A sophisticated new remote access trojan known as Silver RAT v1.0 has emerged in the cyberthreat landscape, demonstrating advanced anti-virus bypass capabilities and an array of destructive functionalities targeting Windows systems.
First observed in the wild during November 2023, this C#-based malware represents a concerning evolution in RAT development, offering threat actors comprehensive control over compromised systems while evading traditional security measures.
The malware originates from Syrian developers operating under the moniker “Anonymous Arabic” and has gained significant traction across underground hacking forums and social media platforms.
Silver RAT v1.0 was initially announced on October 19, 2022, through the developers’ Telegram channel before being released on various hacker forums, including TurkHackTeam and Russian underground communities.
The threat actors have established a sophisticated distribution network, creating dedicated e-commerce websites and maintaining multiple Telegram channels with over 1,000 subscribers to facilitate sales and support.
Cyfirma researchers identified that Silver RAT’s attack vectors primarily rely on social engineering tactics to deliver the malicious payload, which ranges from 40 to 50 KB depending on the selected features.
Upon execution, the malware requests administrative permissions and briefly displays a command prompt window before establishing a reverse connection to the attacker’s command and control infrastructure.
The RAT can utilize either IP addresses with specified ports or web-based HTML links for communication, providing flexibility in deployment scenarios.
The malware’s impact extends far beyond traditional remote access capabilities, incorporating destructive features such as data encryption through ransomware functionality, keylogging, browser cookie theft, and the ability to completely erase system restore points.
These capabilities enable attackers to conduct comprehensive data exfiltration while potentially rendering target systems unrecoverable through conventional restoration methods.
The developers have announced plans for a new version capable of generating both Windows and Android payloads, significantly expanding the potential threat surface.
Silver RAT v1.0 employs sophisticated anti-analysis techniques designed to frustrate security researchers and evade detection by both automated and manual analysis tools.
The malware implements multiple boolean protection flags that actively monitor for debugging and analysis activities, as demonstrated in the following code structure:
public static bool RuntimeProcessCheckerProtection = true;
public static bool RuntimeAntiDebugProtection = true;
public static bool KillDebuggerProtection = true;
public static bool KillMaliciousProcess = true;
public static bool DetectDllInjection;
public static bool RunSingleThread;
These protection mechanisms work in conjunction with an extensive blacklist called ‘BadPList’ containing 95 different process names associated with malware analysis tools.
The list includes popular debugging utilities such as “dnspy,” “x64dbg,” “ollydbg,” “ida,” “wireshark,” and “fiddler,” among others.
When any of these processes are detected running on the target system, the anti-analysis code immediately terminates the malware’s execution to prevent investigation.
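From the defender’s side, a hard-coded analysis-tool blacklist like ‘BadPList’ shows up as a dense cluster of debugger, sniffer and proxy process names in a sample’s extracted strings. The following triage helper scores that cluster. It is an added example, not code from the Cyfirma report or from Silver RAT itself; the tool-name set is an assumption (the article names only six of the 95 entries), the threshold is a tuning choice, and the sample strings are constructed.

```python
"""Added example: score a sample's extracted strings for an embedded
analysis-tool blacklist. Not code from the Cyfirma report or the malware;
the tool-name set, threshold and sample strings are assumptions."""
import re

# Analysis-tool process names: the six the article cites, padded with other
# widely known tools (assumption; not the malware's actual 95-entry list).
ANALYSIS_TOOL_NAMES = frozenset({
    "dnspy", "x64dbg", "ollydbg", "ida", "wireshark", "fiddler",
    "x32dbg", "ida64", "windbg", "procmon", "procexp", "processhacker",
    "de4dot", "ilspy", "httpdebugger", "pestudio",
})

# Names that also occur in benign software; count them at half weight.
WEAK_NAMES = frozenset({"ida"})

_TOKEN = re.compile(r"[a-z0-9_]+")


def extract_tool_names(strings):
    """Return the set of analysis-tool names found as whole tokens.

    Tokenising on non-alphanumerics means 'dnSpy.exe' yields 'dnspy'
    while 'Florida' does not yield 'ida'.
    """
    found = set()
    for s in strings:
        for tok in _TOKEN.findall(s.lower()):
            if tok in ANALYSIS_TOOL_NAMES:
                found.add(tok)
    return found


def assess_anti_analysis(strings, threshold=4.0):
    """Score a sample's strings for an embedded analysis-tool blacklist.

    Strong matches count 1.0, weak ones 0.5; `threshold` is a tuning
    assumption chosen so that one or two incidental names do not alert.
    """
    matched = extract_tool_names(strings)
    score = sum(0.5 if name in WEAK_NAMES else 1.0 for name in matched)
    return {
        "matched": sorted(matched),
        "score": score,
        "suspicious": score >= threshold,
    }


# Constructed strings resembling what a strings dump of a .NET RAT with an
# embedded process blacklist might contain (illustrative, not real output).
SUSPECT_STRINGS = [
    "RuntimeAntiDebugProtection", "KillDebuggerProtection", "BadPList",
    "dnSpy.exe", "x64dbg", "OLLYDBG", "ida64", "wireshark", "Fiddler",
    "System.Diagnostics.Process", "GetProcessesByName",
]

# Constructed strings from an ordinary application for comparison.
BENIGN_STRINGS = [
    "Florida", "Settings.config", "System.Windows.Forms", "UpdateCheck",
    "ida", "Wireshark Foundation",
]

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        print(label, assess_anti_analysis(data))
```

The point of scoring distinct whole-token matches rather than substrings is precision: a single legitimate reference to a tool vendor scores low, whereas a blacklist of the kind described above lights up several names at once.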
The malware further enhances its stealth capabilities through Windows Defender exclusion functions that prevent detection after initial execution, hidden process installation that conceals operations within the task manager, and FUD (Fully Undetectable) crypters for antivirus bypass.
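A Windows Defender exclusion added after execution leaves two traces a SOC can alert on: the command that adds it (the Add-MpPreference cmdlet, or a direct write under the Exclusions registry key) and Defender’s own Event ID 5007 (“configuration has changed”) in the Microsoft-Windows-Windows Defender/Operational log. The following helper scans event records for either trace. It is an added example, not code from the Cyfirma report or from Silver RAT; the record shape, the severity labels and the sample events are constructed, while the cmdlet parameter names, the registry path and the event ID are real.

```python
"""Added example: flag Defender exclusion or real-time-protection tampering
in a list of event records. Not code from the Cyfirma report or the malware;
the record shape and sample events are constructed."""
import re

# Parameters of Add-MpPreference / Set-MpPreference that weaken detection.
# The parameter names are real; the rule labels are our own.
TAMPER_PARAMS = {
    "-ExclusionPath": "exclusion_added",
    "-ExclusionProcess": "exclusion_added",
    "-ExclusionExtension": "exclusion_added",
    "-DisableRealtimeMonitoring": "realtime_disabled",
}

# Registry subtree Defender stores exclusions in; Event 5007 reports the
# changed value under this path.
EXCLUSIONS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"

_PREF_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)


def classify_event(event):
    """Return (rule, detail) if `event` shows Defender tampering, else None.

    `event` is a dict with 'source' ('process' or 'defender'), 'message'
    and, for Defender log records, 'event_id' (constructed schema).
    """
    msg = event.get("message", "")
    if event.get("source") == "process" and _PREF_CMDLET.search(msg):
        for param, rule in TAMPER_PARAMS.items():
            if re.search(re.escape(param) + r"\b", msg, re.IGNORECASE):
                return rule, msg
    if event.get("source") == "defender" and event.get("event_id") == 5007:
        if EXCLUSIONS_KEY.lower() in msg.lower():
            return "exclusion_added", msg
    return None


def detect_defender_tampering(events):
    """Run classify_event over every record and return the findings."""
    findings = []
    for ev in events:
        hit = classify_event(ev)
        if hit:
            rule, detail = hit
            findings.append({"rule": rule, "detail": detail})
    return findings


# Constructed records: one PowerShell exclusion, the matching Event 5007,
# one benign Get-MpPreference query and one unrelated 5007 config change.
SAMPLE_EVENTS = [
    {"source": "process",
     "message": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    {"source": "defender", "event_id": 5007,
     "message": r"Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\svc = 0x0"},
    {"source": "process", "message": "powershell.exe Get-MpPreference"},
    {"source": "defender", "event_id": 5007,
     "message": r"Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"},
]

if __name__ == "__main__":
    for finding in detect_defender_tampering(SAMPLE_EVENTS):
        print(finding["rule"], "::", finding["detail"])
```

Event 5007 also fires for exclusions that administrators add legitimately, so in practice the rule is paired with a baseline of approved exclusion paths, and a hit shortly after an unsigned binary first runs is what warrants escalation.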
These layered defense mechanisms demonstrate the developers’ sophisticated understanding of modern security analysis techniques and their commitment to maintaining operational security for their customers in the underground marketplace.