The FortiMail IR team recently uncovered a new email campaign distributing a Remote Access Trojan (RAT) using multiple evasion techniques to target organizations in Spain, Italy, and Portugal. The campaign leverages the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation.[1]
Affected platforms: Windows (primarily); Linux and macOS if Java is installed
Impacted parties: Users on systems with the Java Runtime Environment (JRE) installed
Impact: Grants remote access to attackers, enabling them to execute commands, log keystrokes, access files, activate the webcam/microphone, and fully control the infected system
Severity level: High
Additionally, it employs advanced evasion strategies, including the abuse of two file-sharing platforms, geolocation filtering, and Ngrok to create secure, obfuscated tunnels. These tactics further complicate detection and effectively mask the attack's true origin, ultimately facilitating the distribution of RATty malware.
This campaign highlights the increasing sophistication of malware attack methodologies, leveraging the legitimate functionalities of remote administration tools for malicious purposes.
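The first paragraph notes that the mail passes SPF because the email service provider is an authorized sender for the spoofed domains. That is exactly the case where an SPF pass by itself proves nothing about the visible sender: the authenticated domain is the provider's bounce domain, not the domain shown in the From header. The check below, an added example and not code from the report or from Fortinet, reads an Authentication-Results header and flags messages where SPF passed but the SPF-authenticated domain is not aligned with the From domain (the relaxed-alignment test DMARC performs). The message headers are constructed placeholders, and organizational-domain reduction is simplified to the last two labels; a production implementation would use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passes for the sending provider's bounce domain,
# while the From header shows an unrelated organization (placeholder names).
UNALIGNED_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce.mail-service.example
From: "Accounts" <invoices@victim-brand.example>
Return-Path: <bounce-123@bounce.mail-service.example>
Subject: Invoice 0001

body
"""

# Constructed sample: SPF passes and the authenticated domain belongs to
# the same organization as the From domain, so the pass is meaningful.
ALIGNED_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bounce.victim-brand.example
From: "Accounts" <invoices@victim-brand.example>
Return-Path: <bounce-456@bounce.victim-brand.example>
Subject: Invoice 0002

body
"""


def parse_auth_results(value):
    """Extract the SPF verdict and the SPF-authenticated domain from an
    Authentication-Results header value (RFC 8601 layout). The header may be
    folded across lines, so whitespace is normalized first. Returns
    (result, domain); both are None when no SPF clause is present."""
    flat = re.sub(r"\s+", " ", value)
    m = re.search(r"\bspf=(\w+)", flat)
    if not m:
        return None, None
    result = m.group(1).lower()
    # smtp.mailfrom may carry a full address or just a domain.
    d = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", flat)
    domain = d.group(1).lower().rstrip(".") if d else None
    return result, domain


def org_domain(domain):
    """Simplified organizational-domain reduction: keep the last two labels.
    Assumption for this example; real DMARC evaluation consults the PSL."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_spf_alignment(raw_message):
    """Return a dict describing whether an SPF pass is aligned with the
    visible From domain. An unaligned pass is the signal to act on: the
    provider is authorized, but not for the domain the recipient sees."""
    msg = message_from_string(raw_message)
    spf_result, spf_domain = parse_auth_results(msg.get("Authentication-Results", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower() or None

    aligned = (
        spf_result == "pass"
        and spf_domain is not None
        and from_domain is not None
        and org_domain(spf_domain) == org_domain(from_domain)
    )
    if spf_result == "pass" and not aligned:
        verdict = "spf_pass_unaligned"  # passes SPF, but not for the From domain
    elif aligned:
        verdict = "spf_pass_aligned"
    else:
        verdict = "spf_not_pass"

    return {
        "spf_result": spf_result,
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "aligned": aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("unaligned", UNALIGNED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(name, check_spf_alignment(raw))
```

A mail gateway or SIEM rule keyed on `spf_pass_unaligned` separates "the provider is permitted to send" from "the displayed sender is authentic", which is the distinction this campaign exploits; enforcing DMARC alignment (or at least alerting on the mismatch) closes the gap that an SPF-only check leaves open.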
Link to full report: IR-25-135-001_BadEmail.pdf
[1] https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware?lctg=141970831