Kaolin RAT

aka KaolinTea

Kaolin RAT is a complex modular RAT, with Release_TMain_x64.dll as its internal DLL name.

The malware provides standard backdoor functionality: listing and manipulating files and processes, updating its configuration, collecting system information about the victim, opening TCP connections, and executing local commands and collecting their output.

It is also designed to execute additional DLL payloads in memory by calling specific exported functions:

  • _DoMyFunc,
  • _DoMyFunc2,
  • _DoMyThread,
  • _DoMyCommandWork.

For network and exfiltration operations, Kaolin RAT relies on an accompanying trojanized curl library, importing functions such as:

  • SendDataFromURL,
  • ZipFolder,
  • UnzipStr,
  • curl wrappers.
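The internal DLL name and the export names listed above are static indicators a triage script can check without loading the module. The following is an added example written for this page, not code from the malware or from any vendor report: a pure-Python parser for the PE export directory (no third-party dependency) together with a constructed, non-loadable PE32+ fixture that stands in for a real sample. The `triage` scoring rule (internal name match or at least two export hits) is an assumption chosen for illustration; the imports from the trojanized curl library are not checked here and would be read from DataDirectory[1] in the same way.

```python
"""Triage helper: does a DLL carry the Kaolin RAT export surface described above?
Hypothetical example code; the fixture builder produces a constructed sample input."""
import struct

# Indicators taken from the description above.
KAOLIN_EXPORTS = {"_DoMyFunc", "_DoMyFunc2", "_DoMyThread", "_DoMyCommandWork"}
KAOLIN_INTERNAL_NAME = "Release_TMain_x64.dll"


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(image: bytes):
    """Return (internal DLL name, exported names) for a PE32/PE32+ file, or (None, [])
    if it has no export directory. RVAs are mapped through the section table."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", image, opt)
    dd = opt + (112 if magic == 0x20B else 96)               # DataDirectory start (PE32+ / PE32)
    export_rva, _export_size = struct.unpack_from("<II", image, dd)   # entry 0 = exports
    if export_rva == 0:
        return None, []
    sections = []
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva: int) -> int:
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    # IMAGE_EXPORT_DIRECTORY (40 bytes)
    (_chars, _ts, _maj, _min, name_rva, _base, _n_funcs, n_names, _addr_funcs, addr_names,
     _addr_ords) = struct.unpack_from("<IIHHIIIIIII", image, rva2off(export_rva))
    names_off = rva2off(addr_names)
    names = [_cstr(image, rva2off(struct.unpack_from("<I", image, names_off + 4 * i)[0]))
             for i in range(n_names)]
    return _cstr(image, rva2off(name_rva)), names


def triage(image: bytes) -> dict:
    """Score a DLL against the indicators. No hits is not a clean bill: exports can be
    renamed between builds, so pair this with behavioural data. Threshold is an assumption."""
    dll_name, names = parse_exports(image)
    hits = sorted(KAOLIN_EXPORTS & set(names))
    name_match = dll_name == KAOLIN_INTERNAL_NAME
    return {"internal_name": dll_name, "name_match": name_match,
            "export_hits": hits, "suspicious": name_match or len(hits) >= 2}


def build_fixture_dll(internal_name: str, export_names: list) -> bytes:
    """Constructed sample input: a minimal PE32+ holding only an export directory
    (one .edata section, no code, not loadable)."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_va + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, str_rvas = bytearray(), []
    for s in [internal_name] + export_names:
        str_rvas.append(ords_rva + 2 * n + len(strings))
        strings += s.encode() + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rvas[0], 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    blob += struct.pack(f"<{n}I", *([0] * n))                # function RVAs (dummy)
    blob += struct.pack(f"<{n}I", *str_rvas[1:])             # name RVAs
    blob += struct.pack(f"<{n}H", *range(n))                 # name ordinals
    blob += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_va, len(blob))     # DataDirectory[0] = exports
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(blob), sec_va, len(blob), sec_raw,
                                      0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + blob


if __name__ == "__main__":
    suspect = build_fixture_dll(KAOLIN_INTERNAL_NAME, sorted(KAOLIN_EXPORTS))
    print(triage(suspect))                                   # name_match True, 4 export hits
    print(triage(build_fixture_dll("helper.dll", ["Init", "Run"])))   # nothing flagged
```

To run it over real files, read each candidate with `open(path, "rb").read()` and pass the bytes to `triage`; the parser only touches headers and the export directory, so it is safe on untrusted input apart from malformed-offset exceptions, which the caller should catch and treat as "could not parse".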

For C&C communication it uses AES encryption and attempts to evade network detection by selecting words at random from a hardcoded custom dictionary to populate POST request parameters. The family name is derived from one of these dictionary words ("kaolin").

Kaolin RAT has been observed in Lazarus campaigns as a late-stage payload, typically following loaders such as RollFling, RollSling, and RollMid, and it also serves as the delivery vector for the FudModule rootkit together with a zero-day exploit.


Family metadata imported from Malpedia (Fraunhofer FKIE).