Atroposia Malware Now Scans for Local Vulnerabilities

Summary
– Atroposia is a malware-as-a-service platform offering a remote access trojan with capabilities for persistent access, evasion, data theft, and local vulnerability scanning for a $200 monthly subscription.
– The malware includes a hidden remote desktop module that operates covertly in the background, allowing attackers to interact with a user’s session undetected by standard monitoring tools.
– It features a file manager and grabber component that can browse, copy, delete, execute files, and exfiltrate data using in-memory techniques to minimize traces.
– Atroposia contains a stealer module targeting saved logins, crypto wallets, and chat files, plus a clipboard manager that captures real-time copied data like passwords and wallet addresses.
– The malware can perform DNS hijacking to redirect victims to rogue servers and includes a built-in vulnerability scanner to identify missing patches and insecure settings for further exploitation.
A newly identified malware-as-a-service platform called Atroposia is now arming cybercriminals with a powerful remote access trojan that integrates persistent access, stealth mechanisms, data theft, and a local vulnerability scanner. For a monthly fee of $200, subscribers gain access to a suite of advanced features, including hidden remote desktop control, file system manipulation, data exfiltration, clipboard monitoring, credential harvesting, cryptocurrency wallet theft, and DNS hijacking capabilities. Security experts from Varonis uncovered the toolkit, highlighting its role as a user-friendly, affordable “plug and play” solution for malicious actors.
Atroposia operates as a modular RAT, communicating with its command-and-control servers through encrypted connections. It can bypass Windows User Account Control protections to elevate its privileges on compromised systems. The malware is designed to maintain persistent and stealthy access to infected hosts, making detection difficult for conventional monitoring tools.
Key functionalities of the Atroposia RAT include an HRDP Connect module that launches a hidden remote desktop session in the background. This allows attackers to open applications, review documents and emails, and interact with the user’s session without any visible signs of intrusion. An Explorer-style file manager enables remote browsing, copying, deletion, and execution of files. A grabber component searches for specific files by extension or keyword, compresses them into password-protected ZIP archives, and exfiltrates the data using in-memory methods to avoid leaving traces.
A dedicated stealer module targets saved login credentials, cryptocurrency wallets, and chat application files. In parallel, a clipboard manager captures everything a user copies in real time, such as passwords, API keys, and wallet addresses, and gives the attacker a complete history of it. A host-level DNS hijacking module reroutes domain requests to attacker-controlled IP addresses, silently directing victims to malicious servers. This enables phishing attacks, man-in-the-middle interception, fake software updates, ad or malware injection, and DNS-based data exfiltration.
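Host-level DNS hijacking of the kind described above usually leaves a footprint on the endpoint itself: a hosts-file entry that pins a legitimate domain to a routable address, or an interface whose configured DNS server is not one the organisation operates. The following Python script is an added detection example, not code from the article or from the malware; the hosts-file content, domain names and addresses are constructed for illustration, and the allowlist and expected-resolver lists are assumptions a defender would replace with their own inventory.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of a Windows hosts file. The 192.0.2.44 line is the kind
# of entry a host-level DNS hijack would add; the others are normal.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1   localhost
::1         localhost
192.0.2.44  login.example-bank.com update.example-vendor.com   # suspicious
10.0.0.5    intranet.corp.example
0.0.0.0     ads.example-tracker.net
"""

# Hypothetical known-good entries a defender would maintain (name, address).
KNOWN_GOOD_PINS: Set[Tuple[str, str]] = {("intranet.corp.example", "10.0.0.5")}

# Hypothetical list of resolvers the organisation actually operates.
EXPECTED_DNS_SERVERS = ["10.0.0.2", "10.0.0.3"]


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname in hosts-file text to the addresses it is pinned to.

    Comments (everything after '#') and blank lines are ignored; a single line
    may list several names for one address, as the hosts format allows.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def is_benign_target(ip: str) -> bool:
    """Loopback and the 0.0.0.0 sinkhole are normal (localhost, ad blocking)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(
    text: str, allowlist: Set[Tuple[str, str]]
) -> List[Tuple[str, str, str]]:
    """Return (name, address, reason) for entries that pin a name to a routable address.

    Anything not loopback/unspecified and not on the allowlist is reported;
    an unparseable address is reported too, since it should never be there.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, ips in parse_hosts(text).items():
        for ip in ips:
            try:
                if is_benign_target(ip):
                    continue
            except ValueError:
                findings.append((name, ip, "unparseable address"))
                continue
            if (name, ip) in allowlist:
                continue
            findings.append((name, ip, "name pinned to non-loopback address"))
    return findings


def unexpected_dns_servers(configured: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Resolvers configured on an interface that are not in the expected set."""
    return sorted(set(configured) - set(expected))


if __name__ == "__main__":
    # On a real Windows host the file is C:\Windows\System32\drivers\etc\hosts;
    # the sample is used here so the script runs offline.
    for name, ip, reason in find_hijacked_entries(SAMPLE_HOSTS, KNOWN_GOOD_PINS):
        print(f"HOSTS  {name:<32} -> {ip:<16} {reason}")
    # Resolver list constructed for the example; on a live host it would come
    # from the interface configuration (e.g. Get-DnsClientServerAddress).
    for ip in unexpected_dns_servers(["192.0.2.53", "10.0.0.2"], EXPECTED_DNS_SERVERS):
        print(f"DNS    unexpected resolver {ip}")
```

Run against the sample, the script reports the two names pinned to 192.0.2.44 and the one resolver outside the expected set; the intranet pin and the ad sinkhole are not flagged. Run periodically (or on hosts-file modification events) and compared against a baseline, this catches the host-level redirection technique regardless of which domains a particular campaign chooses to hijack.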
The built-in local vulnerability scanner represents a significant escalation in capability, auditing systems for missing patches, unsafe configurations, and outdated software. It returns a risk score to help attackers prioritize which exploits to deploy. Researchers emphasize that this feature is particularly dangerous in corporate settings, where the malware could identify an outdated VPN client or an unpatched privilege escalation vulnerability, providing a pathway for deeper network penetration. The scanner may also be used to locate and target nearby vulnerable systems.
The arrival of Atroposia provides cybercriminals with another accessible MaaS option, reducing the technical expertise required to launch effective attacks. To defend against such threats, users should obtain software exclusively from official and reputable sources, avoid pirated software and torrents, disregard promoted search results, and refrain from executing unfamiliar commands discovered online.
(Source: Bleeping Computer)