New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

Summary

A new Rust-based remote access trojan (RAT) named MODBEACON has been discovered, attributed to the China-linked cybercrime group Silver Fox. Despite appearing unsophisticated with its use of SEO poisoning for malware distribution, MODBEACON utilizes gRPC streaming for encrypted Command and Control (C2) traffic, suggesting more advanced capabilities.

IFF Assessment

FOE

The development and deployment of new RATs by threat actors represents an increased risk and potential for compromise to systems and data.

Defender Context

Defenders should be aware of MODBEACON and the techniques used by Silver Fox, particularly the reliance on SEO poisoning for initial access and the use of gRPC for encrypted C2. Monitoring for unusual network traffic patterns, especially those involving gRPC, and ensuring robust endpoint detection and response (EDR) capabilities are crucial for mitigating this threat.

Read Full Story →