SpankRAT Malware Exploits Windows Explorer for Stealthy Attacks
Key Takeaways
- A novel Remote Access Trojan, SpankRAT, is actively exploiting Windows Explorer to establish covert processes.
- The malware employs sophisticated evasion techniques, making traditional detection methods less effective.
- SpankRAT achieves persistence through scheduled tasks with elevated privileges and targets explorer.exe for DLL injection.
- Organizations should implement advanced behavioral detection rules and dynamic sandbox analysis to counter this threat.
SpankRAT Malware Leverages Windows Explorer for Covert Operations
A sophisticated new threat, dubbed SpankRAT, has emerged, actively exploiting the core Windows Explorer process to establish highly stealthy operations within compromised systems. This advanced Remote Access Trojan (RAT) is designed to evade conventional security measures, significantly prolonging its undetected presence and potential for damage within an environment. Its reliance on a fundamental system component like explorer.exe makes its activities particularly challenging to identify through standard monitoring. Cybersecurity teams are urged to proactively hunt for specific indicators of compromise (IoCs) across their networks to identify and mitigate this evasive threat.
Technical Profile and Indicators of Compromise
SpankRAT employs several key tactics for initial compromise, persistence, and command-and-control (C2) communication. Its operational footprint includes distinct C2 server addresses and specific file names associated with its various stages.
- C2 Infrastructure: The malware communicates with C2 servers located at 45.131.214[.]132:9000, which serves as both an HTTP staging server and a WebSocket C2 endpoint. An alternative WebSocket C2 variant has been observed at 166.1.144[.]109:9000.
- Agent Hash: A critical identifier for the malware agent is the SHA256 hash f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95.
- Malicious Components: Key files associated with SpankRAT include RmmAgentCore.exe (the loader), rmm_agent.dll (the primary payload), and arc_agent.exe (a standalone variant).
- Deployment Path: The malware typically drops its files into the C:\ProgramData directory.
- Persistence Mechanism: SpankRAT establishes persistence by creating a Scheduled Task named RmmAgentCore, configured to trigger at logon with the highest possible privileges.
- Injection Target: A hallmark of its stealth is the injection of its malicious DLL into explorer.exe.
- Development Environment: Analysis indicates the malware was built using Rust (Cargo), supporting both Windows MSVC and Linux cross-compilation. Development paths observed include C:\Users\spank\.cargo and /root/.cargo.
Mitigation Recommendations
Organizations cannot rely solely on traditional signature-based antivirus solutions to detect SpankRAT. A more proactive and behavior-centric approach is essential. Security operations teams must prioritize the implementation of robust detection rules focusing on specific behaviors exhibited by this threat. This includes flagging dynamic link library (DLL) injections into the explorer.exe process, identifying the creation of unauthorized Scheduled Tasks with elevated privileges, and monitoring for outbound WebSocket connections originating from non-browser system processes.
Furthermore, vigilant monitoring of SIEM or EDR telemetry for HTTP GET requests matching the pattern */download/rmm_agent.dll* can help identify SpankLoader staging activities within the network. For organizations that have not yet adopted advanced threat detection capabilities, integrating dynamic sandbox analysis into their incident response and triage workflows is strongly recommended. This will significantly reduce the dwell time of sophisticated threats like SpankRAT by uncovering their malicious behaviors in a controlled environment before they can fully compromise production systems.
What You Should Do
- Implement behavioral detection rules to identify DLL injections into explorer.exe.
- Monitor for and alert on unauthorized Scheduled Task creation, especially those configured with elevated privileges and logon triggers.
- Configure network monitoring to detect outbound WebSocket connections from non-browser processes.
- Hunt for HTTP GET requests matching */download/rmm_agent.dll* in SIEM/EDR logs to identify staging activity.
- Integrate dynamic sandbox analysis into your security operations to analyze suspicious files and reduce detection dwell time.
- Ensure all endpoint detection and response (EDR) solutions are up-to-date and configured for maximum visibility and threat detection.
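As an added example (not code from the report or from HackersRadar), the detection rules described under Mitigation Recommendations and repeated in the checklist above, expressed as a small Python matcher run over constructed EDR/proxy-style events. The event field names and the browser allow-list are assumptions; the URL pattern, task name, hosts and ports are the report's own indicators, refanged so they can be compared against live telemetry.

```python
import fnmatch

# Constructed sample telemetry in a generic EDR/proxy style (field names are assumptions, not
# any vendor's schema); URL, task name, hosts and ports are the report's IoCs, refanged.
EVENTS = [
    {"type": "http", "method": "GET", "process": "RmmAgentCore.exe",
     "url": "http://45.131.214.132:9000/download/rmm_agent.dll"},
    {"type": "task_create", "task_name": "RmmAgentCore", "run_level": "HighestAvailable",
     "trigger": "logon", "process": "RmmAgentCore.exe"},
    {"type": "network", "protocol": "websocket", "process": "explorer.exe",
     "dst": "166.1.144.109", "dst_port": 9000},
    {"type": "remote_thread", "source_process": "RmmAgentCore.exe",
     "target_process": "explorer.exe"},
    # Benign noise: a browser WebSocket and an unrelated download must not fire any rule.
    {"type": "network", "protocol": "websocket", "process": "msedge.exe",
     "dst": "203.0.113.10", "dst_port": 443},
    {"type": "http", "method": "GET", "process": "msedge.exe",
     "url": "https://example.com/download/setup.msi"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}  # assumed
STAGING_PATTERN = "*/download/rmm_agent.dll*"            # hunting pattern given in the report
KNOWN_C2 = {("45.131.214.132", 9000), ("166.1.144.109", 9000)}  # C2 IoCs from the report


def detect(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "http" and event.get("method") == "GET":
        if fnmatch.fnmatchcase(event.get("url", "").lower(), STAGING_PATTERN):
            hits.append("spankrat_staging_download")
    if kind == "task_create":
        if event.get("run_level") == "HighestAvailable" and event.get("trigger") == "logon":
            hits.append("elevated_logon_scheduled_task")   # behavioural rule, any task name
        if event.get("task_name") == "RmmAgentCore":
            hits.append("spankrat_task_name")               # exact IoC from the report
    if kind == "network" and event.get("protocol") == "websocket":
        if event.get("process", "").lower() not in BROWSERS:
            hits.append("websocket_from_non_browser")
        if (event.get("dst"), event.get("dst_port")) in KNOWN_C2:
            hits.append("spankrat_known_c2")
    if kind == "remote_thread" and event.get("target_process", "").lower() == "explorer.exe":
        hits.append("injection_into_explorer")
    return hits


def scan(events) -> dict[str, int]:
    """Count rule hits across a stream of events (e.g. a SIEM export)."""
    counts: dict[str, int] = {}
    for event in events:
        for rule in detect(event):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```

The behavioural rules (elevated logon task, non-browser WebSocket, remote thread into explorer.exe) are deliberately kept separate from the IoC matches so they keep firing if the operators change infrastructure or file names.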
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.