In its latest threat intelligence report, CYFIRMA has detailed the discovery of EdskManager RAT, a sophisticated remote access trojan (RAT) that employs stealthy communication, multi-stage execution, and advanced persistence techniques. This malware is engineered to provide long-term, covert access to infected systems, making it a serious concern for organizations and individuals alike.
"EdskManager RAT is a stealthy and adaptable remote access trojan, leveraging multiple stages of execution and encrypted payload delivery," CYFIRMA reports. "Its use of HVNC, advanced persistence techniques, and anti-analysis measures indicates a strong focus on long-term, covert access to infected systems."
The infection begins with a seemingly legitimate file, WindowsFormsApp.exe, signed with a valid (but now revoked) digital certificate. This downloader masquerades as a document viewer and initiates contact with an Amazon S3 bucket to fetch a malicious payload, which includes a valid executable, multiple DLLs, and an encrypted configuration file with a .edskv extension.
Once deployed, the executable VideoManagerEntry.exe, also signed, is used to load commonbase.dll, the main malicious payload. The .edskv file is decrypted entirely in memory, revealing another Delphi-based DLL that controls the malware's communication and behavior.
One of EdskManager's most dangerous features is its use of Hidden Virtual Network Computing (HVNC). This technique allows attackers to interact with the infected system without any visible signs on the user's screen. The malware creates concealed windows that serve as listeners or even UI components like chat boxes that flash briefly before disappearing.
"The primary indicator of HVNC usage is the presence of a hidden window operating invisibly on the victim's system, featuring a text box and a send button," the researchers explain. "This allows an attacker to remotely control the infected machine without any visible signs of activity."
Communication with the malware's command-and-control (C2) infrastructure is both stealthy and adaptable. Using the socket API and zlib-compressed messages, EdskManager contacts servers such as u[.]arpuu[.]com:3158 and attempts connections to fallback domains like kimhate[.]com:1516.
"EdskManager RAT uses the socket API to establish communication... the initial communication message, '1|manager,' is compressed using zlib and sent to the C2 server," CYFIRMA notes.
These communications transmit host details (including OS version, CPU info, and installed antivirus) and await further instructions in a persistent loop, often enabled through hidden windows and background listeners.
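The beacon format described above gives defenders something concrete to look for on the wire: a zlib-compressed payload that inflates to `1|manager`, sent to the hosts and ports the report names. The following is an added example written for this article, not code from CYFIRMA's report or from the malware; the connection records are constructed sample data, the `decode_beacon`/`triage_connections` helpers are this example's own, and the beacon is assumed to be a bare zlib stream with no framing beyond what the report states.

```python
import re
import zlib

# C2 endpoints named in the report (defanged brackets removed for matching).
KNOWN_C2 = {("u.arpuu.com", 3158), ("kimhate.com", 1516)}

# The report says the first message is "1|manager", zlib-compressed. Match the
# leading numeric field loosely so a changed counter still triggers the rule.
BEACON_RE = re.compile(r"^\d+\|manager$")

# Constructed sample of a captured first message, built the way the report
# describes (zlib over the plaintext beacon). Not a real capture.
SAMPLE_BEACON = zlib.compress(b"1|manager")


def decode_beacon(payload: bytes):
    """Inflate a captured TCP payload; return the text, or None if it is not zlib."""
    # zlib streams start with 0x78; checking it avoids pointless inflate attempts
    # on ordinary traffic, which would otherwise raise zlib.error.
    if len(payload) < 2 or payload[0] != 0x78:
        return None
    try:
        return zlib.decompress(payload).decode("utf-8", errors="replace")
    except zlib.error:
        return None


def is_edskmanager_beacon(payload: bytes) -> bool:
    """True when the payload inflates to the '<n>|manager' check-in string."""
    text = decode_beacon(payload)
    return text is not None and BEACON_RE.fullmatch(text) is not None


def triage_connections(records):
    """Flag (host, port, payload) records that match the report's indicators.

    Returns a list of (host, port, reasons) so that either a known C2 endpoint
    or the beacon content alone is enough to raise an alert.
    """
    hits = []
    for host, port, payload in records:
        reasons = []
        if (host, port) in KNOWN_C2:
            reasons.append("known C2 endpoint from the report")
        if is_edskmanager_beacon(payload):
            reasons.append("zlib-compressed '1|manager' beacon")
        if reasons:
            hits.append((host, port, reasons))
    return hits


# Constructed sample connection records: one primary C2, one fallback on a
# new IP the rule has never seen, and ordinary HTTP noise.
SAMPLE_RECORDS = [
    ("u.arpuu.com", 3158, SAMPLE_BEACON),
    ("198.51.100.7", 4444, zlib.compress(b"2|manager")),
    ("example.com", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for host, port, reasons in triage_connections(SAMPLE_RECORDS):
        print(f"{host}:{port} -> {', '.join(reasons)}")
```

The second constructed record shows why the content rule matters: the report says the malware can rotate C2 addresses, so a beacon going to an unlisted host is still caught by its decompressed content rather than by the endpoint list.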
EdskManager RAT employs multiple persistence techniques, from autorun registry keys to scheduled tasks and specially crafted .lnk files placed in public folders. It even manipulates Session Manager registry values to ensure launch after reboot.
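Each of the persistence mechanisms listed above leaves an artifact an endpoint telemetry feed can surface. As an added example (not from the report or its authors), the rules below run over constructed Sysmon-style events and flag the four patterns the article describes. The event schema, the exact Run and Session Manager key paths, and the `C:\Users\Public` location are this example's assumptions about where such artifacts would appear, not details taken from the report.

```python
import re

# Constructed Sysmon-style events, simplified to the fields the rules need.
# None of these are real telemetry from an EdskManager infection.
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VideoManager",
     "image": r"C:\Users\alice\AppData\Roaming\VideoManagerEntry.exe"},
    {"type": "RegistryValueSet",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute",
     "image": r"C:\Users\alice\AppData\Roaming\VideoManagerEntry.exe"},
    {"type": "FileCreate",
     "target": r"C:\Users\Public\Desktop\Document Viewer.lnk",
     "image": r"C:\Users\alice\AppData\Roaming\VideoManagerEntry.exe"},
    {"type": "ProcessCreate",
     "target": r"C:\Windows\System32\schtasks.exe",
     "image": r"C:\Users\alice\AppData\Roaming\VideoManagerEntry.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "VideoManager" /tr "C:\\Users\\alice\\AppData\\Roaming\\VideoManagerEntry.exe"'},
    {"type": "FileCreate",
     "target": r"C:\Users\alice\Documents\notes.txt",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Each rule: a name, the event type it applies to, and a predicate on the event.
RULES = [
    ("autorun registry key",
     "RegistryValueSet",
     lambda e: re.search(r"\\CurrentVersion\\Run(Once)?\\", e["target"], re.I) is not None),
    ("Session Manager boot-time value",
     "RegistryValueSet",
     lambda e: re.search(r"\\Control\\Session Manager\\", e["target"], re.I) is not None),
    (".lnk dropped in a public folder",
     "FileCreate",
     lambda e: e["target"].lower().startswith(r"c:\users\public") and e["target"].lower().endswith(".lnk")),
    ("scheduled task created",
     "ProcessCreate",
     lambda e: "schtasks" in e["target"].lower() and "/create" in e.get("cmdline", "").lower()),
]

# Paths a persistence source normally should not live in (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(AppData|Public|Temp)\\", re.I)


def evaluate(events):
    """Return (rule name, image, target) for every event matching a rule."""
    findings = []
    for event in events:
        for name, etype, predicate in RULES:
            if event["type"] == etype and predicate(event):
                findings.append((name, event["image"], event["target"]))
    return findings


def group_by_image(findings):
    """Group findings by the process that created them.

    One binary establishing several persistence mechanisms at once, from a
    user-writable directory, is a much stronger signal than any single hit.
    """
    by_image = {}
    for name, image, target in findings:
        by_image.setdefault(image, []).append(name)
    return {
        image: {"rules": rules, "user_writable": bool(USER_WRITABLE.search(image))}
        for image, rules in by_image.items()
    }


if __name__ == "__main__":
    for image, info in group_by_image(evaluate(SAMPLE_EVENTS)).items():
        print(image, info)
```

Correlating by originating process is the point of `group_by_image`: a single autorun entry is routine, but one user-writable executable hitting all four rules in a short window is the layered persistence the report describes.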
The malware also performs deep reconnaissance, including the enumeration of browser extensions in Chrome, Edge, and Brave. This enables it to profile the system, look for password managers or crypto wallets, and potentially prepare for data exfiltration or targeted exploitation.
What makes EdskManager particularly resilient is its ability to adapt its infrastructure. By embedding dynamic fallback domains and using encrypted configurations, it can quickly shift communication methods or C2 addresses if compromised.
"The malware can adapt its C2 infrastructure when needed to maintain persistence and evade detection," the report states. "Its use of encrypted configuration files... maintains a covert and flexible architecture."
EdskManager demonstrates capabilities such as keylogging, clipboard monitoring, process injection, and stealth system control, all under the radar.
"EdskManager RAT poses a serious threat to targeted environments, emphasizing the need for proactive detection and defensive strategies," CYFIRMA concludes.