SpankRAT Malware: Exploiting Explorer.exe for Stealth

Modern malware doesn’t just hide—it impersonates trust.

A newly discovered threat, SpankRAT malware, is taking stealth to another level by injecting itself into Windows Explorer (explorer.exe) to mask malicious activity as legitimate system behavior.

For SOC teams and security leaders, this is a critical wake-up call:
👉 When attackers operate inside trusted processes, traditional detection models start to fail.

In this deep dive, you’ll learn:

  • How SpankRAT works across its full attack chain
  • Why explorer.exe injection is so dangerous
  • The limitations of signature-based detection
  • Practical detection and mitigation strategies

What Is SpankRAT Malware?

SpankRAT malware is a Rust-based Remote Access Trojan (RAT) toolkit designed for stealth, persistence, and full system control.

Key Characteristics

  • Built in Rust (cross-platform capable)
  • Uses DLL injection into explorer.exe
  • Routes C2 traffic through trusted processes
  • Evades detection on platforms like VirusTotal
  • Maintains persistence via scheduled tasks

Why This Threat Is So Dangerous

Trusted Process Abuse

By injecting into explorer.exe, SpankRAT:

  • Makes malicious traffic appear legitimate
  • Bypasses reputation-based detection systems
  • Reduces alert prioritization in SOC workflows

Low Detection Rates

  • Many samples remain undetected by antivirus engines
  • Signature-based tools fail to identify behavior

Full System Control

Attackers gain:

  • Remote command execution
  • File system access
  • Registry manipulation
  • Process and service control

How the SpankRAT Attack Works

1. Initial Stage: SpankLoader

The attack begins with SpankLoader, a lightweight loader.

Key Actions:

  • Downloads payload via HTTP
  • Enables SeDebugPrivilege, the privilege needed to open and write into other processes
  • Drops malicious DLL:
    • C:\ProgramData\rmm_agent.dll

2. DLL Injection into explorer.exe

SpankLoader injects the payload into:

  • explorer.exe (Windows Explorer)

Why This Matters:

  • Explorer is always running
  • Highly trusted system process
  • Network activity appears legitimate

3. Persistence via Scheduled Task

Creates:

  • Task Name: RmmAgentCore
  • Trigger: User logon
  • Privilege: Highest

4. C2 Communication via WebSockets

SpankRAT connects to:

  • ws://<C2>:9000/ws/agent

Features:

  • JSON-based communication
  • Real-time command execution
  • Persistent connection channel

5. Full Remote Control Capabilities

SpankRAT supports 18 command types, including:

System Control

  • Execute commands (PowerShell)
  • Elevate privileges

File Operations

  • Upload/download files
  • Delete or rename files

Process Management

  • List and kill processes
  • Monitor system activity

Registry Access

  • Read/write/delete keys

Scheduled Tasks

  • Create and manage tasks

Software Enumeration

  • Identify installed applications

Advanced Techniques Used

1. PowerShell Abuse

All operations executed with:

  • -NoProfile
  • -NonInteractive
  • -ExecutionPolicy Bypass

2. Process Masquerading

  • Uses legitimate process identity
  • Hides malicious network activity

3. WebSocket-Based C2

  • Persistent communication channel
  • Harder to detect than traditional HTTP

4. Rust-Based Development

  • Cross-platform potential
  • Low detection signatures
  • Increasing trend in modern malware

Indicators of Compromise (IOCs)

Network Indicators

  • 45.131.214[.]132:9000
  • 166.1.144[.]109:9000

File Indicators

  • RmmAgentCore.exe
  • rmm_agent.dll
  • arc_agent.exe

Behavioral Indicators

  • DLL injection into explorer.exe
  • Scheduled task creation (RmmAgentCore)
  • WebSocket connections from system processes
  • PowerShell execution with bypass flags

Why Traditional Detection Fails

1. Signature-Based Limitations

  • No known malware signatures
  • Obfuscated payloads

2. Reputation-Based Blind Spots

  • Traffic appears from trusted binaries
  • Low suspicion scoring

3. Lack of Behavioral Visibility

  • No monitoring of process injection
  • No correlation of system anomalies

Best Practices to Detect and Mitigate SpankRAT

1. Monitor Process Injection Activity

  • Detect DLL injection into:
    • explorer.exe
  • Use EDR with memory analysis

2. Track Scheduled Task Creation

Alert on:

  • Tasks with:
    • High privileges
    • Logon triggers
    • Unknown executables

3. Inspect WebSocket Traffic

  • Identify unusual outbound connections
  • Monitor non-browser processes using WebSockets

4. Strengthen PowerShell Monitoring

Look for:

  • ExecutionPolicy bypass
  • Non-interactive execution
  • Suspicious command chains

5. Deploy Behavioral Detection Tools

Use:

  • EDR/XDR platforms
  • Sandbox environments (e.g., dynamic analysis)

6. Enhance Threat Hunting

Search for:

  • HTTP requests to:
    • */download/rmm_agent.dll*
  • Abnormal process-parent relationships
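The detection steps above (bypass-flag PowerShell, WebSocket-style connections from a system process, elevated logon tasks pointing at unknown executables, and the rmm_agent.dll download path) can be expressed as simple hunting rules over endpoint telemetry. The script below is an added example, not code from the original article or from SpankRAT's authors; its event records are constructed, Sysmon-like samples with an invented field schema, and the "trusted directories" check is a rough stand-in for an allowlist of known executables.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample telemetry in a Sysmon-like shape (not real SpankRAT logs);
# the field names are this example's own schema, not a vendor format.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"event": "process_create", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -c whoami"},
    {"event": "process_create", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -c Get-Date"},  # benign: no bypass
    {"event": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "203.0.113.10", "dst_port": 9000},
    {"event": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443},  # benign browser traffic
    {"event": "http_request", "image": r"C:\ProgramData\loader.exe",
     "url": "http://203.0.113.10/download/rmm_agent.dll"},
    {"event": "task_create", "task": r"\RmmAgentCore", "run_level": "Highest",
     "trigger": "Logon", "action": r"C:\ProgramData\RmmAgentCore.exe"},
    {"event": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "run_level": "Highest", "trigger": "Time", "action": r"C:\Windows\System32\defrag.exe"},
]

# -ExecutionPolicy Bypass and its short forms (-ep/-exec), plus -NoProfile/-NonInteractive prefixes
BYPASS = re.compile(r"-e\w*\s+bypass", re.I)
QUIET = re.compile(r"-nop\w*|-noni\w*", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # rough stand-in for "known executables"
WEB_PORTS = {80, 443}

def hunt(events):
    findings = []  # (rule, detail) pairs, tagged with the ATT&CK IDs from the article's table
    for e in events:
        kind = e["event"]
        if kind == "process_create" and "powershell" in e["image"].lower():
            if BYPASS.search(e["cmdline"]) and QUIET.search(e["cmdline"]):
                findings.append(("T1059 PowerShell with bypass flags", e["cmdline"]))
        elif kind == "network_connect":
            # explorer.exe has no reason to talk to a non-web port on a remote host
            if PureWindowsPath(e["image"]).name.lower() == "explorer.exe" and e["dst_port"] not in WEB_PORTS:
                findings.append(("T1071 non-web outbound from explorer.exe", f'{e["dst_ip"]}:{e["dst_port"]}'))
        elif kind == "http_request":
            if re.search(r"/download/rmm_agent\.dll", urlparse(e["url"]).path, re.I):
                findings.append(("loader download of rmm_agent.dll", e["url"]))
        elif kind == "task_create":
            if (e["run_level"] == "Highest" and e["trigger"] == "Logon"
                    and not e["action"].lower().startswith(TRUSTED_DIRS)):
                findings.append(("T1053 elevated logon task outside trusted dirs", e["task"]))
    return findings
```

Injection into explorer.exe itself (T1055) is not visible in this kind of log; it needs EDR memory telemetry, so these rules catch the surrounding behavior rather than the injection.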

7. Apply Zero Trust Principles

  • Verify all process behavior
  • Limit privilege escalation
  • Enforce least privilege

Framework Alignment

MITRE ATT&CK

Technique                        | ID
Process Injection                | T1055
Command Execution                | T1059
Persistence via Scheduled Tasks  | T1053
WebSocket C2                     | T1071

NIST Cybersecurity Framework

  • Detect: Behavioral anomaly detection
  • Protect: Privilege control
  • Respond: Incident investigation

ISO 27001

  • A.12 – Monitoring and logging
  • A.9 – Access control
  • A.16 – Incident response

Expert Insight: The Rise of “Trusted Process Attacks”

SpankRAT represents a broader shift:

Attackers no longer need to hide—they just need to look legitimate.

Strategic Implications

  • Trusted processes are now primary attack surfaces
  • Behavioral detection is no longer optional
  • SOC teams must prioritize context over signatures

FAQs

1. What is SpankRAT malware?

A stealthy Remote Access Trojan that injects into explorer.exe to evade detection and maintain control.


2. Why is explorer.exe targeted?

Because it’s a trusted Windows process, making malicious activity appear legitimate.


3. How does SpankRAT persist?

By creating a scheduled task that runs at user logon with elevated privileges.


4. Why is it hard to detect?

It uses legitimate processes, WebSocket communication, and avoids writing suspicious files.


5. How can organizations detect it?

Through behavioral monitoring, process injection detection, and network traffic analysis.


6. What makes Rust-based malware significant?

Rust binaries often evade traditional detection due to unique compilation patterns and lower signature visibility.


Conclusion

SpankRAT malware is a clear example of how attackers are evolving toward stealth, persistence, and legitimacy.

By abusing:

  • Trusted Windows processes
  • Fileless techniques
  • Advanced communication channels

it significantly reduces detection visibility and increases dwell time.

Key Takeaways

  • Trusted processes are no longer trustworthy by default
  • Behavioral detection is critical
  • SOC visibility must extend into memory and process activity

Organizations must adapt quickly—because the next generation of threats won’t look malicious at all.
