In this technical brief, Citizen Lab Senior Security Analyst Seth Hardy presents a detailed analysis of a Remote Access Trojan (RAT) that targeted organizations taking part in our study on targeted cyber threats against human rights groups. We refer to the malware as IEXPL0RE RAT, after the name of its launcher program. It was first called “Sharky RAT” in Seth Hardy’s talk at SecTor 2011. Since then it has also been referred to as c0d0so0 and possibly Backdoor.Briba.
The IEXPL0RE RAT gives a remote attacker the ability to record user keystrokes (including passwords), copy and delete files, download and run new programs, and even use the computer’s microphone and camera to monitor the user in real time.
This brief includes details on detection and mitigation, removal, a list of all commands present in the malware, and a description of what data is received or sent over the network for each command.
Download the full brief here [pdf].