Terminator RAT became more sophisticated in recent APT attacks

Advanced Persistent Threat (APT) is a term referring to targeted attacks on enterprises and other organizations and recently referred to what appeared to be nation-state intelligence agencies using cyber assaults for both conventional espionage and industrial espionage.


Advanced threats have targeted control systems in the past and these attacks use commercially available and custom-made advanced malware to steal information or perpetrate fraud.

Terminator RAT has been used against Tibetan and Uyghur activists before and while tracking attack against entities in Taiwan, the Cyber Security company FireEye Labs recently analyzed some new samples of 'Terminator RAT' (Remote Access Tool) that was sent via spear-phishing emails to targets in Taiwan.


A word document as an attachment was sent to victims, exploited a vulnerability in Microsoft Office (CVE-2012-0158), which subsequently drops a malware installer named “DW20.exe”.

Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Lets see - What Evasion techniques this Advance version of Terminator RAT is using:

This executable will first create its working folders located at “%UserProfile%\Microsoft” and “%AppData%\2019”, where it will store configurations and executable files (svchost_.exe and sss.exe).

Malware terminates and remove itself after installation. The malware will only run after reboot. This is one effective way to evade sandbox automatic analysis, as malicious activity will only reveal after a reboot.

The RAT (svchost_.exe) will collaborate with its relay (sss.exe) to communicate with the command and control server at liumingzhen.zapto.org / 123.51.208.69 and liumingzhen.myftp.org / 123.51.208.69.

This component plays the role as a network relay between the malware and the proxy server, by listening over port 8000.

This folder “2019” was then configured to be the new start up folder location by changing the registry “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startupdeter forensics investigation.” to deter forensics investigation by changing the startup location.

Also to deter file-based scanning that implements a maximum file size filter, by expanding the size of svchost_.exe to 40MB.

It is clear cybercrime is getting more organized and cybercriminals are becoming so much more sophisticated. Hackers are using stealth or advanced malware, usually to infiltrate hosts in networks and steal valuable data and APT attacks are increasingly becoming more sophisticated and harder to detect.