csharp-streamer: Peeking under the hood

12/06/2023
G DATA Blog

An unusual attack tool has caught the attention and piqued the curiosity of G DATA analyst Hendrik Eckardt. The discovered RAT (Remote Access Tool) is apparently designed for networks where people take an annoyingly close - for the attackers - look at what is happening.

The malware, called CSharp-Streamer, stands out first because it is installed using a heavily obfuscated PowerShell script. Undoing this obfuscation in order to find out what the script does is extremely tedious, although possible.

Tried & Tested

Under the hood, however, things are quite straightforward - not only is there no obfuscation, but the software immediately reveals what you are dealing with. The malware is not entirely new either, even if there are only a few publications on it so far. CSharp-streamer was first spotted "in the wild" in 2021 and has not changed significantly since then.

The malware bundles a hodgepodge of different tools, all of which are freely available (e.g. on GitHub). From keyloggers and a variant of Mimikatz to injection tools for DLL files, there is a lot on offer. The range of functions goes beyond that of other RATs: in addition to a keylogger, there is also a tool that can upload files directly to a file hosting service (in this case "MEGA") via a corresponding API.

Targeted

The tool is obviously designed to prepare the rollout of ransomware. The most important functions for this - stealing access data, exploring the network to spread laterally and tapping information - are available. In other words, csharp-streamer has all the means for the now almost classic double extortion. If affected companies do not pay a ransom for decryption, the perpetrators threaten to publish the captured data on the Internet. It can safely be assumed that groups of criminals follow through on these threats in the majority of cases.

Hidden

A special feature is one of the options that csharp-streamer uses for communication. In addition to the "normal" routes via TCP packets, csharp-streamer also has an option to package its own communication in ICMP data packets. This option is used when other communication protocols cannot get past a firewall. Although this is not completely uncommon, it is nevertheless unusual. The background to this tactic: ICMP traffic is not checked in many networks and therefore flies "under the radar". This makes communication as a whole more resistant to restrictive firewall configurations. Such restrictive control by firewalls is not common in most smaller networks, which suggests that csharp-streamer is designed for use in larger corporate networks where there are more restrictions imposed by firewalls.
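For defenders, the practical consequence is that ICMP echo traffic deserves the same scrutiny as other protocols. The following Python sketch is an added example, not G DATA's code. It applies two generic heuristics for data carried in ICMP echo messages: payloads larger than stock ping sends, and replies whose data does not mirror the request. It does not reproduce csharp-streamer's own packet format, which this article does not describe; the size threshold, function names and sample traffic are assumptions constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_NORMAL_PAYLOAD = 64  # assumed baseline: Windows ping sends 32 bytes, Linux ping 56

def parse_icmp(msg: bytes):
    """Split a raw ICMP message (IP header already removed) into echo fields."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq, msg[8:]

def find_suspicious(packets):
    """packets: iterable of (src, dst, raw_icmp). Returns (reason, src, dst, seq) tuples."""
    pending = {}   # (requester, responder, ident, seq) -> request payload
    findings = []
    for src, dst, raw in packets:
        icmp_type, ident, seq, payload = parse_icmp(raw)
        if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        if len(payload) > MAX_NORMAL_PAYLOAD:
            findings.append(("oversized payload", src, dst, seq))
        if icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = payload
        else:
            sent = pending.pop((dst, src, ident, seq), None)
            if sent is None:
                findings.append(("unsolicited reply", src, dst, seq))
            elif sent != payload:
                # RFC 792: the data in an echo reply must match the request.
                findings.append(("reply payload differs", src, dst, seq))
    return findings

def build_echo(icmp_type, ident, seq, payload):
    """Helper for the constructed samples; checksum is left at 0 (not evaluated here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows default ping data
SAMPLE = [  # constructed traffic using documentation address ranges
    ("192.0.2.10", "198.51.100.5", build_echo(ECHO_REQUEST, 1, 1, PING)),
    ("198.51.100.5", "192.0.2.10", build_echo(ECHO_REPLY, 1, 1, PING)),
    ("192.0.2.20", "203.0.113.9", build_echo(ECHO_REQUEST, 7, 1, b"\x00" * 8)),
    ("203.0.113.9", "192.0.2.20", build_echo(ECHO_REPLY, 7, 1, b"\x17" * 300)),
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print(finding)
```

Legitimate large pings (for example MTU tests) will also trip the size check, so treat the findings as leads to correlate with the host and process that sent them.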

"The REvil that men do"

This is underpinned by the fact that the group of attackers has certain links to the notorious REvil group, which has at least officially disbanded - or been disbanded through arrests. This group has already made headlines in the past with spectacular attacks, for example on Kaseya. One assumption is that individuals or entire teams who originally worked for REvil have switched to this group, because even in the underworld there are a lot of revolving doors.

All technical details about csharp-streamer can be found in our analysis on the blog of G DATA Advanced Analytics at www.cyber.wtf.