Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT.
The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said.
“These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools,” Yurren Wan said.
EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It’s chiefly meant for users who may not be proficient in English.
The emails, which are primarily designed to target Japanese users, leverage lures related to business inquiries to deceive recipients into clicking on malicious links that take them to an infected site to download a booby-trapped document — a Microsoft Word file that embeds a ZIP archive.
Present within the ZIP file is an executable that, in turn, triggers the execution of MostereRAT, which is then used to drop several tools like AnyDesk, TigerVNC, and TightVNC using modules written in EPL. A noteworthy aspect of the malware is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, thereby allowing it to sidestep detection.
“This traffic-blocking technique resembles that of the known red team tool ‘EDRSilencer,’ which uses Windows Filtering Platform (WFP) filters at multiple stages of the network communication stack, effectively preventing it from connecting to its servers and from transmitting detection data, alerts, event logs, or other telemetry,” Wan said.
Another is its ability to run as TrustedInstaller, a built-in Windows system account with elevated permissions, enabling it to interfere with critical Windows processes, modify Windows Registry entries, and delete system files.
Furthermore, one of the modules deployed by MostereRAT is equipped to monitor foreground window activity associated with Qianniu – Alibaba’s Seller Tool, log keystrokes, send heartbeat signals to an external server, and process commands issued by the server.
The commands allow it to collect victim host details, run DLL, EPK, or EXE files, load shellcode, read/write/delete files, download and inject an EXE into svchost.exe using Early Bird Injection, enumerate users, capture screenshots, facilitate RDP logins, and even create and add a hidden user to the administrators group.
“These tactics significantly increase the difficulty of detection, prevention, and analysis,” Fortinet said. “In addition to keeping your solution…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
