BitRAT Disguised as Officer Installer Being Distributed

The ASEC analysis team previously uploaded a post about BitRAT that was distributed under the disguise of Windows OS license verification tool. The BitRAT is now being distributed as Office Installer with different files, preying upon potential victims.

The following image shows a post that contains the malware. It is titled, [New][Cheap]Office 2021 Installer + Permanent License Verification.

Figure 1. Post disguised as download of Windows license verification tool – 1
Figure 2. Post disguised as download of Windows license verification tool – 2

The downloaded file is a compressed file named ‘’, just like the one introduced in the previous blog post (see Figure 3 and Figure 4). As per the post description, the password of this compressed file is ‘1234’. The compressed file contains Office installer named ‘OInstall.exe’.

Figure 3. Downloaded compressed file
Figure 4. Files included in the compressed file

The pop-up the victim gets is that of the Office downloader (see Figure 5), but the actual downloader installs it in the startup folder (see Figure 6). Normally, the first file that is installed is a downloader of the same kind, and the downloader run this way ultimately installs BitRAT into the path %TEMP% as ‘Software_Reporter_Tool.exe’.

Figure 5. Office downloader pop-up the victims get
Figure 6. Actual malware (BitRAT downloader) secretly downloaded

The following lists features of BitRAT.

1. Network Communication Method
– Encrypted communication using TLS 1.2
– Communication using Tor

2. Basic Control
– Process manager
– Service manager
– File manager
– Windows manager
– Software manager

3. Information Theft
– Keylogging
– Clipboard logging
– Webcam logging
– Audio logging
– Application (e.g. Web browsers) account credential theft

4. Remote Control
– Remote desktop
– hVNC (Hidden Desktop)

5. Proxy
– SOCKS5 Proxy: port forwarding feature using UPnP
– Reverse Proxy: SOCKS4 Proxy

6. Coin Mining
– XMRig CoinMiner

7. etc.
– DDoS attack
– UAC Bypass
– Windows Defender deactivation

As shown in the examples above, the malware is being distributed actively via file-sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from a file-sharing website. It is recommended for the users to download products from the official websites of developers.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Downloader/Win.BitRAT.C5018635 (2022.03.22.03)
– Downloader/Win.BitRAT.R479001 (2022.03.22.03)
– Backdoor/Win.BitRAT.C5023733 (2022.03.22.03)

[Behavior Detection]
– Malware/MDP.Download.M1197

Downloader malware MD5



Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
Inline Feedbacks
View all comments