A new phishing campaign has been observed delivering Remote Access Trojans (RAT) such as VCURMS and STRRAT using a malicious Java-based downloader. The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware, an unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.
The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file ("Payment-Advice.jar") hosted on AWS. Executing the JAR file retrieves two more JAR files, which are then run separately to launch the twin trojans.[1]
In addition to sending an email with the message "Hey master, I am online" to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the message. This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.
The information stealer can siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.
VCURMS shares similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.STRRAT is a RAT built using Java, with a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications.
The disclosure comes as Darktrace revealed a novel phishing campaign that's taking advantage of automated emails sent from the Dropbox cloud storage service via "no-reply@dropbox[.]com" to propagate a bogus link mimicking the Microsoft 365 login page. The email itself contained a link that would lead a user to a PDF file hosted on Dropbox that was seemingly named after a partner of the organization," the company said, "the PDF file contained a suspicious link to a domain that had never previously been seen on the customer's environment, 'mmv-security[.]top.'"
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www. redskyalliance. org/
- Website: https://www. redskyalliance. com/
- LinkedIn: https://www. LinkedIn. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2024/03/alert-cybercriminals-deploying-vcurms.html
Comments