Fake NVIDIA Software!

Overview

Researchers at Blackpoint Cyber’s Adversary Pursuit Group (APG) have uncovered a new Rust-based remote access tool (RAT) dubbed LabubaRAT, which disguises itself as legitimate NVIDIA software to infiltrate Windows systems. Distributed as nvidia-sysruntime.exe, the malware leverages fake vendor metadata and runtime artifacts to blend into enterprise environments while granting attackers full control over infected hosts.

Masquerade as NVIDIA Software

LabubaRAT presents itself as NVIDIA’s Container Runtime Monitor, complete with spoofed version information and vendor references.

  • Fake metadata — claims NVIDIA Corporation identity.
  • Mutex identityLocal\NVIDIAContainerMonitor_SingleInstance.
  • SQLite databasenvctr_sys.db stores enrollment data and runtime state.

Despite its NVIDIA branding, forensic analysis revealed Rust build paths and compile artifacts exposing its true nature as a malicious implant.

Flexible Malware-as-a-Service Design

Unlike malware with hardcoded infrastructure, LabubaRAT accepts runtime configuration via command-line arguments or environment variables.

  • Organization Target--org / ZM_ORG.
  • Authentication Token--key / ZM_KEY.
  • C2 Destination--server / ZM_SERVER.
  • Campaign Group--group / ZM_GROUP.

A Base64‑encoded –b parameter packs these values together. APG decoded one deployment showing:

  • Organization: luxespa
  • Group: rabbit
  • C2 server: pipicka[.]xyz

This modular design suggests a Malware-as-a-Service model, enabling multiple campaigns from a single binary.

Command & Control Channels

LabubaRAT supports three resilient C2 methods:

  • HTTPS polling — via Rust libraries like reqwest and tokio.
  • WebView2 communication — mimics browser traffic with embedded JavaScript.
  • DNS tunneling — Base32‑encoded payload chunking.

This redundancy ensures operators maintain access even if one channel is blocked.

Capabilities & Persistence

Once enrolled, LabubaRAT profiles the host and awaits operator commands. Supported actions include:

  • Shell & PowerShell execution.
  • JavaScript execution.
  • Screenshot capture.
  • File upload/download.
  • SOCKS5 proxy relaying.

Persistence is achieved via an HKCU Run key, configurable with –install and –uninstall flags.

Detection & Defense

Blackpoint Cyber recommends defenders:

  • Hunt for unsigned binaries claiming NVIDIA identity.
  • Scrutinize Base64 arguments tied to autorun entries.
  • Search for nvctr_sys.db artifacts.
  • Monitor outbound traffic for:
    • Browser‑spoofed User‑Agents with bearer authentication.
    • WebView2 requests.
    • High‑entropy DNS queries.

Expert in the Cloud Insight

LabubaRAT exemplifies how modern malware blends into trusted ecosystems by impersonating legitimate software vendors. Its Rust foundation, flexible configuration, and multi‑channel C2 resilience make it a potent threat for enterprises.

For defenders, the lesson is clear: identity masquerade detection, runtime artifact analysis, and proactive traffic monitoring are essential to stop such stealthy implants before they establish persistent footholds.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.