Attackers are pushing a remote access trojan known as EndClient RAT. They deliver it in a signed Windows Installer (MSI) package that looks legitimate, so defenders tend to trust it. Because the installer bears a stolen code-signing certificate, Windows trust checks and SmartScreen signals can mislead users. The campaign therefore lands execution, gains persistence quickly, and blends with normal administrative activity.
Incident overview
The lure is a file named StressClear.msi. It arrives in targeted chats and direct messages in which operators coach victims to run it. The MSI is signed with a certificate issued to Chengdu Huifenghe Science and Technology Co. Ltd., which lends it false legitimacy. Because the package appears trusted, users proceed. Meanwhile, antivirus coverage stays low during the first hours of a campaign, and SmartScreen prompts do not always block execution, especially when policy lets the user click through the warning.
Attack chain: Social engineering → Signed MSI → decoy + loader
Operators open one-to-one conversations with high-value targets and hand over the MSI. When the user runs the installer, the package performs a decoy install of WIZVERA VeraPort's Delfino banking authentication component to reinforce trust. In parallel, it deploys a loader that hands control to an obfuscated script. Users see what looks like routine software setup; defenders see a trusted chain that rarely raises immediate red flags.
Loader mechanism: AutoIt + in-memory execution
The MSI drops AutoIt3.exe together with a heavily obfuscated script. The script does its work in memory, keeps file writes to a minimum, and runs under a legitimate-looking parent process. Static scanners struggle because the loader is a stock AutoIt runtime; the malicious logic lives in the script, not in the interpreter. EDR can still catch it, but triage needs process lineage and behavior, not signatures alone.
Persistence and evasion
The malware registers a scheduled task named IoKlTr. It fires once per minute and points at content staged under Public\Music, a path that draws little suspicion in many environments. To prevent duplicate instances, the binary creates a global mutex with a long GUID-like name. At login, a startup link relaunches the AutoIt payload. When Avast is present on the host, the loader mutates: it pads itself with junk data, changes file names, and alters its static profile to slip past product-specific heuristics.
C2 protocol and capabilities
The implant opens a direct TCP socket and exchanges JSON messages. Each message carries a sentinel marker: endClient9688 from the client and endServer9688 from the server. The protocol supports command execution, file retrieval, and exfiltration. Because it rides plain TCP and mimics ordinary tooling, simple domain block lists rarely help. When the channel is unencrypted, the sentinel strings themselves are a usable network signature; where TLS wraps it, profile beacon intervals and JA3/JA4 fingerprints instead.
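The sentinel strings give a concrete payload signature when the channel is unencrypted, and the once-per-minute task gives a timing signature either way. The Python below is an added example, not code from the original write-up or from the researchers who analysed the sample: it scans constructed payloads for the endClient9688 and endServer9688 markers, pulls out any adjacent JSON, and profiles beacon intervals per source/destination pair. The placement of the JSON body next to the sentinel, the field names (id, cmd, result, args) and the addresses and timestamps are all assumptions for the example; the page does not document the frame layout.

```python
"""Added example, not code from the original write-up: scan TCP payloads for the
EndClient RAT sentinel strings and profile beacon regularity per flow pair.

Assumptions (the page does not document the framing): the sentinel appears as a
plain substring of the payload and the JSON body sits next to it. All payloads,
addresses and timestamps below are constructed for the example, not captures.
"""
import json
import statistics
from typing import Optional

CLIENT_SENTINEL = b"endClient9688"
SERVER_SENTINEL = b"endServer9688"
_DECODER = json.JSONDecoder()


def classify_payload(payload: bytes) -> Optional[str]:
    """'client', 'server' or None depending on which sentinel the payload carries."""
    if CLIENT_SENTINEL in payload:
        return "client"
    if SERVER_SENTINEL in payload:
        return "server"
    return None


def extract_json(payload: bytes) -> list:
    """Return every JSON object embedded in the payload, tolerating surrounding framing.

    raw_decode() handles nested braces and braces inside strings correctly, so this
    does not rely on a regular expression.
    """
    text = payload.decode("utf-8", errors="replace")
    objs, pos = [], 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return objs
        try:
            obj, end = _DECODER.raw_decode(text, start)
        except ValueError:
            pos = start + 1  # not a JSON object here; keep scanning
            continue
        objs.append(obj)
        pos = end


def beacon_profile(timestamps) -> dict:
    """Interval statistics for one flow pair; a low jitter ratio means automation."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return {"count": len(ts), "mean_interval": 0.0, "jitter_ratio": 0.0}
    mean = statistics.fmean(gaps)
    jitter = statistics.pstdev(gaps) / mean if mean else 0.0
    return {"count": len(ts), "mean_interval": mean, "jitter_ratio": jitter}


def hunt(flows, max_jitter=0.15, min_count=5) -> dict:
    """flows: iterable of (timestamp, src, dst, payload). Returns findings per (src, dst)."""
    by_pair = {}
    for ts, src, dst, payload in flows:
        entry = by_pair.setdefault((src, dst), {"ts": [], "roles": set(), "commands": []})
        entry["ts"].append(ts)
        role = classify_payload(payload)
        if role:
            entry["roles"].add(role)
            entry["commands"].extend(extract_json(payload))
    findings = {}
    for pair, entry in by_pair.items():
        prof = beacon_profile(entry["ts"])
        periodic = prof["count"] >= min_count and prof["jitter_ratio"] <= max_jitter
        findings[pair] = {
            "sentinel_hit": bool(entry["roles"]),
            "periodic": periodic,
            "mean_interval": round(prof["mean_interval"], 1),
            "commands": entry["commands"],
        }
    return findings


# Constructed sample: one implant checking in about every 60 s, one server reply,
# and one benign pair with irregular timing and no sentinel.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","cmd":"ping"}'),
    (0.5, "203.0.113.10", "10.0.0.5", b'endServer9688{"id":"h1","cmd":"exec","args":"whoami"}'),
    (60.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","result":"ok"}'),
    (121.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","cmd":"ping"}'),
    (180.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","cmd":"ping"}'),
    (240.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","cmd":"ping"}'),
    (301.0, "10.0.0.5", "203.0.113.10", b'endClient9688{"id":"h1","cmd":"ping"}'),
    (0.0, "10.0.0.7", "198.51.100.20", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (5.0, "10.0.0.7", "198.51.100.20", b"GET /a HTTP/1.1\r\n\r\n"),
    (400.0, "10.0.0.7", "198.51.100.20", b"GET /b HTTP/1.1\r\n\r\n"),
    (402.0, "10.0.0.7", "198.51.100.20", b"GET /c HTTP/1.1\r\n\r\n"),
    (900.0, "10.0.0.7", "198.51.100.20", b"GET /d HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for pair, finding in hunt(SAMPLE_FLOWS).items():
        print(pair, finding)
```

The payload check only works where you see cleartext, so run it on a decryption point or on an egress sensor; the timing profile needs nothing but connection timestamps, which is why it survives TLS. Tune max_jitter and min_count to your own baseline before treating a periodic flag as a hit on its own.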
Who's at risk
Targets include civil society workers and NGOs, but the delivery method generalizes. Any team that trusts signed MSI packages without further checks is in scope. Because many organizations permit user-approved installs, and because SmartScreen can present a choice rather than a hard block, pressure and urgency in a chat can defeat caution.
Detection and hunting
Focus on behavior. Trace MSI install chains that spawn AutoIt3.exe. Flag AutoIt that launches cmd.exe, powershell.exe, or WScript with suspicious arguments. Hunt for the IoKlTr task scheduled per minute and for binaries under Public\Music. On the network side, measure short, periodic beacons with small JSON payloads and unusual framing. When TLS wraps the traffic, compare fingerprints: a steady JA3/JA4 pair across distinct destinations can expose automation. To validate a hit, walk process lineage from msiexec.exe to AutoIt3.exe to the child shell.
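The host-side checks above come down to a lineage walk plus a few string matches on command lines. As an added example (not code from the original post or from any vendor), here is that logic in Python over constructed process-creation events. The event fields (pid, ppid, image, cmdline) mirror common process-creation telemetry but are an assumption rather than a specific product's schema; the script file name, the process IDs and the developer-workstation AutoIt entry are made up to exercise the rules.

```python
"""Added example, not code from the original write-up: walk process lineage in
process-creation events and flag the EndClient RAT chain
(msiexec.exe -> AutoIt3.exe -> shell), the IoKlTr scheduled task, and binaries
staged under Public\\Music.

The events below are constructed for the example; the field names are an
assumption, not a specific EDR or Sysmon schema.
"""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
AUTOIT = "autoit3.exe"
INSTALLER = "msiexec.exe"
TASK_NAME = "iokltr"          # scheduled task name from the report, lower-cased
STAGING = "\\public\\music\\"  # staging folder from the report, lower-cased


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS via ntpath)."""
    return ntpath.basename(image).lower()


def ancestors(pid, by_pid):
    """Yield the parent chain for pid, nearest first, stopping at unknown or cyclic pids."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def evaluate(events) -> list:
    """Return (pid, rule) findings for a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e.get("cmdline", "").lower()
        chain = [basename(a["image"]) for a in ancestors(e["pid"], by_pid)]
        # AutoIt runtime anywhere beneath an MSI install is the loader hand-off.
        if name == AUTOIT and INSTALLER in chain:
            findings.append((e["pid"], "msi_spawned_autoit"))
        # A shell or script host whose direct parent is AutoIt3.exe.
        if name in SHELLS and chain and chain[0] == AUTOIT:
            findings.append((e["pid"], "autoit_spawned_shell"))
        # Persistence: the named task, or any task created on a per-minute schedule.
        if name == "schtasks.exe" and "/create" in cmd:
            if "/tn" in cmd and TASK_NAME in cmd:
                findings.append((e["pid"], "iokltr_task_created"))
            elif "/sc minute" in cmd:
                findings.append((e["pid"], "minute_task_created"))
        # Anything executing from or pointing into Public\Music.
        if STAGING in e["image"].lower() or STAGING in cmd:
            findings.append((e["pid"], "public_music_staging"))
    return findings


# Constructed sample: the infection chain, then two benign processes.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\victim\Downloads\StressClear.msi"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\Public\Music\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\Public\Music\update.au3"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 1 /tn IoKlTr '
                r'/tr "C:\Users\Public\Music\AutoIt3.exe C:\Users\Public\Music\update.au3"'},
    # Benign: a developer running AutoIt from Explorer, and a plain Notepad launch.
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": "AutoIt3.exe build.au3"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The developer's AutoIt3.exe under Program Files produces no finding because its lineage has no msiexec.exe and it spawns no shell; that is the distinction the text draws between a stock interpreter and this loader. Feed the function a day of process-creation events from one host and the pids it returns are the ones to walk by hand.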
Mitigation and hardening
Tighten trust first. Enforce SmartScreen blocking in policy so users cannot bypass warnings for untrusted installers. Restrict MSI execution to administrators and known publishers. Where possible, distrust the stolen certificate locally and monitor for other files signed with it. Add application control rules that cover AutoIt3.exe and restrict script interpreters launched by MSI installers. Map the controls to your baseline and roll them out in a limited pilot before broad enforcement.
Operational impact and next steps
Prioritize certificate-based risk. Identify hosts that recently executed signed MSI packages from outside your software distribution flow. If AutoIt appears on endpoints that do not develop or test scripts, review those machines first. Because the C2 uses stable framing strings, craft detections for that pattern on decrypted traffic or at egress inspection points that see payload metadata. After containment, validate by removing the IoKlTr task, clearing startup links, and confirming the mutex is no longer held by any process on the host. Finally, brief users: signed ≠ safe.
Signed installers lower friction for attackers. EndClient RAT leans on a stolen code-signing certificate, AutoIt-backed in-memory execution, and custom JSON-over-TCP C2 to cut noise and persist. Because the chain blends with normal administration, SOC teams should tighten trust decisions, instrument MSI-to-AutoIt lineage, and enforce SmartScreen blocks that remove the user's choice. Treat a signature as one signal rather than a verdict and you reduce this family's room to maneuver.