{
	"id": "85a80977-4d7d-411c-ae6f-68595c86e4bb",
	"created_at": "2026-04-06T00:16:07.692238Z",
	"updated_at": "2026-04-10T13:12:18.470033Z",
	"deleted_at": null,
	"sha1_hash": "24bd1e9d9c67263a2a65c017545634f004dcbfc8",
	"title": "BKDR_RARSTONE: New RAT to Watch Out For - TrendLabs Security Intelligence Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48667,
	"plain_text": "BKDR_RARSTONE: New RAT to Watch Out For - TrendLabs Security Intelligence Blog\r\nBy Abraham Camba (Threat Researcher)\r\nPublished: 2013-02-27 · Archived: 2026-04-05 17:04:36 UTC\r\nLast year, we reported on PlugX, a breed of Remote Access Trojan (RAT) used in certain high-profile APT campaigns. We also noted some of its noteworthy techniques, which include its ability to hide its malicious code by decrypting and loading a backdoor executable directly into memory, without dropping the actual executable to disk.\r\nRecently, we uncovered a RAT using the same technique. The new sample, detected by Trend Micro as BKDR_RARSTONE.A, is similar to (but is not) PlugX, as it also loads a backdoor directly into memory without dropping it as a file. However, as we proceeded with our analysis, we found that BKDR_RARSTONE has some tricks of its own.\r\nWe obtained the sample through a spear phishing email that contains a specially crafted .DOC file (detected as TROJ_ARTIEF.NTZ). This Trojan drops and executes BKDR_RARSTONE.A, which in turn drops the following files:\r\n%System%\\ymsgr_tray.exe – copy of BKDR_RARSTONE.A\r\n%Application Data%\\profile.dat – blob file containing malware routines\r\nBKDR_RARSTONE.A then executes the dropped copy, ymsgr_tray.exe. This backdoor opens a hidden Internet Explorer process and injects into it the code contained in profile.dat.\r\nAs with PlugX, the injected code decrypts itself in memory. Once decrypted, it “downloads” a .DLL file from its C\u0026C server and again loads it into the memory space of the hidden Internet Explorer process. This “downloaded” file is never written to disk; it is loaded directly into memory, which makes file-based detection ineffective.\r\nTypical of a backdoor, BKDR_RARSTONE.A connects to specific sites and can perform several routines, including enumerating files and directories, downloading, executing and uploading files, and updating itself and its configuration.\r\nWorth noting among its backdoor routines is its ability to read installer properties from the Uninstall registry key entries. It does this to learn which applications are installed on the affected system and how to uninstall them. This is handy for silently uninstalling applications that may interfere with the backdoor’s routine, e.g. anti-malware software and the like.\r\nAnother interesting feature of this backdoor is its communication method, specifically SSL. Using SSL has a two-fold advantage: it ensures that communication between the C\u0026C and the infected system is encrypted, and at the same time it blends in with normal traffic.\r\nIn our 2012 Security Roundup, we noted that data breaches and other targeted attacks initiated last year used several tools (including PlugX) to achieve stealth. This stealth enabled the attackers to remain hidden and continue their operations within the target network. The appearance of RATs like BKDR_RARSTONE shows that the bad guys are continuously modifying and improving their tools.\r\nFor users and organizations to arm themselves against these attacks, they should first acknowledge that the bad guys have certain advantages. Director for Threat Research Martin Roesler believes that such acceptance enables entities to deal with the problem properly and deploy inside-out protection.\r\nTrend Micro users are protected by the Smart Protection Network™. In particular, the file reputation service detects and deletes BKDR_RARSTONE. The web reputation and email reputation services block access to the said C\u0026C and the related email respectively.\r\nTrend Micro will continue to monitor BKDR_RARSTONE’s development and investigate if there are any campaigns behind it.\r\nSource: https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/"
	],
	"report_names": [
		"bkdr_rarstone-new-rat-to-watch-out-for"
	],
	"threat_actors": [],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24bd1e9d9c67263a2a65c017545634f004dcbfc8.pdf",
		"text": "https://archive.orkl.eu/24bd1e9d9c67263a2a65c017545634f004dcbfc8.txt",
		"img": "https://archive.orkl.eu/24bd1e9d9c67263a2a65c017545634f004dcbfc8.jpg"
	}
}
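The execution chain the post describes (a crafted .DOC handled by Word drops ymsgr_tray.exe into %System% and profile.dat into %Application Data%, the copy starts a hidden Internet Explorer and injects into it, and the browser then talks to the C&C over SSL) is what a defender can key on, because the payload DLL never reaches disk and file reputation alone will miss it. The following is an added example written for this page, not Trend Micro's code or detection logic: a Python hunt over a constructed, Sysmon-like telemetry list. The record schema, the PIDs, the user name, the dropper's file name (dropper.exe), the Office path and the destination addresses are assumptions made for the demonstration.

```python
"""Behaviour-based hunt for the BKDR_RARSTONE execution chain.

Added example, not Trend Micro's code. The telemetry below is a constructed,
Sysmon-like list of records; the record schema, PIDs, user name and the
dropper's file name (dropper.exe) are assumptions made for the demonstration.
The rules key on behaviour (who spawned whom, who wrote where, who injected
into whom, who then talked out) rather than on file hashes, because the
payload DLL is only ever loaded in memory and never touches disk.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

DOCUMENT_HANDLERS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'acrord32.exe'}
BROWSERS = {'iexplore.exe', 'firefox.exe', 'chrome.exe'}
NORMAL_BROWSER_PARENTS = {'explorer.exe', 'userinit.exe'}
SYSTEM_DIR = 'c:\\windows\\system32\\'
APPDATA_MARK = '\\appdata\\'

IE = r'C:\Program Files\Internet Explorer\iexplore.exe'
WORD = r'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE'   # path assumed
DROPPER = r'C:\Users\alice\AppData\Local\Temp\dropper.exe'         # name assumed
YMSGR = r'C:\Windows\System32\ymsgr_tray.exe'

# Record kinds: process (pid created by ppid/parent), file (pid wrote target),
# inject (pid created a remote thread in tpid), network (pid connected to target).
TELEMETRY: List[Dict[str, object]] = [
    # Benign: the user starts IE from the shell and browses over TLS.
    {'kind': 'process', 'pid': 500, 'image': IE, 'ppid': 1, 'parent': r'C:\Windows\explorer.exe'},
    {'kind': 'network', 'pid': 500, 'image': IE, 'target': '198.51.100.7:443'},
    # Malicious: the crafted .DOC exploits Word, which spawns the dropper ...
    {'kind': 'process', 'pid': 200, 'image': DROPPER, 'ppid': 100, 'parent': WORD},
    # ... which stages a copy in %System% and the routine blob in %Application Data% ...
    {'kind': 'file', 'pid': 200, 'image': DROPPER, 'target': YMSGR},
    {'kind': 'file', 'pid': 200, 'image': DROPPER, 'target': r'C:\Users\alice\AppData\Roaming\profile.dat'},
    # ... runs the copy, which opens a hidden IE, injects into it, and IE calls out over SSL.
    {'kind': 'process', 'pid': 300, 'image': YMSGR, 'ppid': 200, 'parent': DROPPER},
    {'kind': 'process', 'pid': 400, 'image': IE, 'ppid': 300, 'parent': YMSGR},
    {'kind': 'inject', 'pid': 300, 'image': YMSGR, 'tpid': 400},
    {'kind': 'network', 'pid': 400, 'image': IE, 'target': '203.0.113.10:443'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def hunt(records: List[Dict[str, object]]) -> List[Tuple[str, int, object]]:
    """Return (rule, pid, detail) alerts for the two behaviours worth watching."""
    image: Dict[int, str] = {}
    parent_of: Dict[int, str] = {}
    writes: Dict[int, set] = defaultdict(set)
    injected_by: Dict[int, int] = {}
    connects: Dict[int, List[str]] = defaultdict(list)
    for r in records:
        pid = int(r['pid'])
        image.setdefault(pid, basename(str(r['image'])))
        if r['kind'] == 'process':
            parent_of[pid] = basename(str(r['parent']))
        elif r['kind'] == 'file':
            writes[pid].add(str(r['target']).lower())
        elif r['kind'] == 'inject':
            injected_by[int(r['tpid'])] = pid
        elif r['kind'] == 'network':
            connects[pid].append(str(r['target']))

    alerts: List[Tuple[str, int, object]] = []
    # Rule 1: a child of a document handler writes both into the system directory
    # and into a user's AppData. Office and PDF readers have no business doing either.
    for pid, parent in parent_of.items():
        if parent not in DOCUMENT_HANDLERS:
            continue
        sys_hits = {p for p in writes[pid] if p.startswith(SYSTEM_DIR)}
        app_hits = {p for p in writes[pid] if APPDATA_MARK in p}
        if sys_hits and app_hits:
            alerts.append(('doc_handler_dropper', pid, sorted(sys_hits | app_hits)))
    # Rule 2: a browser that was not started by the shell, received a remote thread
    # from another process, and then connected out. The TLS itself looks normal;
    # the odd parent and the injection are what give the hidden IE away.
    for pid, parent in parent_of.items():
        if image[pid] not in BROWSERS or parent in NORMAL_BROWSER_PARENTS or parent in BROWSERS:
            continue
        if pid in injected_by and connects[pid]:
            alerts.append(('injected_browser_c2', pid,
                           {'parent': parent, 'injector': injected_by[pid], 'dst': connects[pid]}))
    return alerts


if __name__ == '__main__':
    for rule, pid, detail in hunt(TELEMETRY):
        print(rule, pid, detail)
```

Running the file prints the two alerts (the dropper, pid 200, and the injected Internet Explorer, pid 400); the benign Internet Explorer session started from explorer.exe produces none, even though it also connects on port 443. The second rule deliberately requires all three signals (unusual parent, remote thread, outbound connection) so that a browser launched by a legitimate updater or installer does not fire on its own; in a real deployment the parent allow-list and the injector/target pairs are the knobs to tune.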