Trojan:Win32/Casdet!rfn

What is Trojan:Win32/Casdet!rfn detection?
Trojan:Win32/Casdet!rfn is a pretty nasty thing. I recommend removing it as soon as possible.

Trojan:Win32/Casdet!rfn is a detection that indicates the possible presence of malware on your system. Users may encounter this detection after using pirated software or opening suspicious email attachments. In certain cases, Casdet may be a false positive detection.

Casdet is a severe threat mainly used for reconnaissance and delivering other payloads to the device. It also collects some data about the system but can be modified for different tasks, such as direct information theft.

Trojan:Win32/Casdet!rfn Overview

Trojan:Win32/Casdet!rfn is a detection that Microsoft Defender mainly uses for remote access trojans (RATs). Such malware, as its name implies, provides remote access and is often used for reconnaissance and delivery of other malware. Casdet doesn’t usually collect a lot of information, but the payload it carries is what does the most damage. Aside from this, Casdet has a modular structure, which allows it to dynamically plug in modules it needs and act as an information stealer, for example.

[Screenshot: Trojan:Win32/Casdet!rfn detection alert]

Trojan:Win32/Casdet!rfn usually spreads via phishing emails and via cracked software distributed over p2p networks. Occasionally it is a false positive that marks a legitimate file as malicious: some users have reported the detection after downloading and installing a legitimate Android emulator, e-books, or game mods. Before deleting a file you believe is a false positive, check its hash with a second scanner and, where available, against the vendor's published checksum. Let's take a detailed look at how this malware works.

Detailed Analysis

First, a reminder of how a Remote Access Trojan (RAT) works: in general, a RAT gives the operator remote control of the compromised device and is used for espionage and collection of sensitive data. Casdet!rfn in general, and the sample I reviewed in particular, mostly works as a malware downloader. Let's break down its actions step by step.

Initial Access

The Casdet sample picked for this test reached the victim's device through phishing emails. In rare cases the attackers chose a specific victim and tailored the email to that person. The threat, or its loader, usually hides inside the attachment, while the message body pressures the victim into opening it and lowers their guard.

Execution, Detection Evasion & Fingerprinting

Trojan:Win32/Casdet!rfn uses several techniques to evade analysis and detection. The anti-analysis part consists of checks for virtual machines and debuggers: it enumerates running processes and reads registry keys that can reveal the environment, such as the Explorer shell cache key below. Detection evasion mostly relies on packing and obfuscation; the only run-time trick is idling for several minutes right after start, which is enough to outlast the execution window of many automated sandboxes.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache

Additionally, it performs so-called geofencing by checking which language packs are installed. This is a common tactic across malware families, as the developers try to avoid infecting machines in their own country. The registry keys it reads for this are listed below. Note that the numeric and hash subkeys in the MuiCache path vary between machines, so a detection rule should match on the key prefix and the LanguageList value name rather than on the full path.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
HKCU\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList

Once running, malware normally tries to establish persistence so that it survives reboots and security scans. During the analysis this sample also produced the WerFault.exe command line below, which deserves a closer look. This is the standard way Windows Error Reporting is launched for a faulting process: -p is the PID of the process that crashed and -s is the event handle it signals when done. The command is started by the WER service, not by the sample, so it shows that the sample (or a process it ran in) crashed during the run; it is not a persistence mechanism and grants no additional privileges. Persistence has to be looked for in the usual places instead: Run and RunOnce keys, scheduled tasks, and the Startup folder.

C:\Windows\system32\WerFault.exe -u -p 3560 -s 216

After these operations, Casdet collects basic information about the system. Together these values form a fingerprint that identifies the machine to the operator and lets the C2 tell infections apart. None of it is secret on its own, but the username, IP address and list of installed software are enough to profile the victim, and the fingerprint is sent to the C2 with the first request.

  • OS version
  • Username
  • CPU and GPU
  • IP address
  • Display size
  • Device vendor
  • Installed software
  • Network information
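To show how the environment checks described above surface in practice, here is an added example (not code from the article or from GridinSoft) that triages a sandbox API trace. Sysmon does not log registry reads, so the checks have to be found in an API-level trace; the trace lines below are constructed in a "pid api argument" format that imitates an API-monitor export, while the registry paths, the multi-minute sleep and the WerFault command line are the ones from the article. The WerFault line is deliberately attributed to a different PID and is recorded as crash context for the faulting process, not as an indicator of persistence.

```python
"""Triage a sandbox API trace for the Casdet environment checks (added example)."""
import re

# Registry paths the article lists for geofencing; the MuiCache path is matched
# on its prefix because the numeric/hash subkeys differ between machines.
GEOFENCE_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack",
    r"HKCU\Software\Classes\Local Settings\MuiCache",
)
SHELL_CACHE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache"
LONG_SLEEP_MS = 60_000  # idling for a minute or more at start-up is a sandbox timeout trick

# WerFault.exe -u -p <faulting pid> -s <event handle>: launched by the WER service
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.I)

# Constructed trace: PID 3560 is the sample, PID 1204 stands in for the WER service.
SAMPLE_TRACE = r"""3560 RegOpenKeyExW HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
3560 RegQueryValueExW HKCU\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList
3560 RegQueryValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
3560 Sleep 180000
3560 Sleep 120000
1204 CreateProcessW C:\Windows\system32\WerFault.exe -u -p 3560 -s 216
"""


def parse_trace(text):
    """Split 'pid api argument' lines; the argument may itself contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split(" ", 2)
        events.append({"pid": int(pid), "api": api, "arg": arg})
    return events


def triage(text):
    """Return findings per PID; PIDs without any indicator (e.g. the WER service) are dropped."""
    findings = {}
    faulting_pids = set()
    for ev in parse_trace(text):
        f = findings.setdefault(ev["pid"], {
            "geofence_keys": [], "programs_cache": False,
            "startup_sleep_ms": 0, "crash_reported": False})
        arg_l = ev["arg"].lower()
        if ev["api"].startswith("Reg"):
            if any(arg_l.startswith(k.lower()) for k in GEOFENCE_KEYS):
                f["geofence_keys"].append(ev["arg"])
            elif arg_l == SHELL_CACHE_KEY.lower():
                f["programs_cache"] = True
        elif ev["api"] == "Sleep":
            f["startup_sleep_ms"] += int(ev["arg"])
        elif ev["api"] == "CreateProcessW":
            m = WERFAULT_RE.search(ev["arg"])
            if m:
                # -p names the process that crashed, which is the one we care about
                faulting_pids.add(int(m.group(1)))
    for pid, f in findings.items():
        f["crash_reported"] = pid in faulting_pids
    return {pid: f for pid, f in findings.items()
            if f["geofence_keys"] or f["programs_cache"]
            or f["startup_sleep_ms"] or f["crash_reported"]}


def is_evasive(f):
    """Geofencing or a multi-minute start-up sleep is enough to call the sample evasive."""
    return bool(f["geofence_keys"]) or f["startup_sleep_ms"] >= LONG_SLEEP_MS


if __name__ == "__main__":
    for pid, f in triage(SAMPLE_TRACE).items():
        print(pid, "evasive" if is_evasive(f) else "not evasive", f)
```

The crash flag is kept separate from the evasion score on purpose: a WerFault launch tells you the run was cut short and the trace may be incomplete, which is a reason to re-run the sample, not a reason to raise its severity.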

C2 Communications

The way Casdet communicates with its command server is unremarkable. It carries a list of IP addresses inside its binary, decodes it when needed, then forms an HTTP POST request, encrypts the body and sends it to the command server. The addresses observed in this sample are listed below. Several of them fall within large cloud and CDN provider ranges that legitimate software also talks to, so treat them as weak indicators: correlate the POST pattern and the host-side artifacts rather than blocking or alerting on the IP alone.

  • 20.99.133.109:443
  • 20.99.186.246:443
  • 23.216.147.64:443
  • 192.229.211.108:80
  • 20.99.185.48:443
  • 104.80.88.11:443
  • 23.216.147.76:443
  • 20.99.184.37:443

In response, the C2 sends a small blob containing further instructions for the malware: upload a specific file from the infected machine, execute a command, or connect to a remote server to pull a payload and run it. Any supplementary data comes in the same response.
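As an added example of working with the address list above (this is not the article's or GridinSoft's code), the following script correlates outbound connections from a proxy log with the C2 list. The proxy log lines are constructed; the (ip, port) pairs are the ones printed above. Because several of those addresses live in shared cloud and CDN ranges, a single connection is only reported for review, and a client is flagged only when it POSTs to at least two listed addresses, which matches the beacon behaviour described in the text.

```python
"""Correlate proxy logs with the Casdet C2 address list (added example)."""
from collections import defaultdict

# (ip, port) pairs from the article's list
CASDET_C2 = {
    ("20.99.133.109", 443), ("20.99.186.246", 443), ("23.216.147.64", 443),
    ("192.229.211.108", 80), ("20.99.185.48", 443), ("104.80.88.11", 443),
    ("23.216.147.76", 443), ("20.99.184.37", 443),
}

# Constructed proxy log: timestamp, client, server:port, method, bytes sent
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:03Z 10.0.5.17 20.99.133.109:443 POST 612
2024-05-02T09:14:05Z 10.0.5.17 20.99.186.246:443 POST 612
2024-05-02T09:15:11Z 10.0.5.17 23.216.147.64:443 POST 604
2024-05-02T09:16:40Z 10.0.5.23 23.216.147.76:443 GET 0
2024-05-02T09:17:02Z 10.0.5.42 142.250.74.78:443 POST 1200
"""


def parse_proxy_line(line):
    """Parse one constructed proxy record into a dict."""
    ts, client, server, method, sent = line.split()
    ip, port = server.rsplit(":", 1)
    return {"ts": ts, "client": client, "ip": ip, "port": int(port),
            "method": method, "sent": int(sent)}


def correlate(log_text, iocs=CASDET_C2, min_distinct=2):
    """Return {client: 'flag' | 'review'} for clients that touched a listed address.

    'flag'   - POSTed to at least `min_distinct` distinct listed addresses,
               i.e. the rotating-beacon pattern rather than a stray CDN hit.
    'review' - touched a listed address but without that pattern.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_proxy_line(line)
        if (ev["ip"], ev["port"]) in iocs:
            by_client[ev["client"]].append(ev)
    verdicts = {}
    for client, hits in by_client.items():
        posted_to = {h["ip"] for h in hits if h["method"] == "POST"}
        verdicts[client] = "flag" if len(posted_to) >= min_distinct else "review"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(correlate(SAMPLE_PROXY_LOG).items()):
        print(client, verdict)
```

The threshold is a tuning knob: on a network where the hosts never talk to these ranges at all, `min_distinct=1` is appropriate; on one with heavy cloud traffic, raise it or add the encrypted-body size as an extra condition.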

Payload

Regarding payloads, this is where Trojan:Win32/Casdet!rfn shines: it can deploy practically any malware type, though most of the time it delivers ransomware, spyware and droppers. The payload is a DLL written to the user's temporary folder and launched with rundll32.exe, naming DllMain as the export to call. Note that DllMain is the DLL's entry point, which the Windows loader invokes automatically with DLL_PROCESS_ATTACH (and later DLL_PROCESS_DETACH) as soon as rundll32 loads the library; the malicious code therefore runs during the load itself, before rundll32 even resolves the named export, so the export name in the command line is irrelevant to whether the payload executes.

"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain
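The command line above is a good hunting pattern. Here is an added example (not code from the article or from GridinSoft) of a process-creation rule for it: it parses rundll32 command lines, including quoted DLL paths, and flags a launch when the DLL sits in a user Temp directory, has a 32-hex-character name, or names DllMain as the export. The event records are constructed in a Sysmon-like shape; the first one carries the exact command line from the article, including the 8.3 short user directory (A4148~1.MON), which is why the Temp check matches on the AppData\Local\Temp suffix rather than on the full path.

```python
"""Flag rundll32 launching a DLL from a user Temp directory (added example)."""
import ntpath
import re

# rundll32.exe, optionally quoted and with a full path, followed by its arguments
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe"?\s+(.+?)\s*$', re.I)
# Suffix match: the user folder may be an 8.3 short name, the rest of the path is stable
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{32}\.dll$", re.I)

# Constructed process-creation events; the first command line is the one from the article
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain'},
    {"pid": 4133, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe shell32.dll,Control_RunDLL timedate.cpl'},  # benign control-panel launch
    {"pid": 4140, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\update helper.dll",Start'},
]


def split_rundll32_args(cmd):
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):                      # quoted DLL path, may contain spaces
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                         # unquoted: DLL[,Export] is the first token
        token, _, tail = rest.partition(" ")
        dll, _, export_part = token.partition(",")
        tail = "," + export_part if export_part else tail
    tail = tail.lstrip(",").strip()
    export = tail.split()[0] if tail else ""
    return dll, export


def is_suspicious_rundll32(event):
    """Return (flagged, reasons) for one process-creation event."""
    parsed = split_rundll32_args(event["cmd"])
    if parsed is None:
        return False, []
    dll, export = parsed
    reasons = []
    if TEMP_RE.search(dll):
        reasons.append("DLL loaded from a user Temp directory")
    if HEX_NAME_RE.match(ntpath.basename(dll)):
        reasons.append("32-hex-character DLL name")
    if export.lower() == "dllmain":
        reasons.append("export named DllMain (the entry point already ran at load time)")
    return bool(reasons), reasons


def scan(events):
    """Evaluate every event; returns {pid: (flagged, reasons)}."""
    return {e["pid"]: is_suspicious_rundll32(e) for e in events}


if __name__ == "__main__":
    for pid, (flagged, reasons) in scan(SAMPLE_EVENTS).items():
        print(pid, "FLAG" if flagged else "ok", "; ".join(reasons))
```

In a real deployment, pair this with the parent process: rundll32 spawned by an Office application or by a process running from a Temp directory is far more telling than rundll32 alone, which Windows itself launches constantly.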

Casdet also has a modular structure, which lets it operate on its own when needed. The sample in question could acquire infostealer functionality or extend its dropper functions. Together with its default capabilities, this makes a single Casdet sample sufficient to carry out a full-fledged attack.

How To Remove Trojan:Win32/Casdet!rfn?

To remove Trojan:Win32/Casdet!rfn, I recommend using GridinSoft Anti-Malware. This program is resilient to the anti-detection techniques this malware uses, thanks to its multi-component detection system.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action taken for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
