Cross-Platform Architecture
Security researchers have identified a new Java-based remote access trojan called QuimaRAT that targets Windows, Linux, and macOS systems. The malware is offered under a malware-as-a-service model with subscription prices ranging from $150 for one month to $1,200 for lifetime access. The modular architecture allows dynamic capability expansion through encrypted plugins delivered directly from command-and-control infrastructure.
The malware author provides a builder that generates multiple output formats including JAR, EXE, APP, and SH files. The seller claims complete stealth on Windows and Linux systems, while noting macOS requires user-granted permissions for certain features like screen capture.
Capabilities and Evasion Techniques
QuimaRAT uses several operating system specific methods for persistence, including Registry Run keys and scheduled tasks on Windows, autostart entries on Linux, and LaunchAgent plist files on macOS. The trojan employs a Pastebin based C2 host update mechanism that allows operators to dynamically rotate infrastructure without redistributing payloads.
The malware supports fileless shellcode execution on Windows hosts and includes a watchdog component that maintains active communication channels. Remote capabilities include command execution, credential theft, file transfer, clipboard manipulation, and webcam surveillance. The threat actor also offers complementary tools including a modular builder, browser-cache payload delivery service, and HTML/SVG payload generator that bypass SmartScreen protections.
Source: The Hacker News
