Trojan:Win32/Casdet!rfn is a detection that indicates the possible presence of malware on your system. Users may encounter this detection after using pirated software or opening suspicious email attachments. In certain cases, Casdet may be a false positive detection.
Casdet is a severe threat mainly used for reconnaissance and delivering other payloads to the device. It also collects some data about the system but can be modified for different tasks, such as direct information theft.
Trojan:Win32/Casdet!rfn Overview
Trojan:Win32/Casdet!rfn is a detection that Microsoft Defender mainly uses for remote access trojans (RATs). Such malware, as its name implies, provides remote access and is often used for reconnaissance and delivery of other malware. Casdet doesn’t usually collect a lot of information, but the payload it carries is what does the most damage. Aside from this, Casdet has a modular structure, which allows it to dynamically plug in modules it needs and act as an information stealer, for example.
Trojan:Win32/Casdet!rfn is usually spread via phishing emails and cracked software, spread through p2p networks. Rarely though it can turn out as a false positive, marking a legitimate file as malicious. Some users have complained about Trojan:Win32/Casdet!rfn detection after downloading and installing a legitimate Android emulator, e-books, or game mods. Let’s take a detailed look at how this malware works.
Detailed Analysis
First, let’s remember how a Remote Access Trojan (RAT) works. In general, RATs collect sensitive data and can be used for various purposes, including espionage and remote control of compromised devices. However, Casdet!rfn overall and the sample I was reviewing mostly works as a malware downloader. Let’s break down its actions step-by-step.
Initial Access
The sample of Casdet Trojan picked for this test was reaching the victim’s device through phishing emails. In some rare cases, hackers were picking a victim and targeting the emails on this specific person. Threat, or its loader usually hides within the attached file. Message body at the same time motivates the victim to run the attachment, lulling the vigilance.
Execution, Detection Evasion & Fingerprinting
Trojan:Win32/Casdet!rfn employs various techniques to evade detection by security systems. These techniques include obfuscation and checks for virtual machines or debuggers. The latter is done by listing the processes and checking registry keys that can contain information about the environment. Detection evasion, on the other hand, mostly relies on packing and obfuscation; the only trick the malware pulls during the execution is idling for several minutes at the start.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
Additionally, it performs so-called geofencing through checking the language packs installed in the system. That’s a rather common tactic for different malware families, as the developers try to avoid attacking anything from their own country. Below, you can see the specific registry keys it scans for this.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
HKCU\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList
When malware infiltrates a system, it aims to establish persistence to ensure its continued operation and control. It abuses WerFault through the command I’ve pasted below to gain persistence and additional execution privileges. This allows it to maintain a foothold in the system even after reboots or security scans.
C:\Windows\system32\WerFault.exe -u -p 3560 -s 216
After these operations, Casdet collects basic information about the system. This system’s fingerprint serves to identify it and is unique to each system. While this information doesn’t contain valuable or sensitive data, it is a system fingerprint that is sent to the C2.
- OS version
- Username
- CPU and GPU
- IP address
- Display size
- Device vendor
- Installed software
- Network information
C2 Communications
The way Casdet malware communicates with the command server is nothing special. It carries a selection of IP addresses in its binary file, and decodes it when the time has come. Then, it forms the HTTP POST request, encrypts it, and sends it to the command server.
- 20.99.133.109:443
- 20.99.186.246:443
- 23.216.147.64:443
- 192.229.211.108:80
- 20.99.185.48:443
- 104.80.88.11:443
- 23.216.147.76:443
- 20.99.184.37:443
C2 in response will send a tiny blob of information that contains further instructions for the malware. Among them are uploading a specific file from the infected machine, executing the command, or connecting to the remote server to pull the payload and run it. All the supplementary info comes in the same response package.
Payload
Regarding payloads, this is where Trojan:Win32/Casdet!rfn shines: it can deploy literally any malware type. But most of the time, Casdet delivers ransomware, spyware, droppers and similar things. It runs the DllMain function from a DLL file in the user’s temporary folder using the rundll32.exe utility. The DllMain function is called when the DLL is loaded during system events like DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH.
"C:\Windows\System32\rundll32.exe"
C:\Users\A4148~1.MON\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain
At the same time, Casdet has a modular structure, which allows it to act standalone when needed. This malware in particular was capable of getting infostealer functionality or extending its dropper functions. On top of what it is capable of by default, it makes a single sample of Casdet capable of performing a full-fledged cyberattack.
How To Remove Trojan:Win32/Casdet!rfn?
To remove Trojan:Win32/Casdet!rfn, I recommend using GridinSoft Anti-Malware. This program is resilient to the anti-detection techniques this malware uses, thanks to its multi-component detection system. Run a Full scan, let it finish and click “Clean Now” to remove all the malicious elements. The program will also take care of your system’s safety in future – give it a try.
