publicly accessible index at 198[.]245[.]53[.]26 serves as a staging ground, enabling the continuous generation of new malware iterations.
Analysis of the exposed infrastructure revealed the simultaneous operation of two distinct branches of the Banana RAT. An older, more established branch and a newer, evolving version are both utilizing this shared resource. Crucially, a consistent fallback IP address (149[.]56[.]12[.]51) embedded within the code of both branches serves as a critical link, unequivocally tying the newer variants back to the older, known malicious infrastructure. This persistent identifier has proven invaluable for tracking the malware’s evolution and understanding its operational continuity.
Polymorphism and Evasion Tactics
The Banana RAT variants generated by this exposed tool exhibit polymorphic characteristics. This means the malware can alter its code and appearance with each new instance, making it significantly harder for conventional signature-based antivirus solutions to detect. The obfuscation scripts found on the server are key to this evasive capability, allowing the threat actors to continuously modify the malware’s footprint.
The older branch of the malware was observed using a pseudo-Microsoft command and control (C2) domain, c.windowns-cdn.com, to blend in with legitimate network traffic. For persistence, this older variant drops an executable named MicrosoftEdgeUpdateCore.exe. In contrast, the newer branch employs a base apex domain, testewin.com, for its WebSocket C2 communications, utilizing hashed subdomains like 52facc3b24f8bad9c5c56819e385f3a1.testewin.com, which are resolved during detonation. The newer branch also leverages cdn.testewin.com as a fallback domain embedded within its runtime payload. Persistence for the newer branch is achieved through a VBS launcher script, c9dba5b0552d.vbs, written to the ProgramData directory.
Both branches employ PowerShell for their full payload delivery. The older branch’s full payload (SHA256: 443C0A821C214471D74B51093AB3D69BB9BEE54DCDA2551E4F12707) was observed under names like msedgeupdate.txt or msedge.txt. The newer branch utilizes a stage-2 stager (st.php.malw, SHA256: E9D918FF5F7918CFF1A3A23F3945058A66B56D6DDC7E1CAB95E166D) and a full PowerShell payload (payload_new.php.malw, SHA256: D828949ADE683CF3AC6D4260F946CA33EF8610350EE79EC75DD243B2), which was also seen as c9dba5b0552d879be654.txt when extracted from infected hosts.
Indicators of Compromise (IoCs)
The following indicators have been identified as crucial for detecting and mitigating the threat. Note: IP addresses and domains are intentionally defanged (e.g., [.] ) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
| Type | Indicator | Description |
|---|---|---|
| IP | 198[.]245[.]53[.]26 | Exposed staging server hosting payload generator and obfuscation scripts |
| IP | 149[.]56[.]12[.]51 | Fallback C2 IP shared across both older and newer Banana RAT branches |
| IP | 104[.]21.39.172 | Cloudflare edge IP resolved for newer branch WebSocket C2 domain |
| IP | 67[.]142[.]55 | Cloudflare edge IP resolved for newer branch WebSocket C2 domain |
| Domain | c.windowns-cdn.com | Pseudo-Microsoft C2 domain used by the older detonation branch |
| Domain | testewin.com | Base apex domain used for newer branch’s hashed WebSocket C2 subdomains |
| Domain | 52facc3b24f8bad9c5c56819e385f3a1.testewin.com | Host-derived C2 subdomain resolved during newer branch detonation |
| Domain | cdn.testewin.com | Fallback domain embedded in newer branch runtime payload |
| File | Fatura-BtgPactual-22568.bat | Older detonation entry sample (SHA256: BC4C29BC0C84EA18311FBADC508F6F3A9D84B54AAB34D6B42F56C0C) |
| File | msedgeupdate.txt / msedge.txt | Older branch full payload (SHA256: 443C0A821C214471D74B51093AB3D69BB9BEE54DCDA2551E4F12707) |
| File | st.php.malw | Stage-2 stager, newer branch (SHA256: E9D918FF5F7918CFF1A3A23F3945058A66B56D6DDC7E1CAB95E166D) |
| File | payload_new.php.malw | Full PowerShell payload, newer branch (SHA256: D828949ADE683CF3AC6D4260F946CA33EF8610350EE79EC75DD243B2) |
| File | c9dba5b0552d879be654.txt | Runtime payload extracted from infected host, matches payload_new.php.malw hash |
| File | c9dba5b0552d.vbs | VBS launcher script written to ProgramData for newer branch persistence |
| File | MicrosoftEdgeUpdateCore.exe | Named executable used for persistence in the older detonation branch |
What You Should Do
- Block Known IoCs: Immediately implement blocks for all identified IP addresses and domains listed as Indicators of Compromise in your firewalls, intrusion prevention systems (IPS), and web proxies.
- Monitor Network Traffic: Scrutinize network traffic for connections to the listed C2 domains and IP addresses. Pay close attention to any outbound connections that match these indicators.
- Enhance Endpoint Detection: Ensure your Endpoint Detection and Response (EDR) solutions are configured to detect and alert on suspicious PowerShell activity, especially hidden or obfuscated commands.
- Review Scheduled Tasks: Regularly audit scheduled tasks on endpoints for any newly created or modified entries with unusual names or commands that could indicate persistence mechanisms.
- Implement
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.