Cybercriminals continuously develop new techniques to bypass security mechanisms, and they have also combined private and underground projects to update their cyber arsenal. Horus Eyes RAT (HE-RAT) is one of the latest tools used together with the recent ‘warsaw’ banking trojan, which circumvents security appliances, AV and EDRs during its execution.
In this article, we will learn how ‘warsaw’ works, how Horus Eyes RAT has been used by criminals in their operations, and provide general measures to protect against threats of this type.
Warsaw loader as a vehicle to deploy HE-RAT
Horus Eyes RAT has been used in relatively high-profile activities involving a new banking trojan called warsaw as a vehicle to deploy the RAT on the victims’ machines at runtime. As detailed by Segurança-Informática, “Warsaw trojan banker tries to trick victims into proceeding with the infection chain using an overlay window from a popular bank.”
Figure 1 below shows the first stage, the warsaw trojan, launched as the vehicle to install a modified version of HE-RAT on the victims’ machines. Since the RAT’s source code is now available on GitHub, criminals are free to modify it.
Figure 1: Malicious campaign using HE-RAT to fully compromise the victims’ machines (source).