Security news that informs and inspires

Attackers Deploy Multiple RATs in Phishing Campaign


Researchers observed a phishing campaign that relied on "complex" obfuscation tactics in order to deliver a tangle of different RATs, which aimed to gain access to victims’ systems and steal their information.

The malware campaign, first discovered in October, targeted victims primarily across the U.S., Italy and Singapore. Researchers with Cisco Talos that observed the campaign said the initial infection vector was a phishing email, which purported to contain an attachment with a fake invoice document. The attachment instead was a malicious ZIP file, containing an ISO image file with the loader, which was in JavaScript, Visual Basic Script or a Windows batch file format.

The campaign is “a great example of the challenges enterprises face with a malicious email using an obscure attachment type (.iso), a bunch of obfuscated malicious intent, ending with delivery of a remote access tool,” said Nick Biasini, head of Outreach with Cisco Talos. “Organizations deal with these challenges all the time, this is just a great example of the day-to-day challenges they face.”

Of note, the campaign used four levels of obfuscation for its downloader, which made it difficult for researchers to identify the true purpose of the malware and potentially could increase the longevity of the campaign, said Biasini.

When the initial script was executed, it connected to a server to download the next-stage malware, which was hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, said researchers. Attackers also registered several malicious subdomains using free DNS service DuckDNS in order to deliver the malware payload.

The utilization of common cloud services and platforms by attackers throughout their operations - for initial access, data exfiltration and for storage, for instance - is a continuing trend that has been previously observed by researchers.

"These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments."

“Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure,” said Cisco Talos researchers. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers’ operations.”

The final payloads included the Nanocore RAT, which was first uncovered in 2013 and has a variety of capabilities, including the ability to steal passwords, tamper and view footage from webcams, downloading and stealing files and more. Other RATs used in the campaign included Netwire, a RAT that’s focused on password stealing and keylogging, which has remote control capabilities; and AsyncRAT, an open-source remote administration tool that is often used for malicious purposes due to its keylogger remote desktop control functionalities. However, while these RATs have multiple functionalities aimed at stealing specific sensitive data, “increasingly it’s the access that we see monetized directly" by attackers, said Biasini.

“Instead of going after specific data or goals they instead will try and sell the access they have achieved to others trying to further the compromise like various ransomware cartels and the associated affiliates,” he said.

In order to protect against this campaign, researchers urged enterprises to deploy “comprehensive multi-layered security controls to detect similar threats and safeguard their assets.”

“Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints,” said Cisco Talos researchers. “It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”