TAG-140’s DRAT V2 malware upgrade offers a substantial improvement over its initial version.

The new DRAT V2 variant raises significant concerns due to its enhanced operational capabilities, evolved targeting strategy, and improved evasion techniques, which collectively increase its threat to critical infrastructure and national security. DRAT V2 is the latest variant of the DRAT (Delphi Remote Access Trojan) malware, recently identified in a TAG-140 campaign targeting Indian government and critical infrastructure organizations. TAG-140, linked to the SideCopy subgroup and Transparent Tribe (APT36), is known for its evolving and diverse malware arsenal.

Key Technical Enhancements in DRAT V2

DRAT V2 is now Delphi-compiled, transitioning from the earlier .NET-based version. This change may help evade certain detection mechanisms and marks a technical evolution in the malware’s development.

The C2 protocol has been significantly revamped. The new server-initiated TCP protocol supports both ASCII and Unicode command inputs (responses remain ASCII-only), improving command parsing reliability and operational flexibility.

Unlike its predecessor, DRAT V2 keeps most command headers in plaintext, reducing string obfuscation. This likely prioritizes reliable command parsing over stealth, making C2 communications easier for the malware to manage but potentially more detectable by defenders.

Enhanced Capabilities

• Arbitrary Shell Command Execution: Introduction of the “exec_this_comm” command allows operators to execute any Windows shell command on the victim system and receive the output, greatly enhancing post-exploitation options.
• File Transfers: DRAT V2 enables two-way file transfers, allowing attackers to upload additional payloads or exfiltrate data from compromised machines.
• System Reconnaissance: The malware collects system details such as username, OS version, system time, and current directory, and can enumerate file systems and directories.
• Obfuscation of C2 Infrastructure: C2 IP addresses are now obfuscated using Base64 encoding with prepended strings, complicating straightforward detection and analysis by defenders.
• Persistence Mechanism: The infection chain typically starts with a social engineering lure (often spoofing the Indian Ministry of Defence), leading to the execution of a .NET loader (“BroaderAspect”) that establishes persistence via registry run keys and deploys the final DRAT V2 payload.
• Detection: Despite these enhancements, DRAT V2 lacks advanced anti-analysis features and relies on basic infection and persistence methods. This makes it susceptible to detection via static and behavioral analysis, especially when monitoring for uncommon TCP ports (e.g., 3232, 6372, 7771) or encoded traffic patterns.
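As an added defender-side example (not code from the article or from the reporting vendor), the following Python helper decodes a C2 address obfuscated in the way described above (a prepended string followed by Base64) and then flags connection-log lines that reach a decoded C2 address or one of the uncommon TCP ports listed. The prefix strings, the log format and all addresses are constructed for illustration; the article does not disclose the real prepended strings.

```python
import base64
import binascii
import ipaddress

# Uncommon TCP ports the article names as worth monitoring for DRAT V2 C2.
SUSPECT_PORTS = {3232, 6372, 7771}
# Hypothetical prepended markers: the article does not give the real strings.
ASSUMED_PREFIXES = ("cfg::", "srv=")

def decode_obfuscated_c2(value, prefixes=ASSUMED_PREFIXES):
    """Strip a known prefix, Base64-decode the remainder and return it as an
    IPv4 string, or None if it is not a prefixed, valid address."""
    for prefix in prefixes:
        if value.startswith(prefix):
            payload = value[len(prefix):]
            break
    else:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("ascii")
        return str(ipaddress.IPv4Address(raw))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def flag_connections(log_lines, c2_ips):
    """Scan connection-log lines '<ts> <src> <dst> <dport> <proto>' and return
    (ts, dst, reason) for TCP flows to a known C2 address or a suspect port."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the hunt
        ts, _src, dst, port, proto = fields
        if proto.lower() != "tcp" or not port.isdigit():
            continue
        if dst in c2_ips:
            hits.append((ts, dst, "known C2 address"))
        elif int(port) in SUSPECT_PORTS:
            hits.append((ts, dst, "suspect port " + port))
    return hits

# Constructed sample data (documentation-range addresses, not real IoCs).
SAMPLE_CONFIG = "cfg::MjAzLjAuMTEzLjEw"  # Base64 of 203.0.113.10
SAMPLE_LOG = [
    "2025-07-01T10:00:01Z 10.0.0.5 203.0.113.10 443 tcp",
    "2025-07-01T10:00:02Z 10.0.0.5 198.51.100.7 6372 tcp",
    "2025-07-01T10:00:03Z 10.0.0.6 192.0.2.44 80 tcp",
    "2025-07-01T10:00:04Z 10.0.0.6 198.51.100.9 7771 udp",
]
```

Running `flag_connections(SAMPLE_LOG, {decode_obfuscated_c2(SAMPLE_CONFIG)})` returns the first two lines only: the flow to the decoded address is caught on port 443, the flow on 6372 is caught by port, and the UDP line is ignored because the article describes a TCP protocol.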

Summary Table: DRAT V2 vs Previous Version

Feature                   | Previous DRAT (.NET)                      | DRAT V2 (Delphi)
--------------------------|-------------------------------------------|-----------------------------------
Compilation Language      | .NET                                      | Delphi
C2 Protocol               | Custom TCP, ASCII                         | Custom TCP, ASCII & Unicode
Command Headers           | Heavily obfuscated                        | Mostly plaintext
Shell Command Execution   | Limited                                   | Arbitrary via “exec_this_comm”
File Transfer             | Supported                                 | Enhanced, bi-directional
C2 IP Obfuscation         | Basic                                     | Base64 + prepended strings
Anti-analysis Techniques  | Minimal                                   | Minimal
Infection Chain           | Social engineering, BroaderAspect loader  | Similar, with registry persistence
Target Sectors            | Varied                                    | Indian government, defense

Threat Context

The emergence of DRAT V2 signals a maturing threat landscape, with TAG-140 demonstrating increased technical sophistication and adaptability. The malware’s modular design and rotation among RATs (including CurlBack, SparkRAT, AllaKore, and others) suggest ongoing efforts to evade detection and maintain persistent access to high-value targets.