Drive-By Infections Lead to IDAT Loader And SecTop RAT Payloads

The IDAT Loader a malware loader that searches PNG files to retrieve payload instructions is being linked to financially motivated groups and has typically been distributed via FakeUpdates. A recent incident saw it being deployed alongside the BruteRatel C4 framework following opportunistic infections obtained through malvertising and drive-by downloads. The malware is triggered by downloading an application which leads to the IDAT Loader execution that kicks off a series of events such as the binary analyzing the environment to evade analysis decrypting URLs downloading encoded data and executes further payloads. The IDAT Loader communicates with specified IP addresses and post-exploitation executes another version of IDAT Loader and drops a legitimate executable Rvm.exe. The loader proceeds to load tampered DLLs that contain IDAT Loader code before the final payload SecTop RAT is deployed.