MostereRat Malware

Successful phishing campaigns typically combine sophisticated victim-deception tactics with layers of stealth, persistence, and advanced evasion techniques, so that threat actors can quietly maintain access across compromised systems and networks. A prime example is a new operation involving the use of a banking malware–turned–remote access Trojan (RAT) that researchers at Fortinet are tracking as "MostereRAT." It chains the use of an obscure programming language, security tool tampering, and the abuse of legitimate and widely used software to give cyberattackers covert, long-term control of victim environments.

In a recent report, Fortinet’s FortiGuard Labs warned that the campaign represents a troubling escalation in attacker tactics, particularly in its disabling of antivirus (AV) and endpoint defenses and its concealment of malicious activity by blending into normal IT activity. As for victimology, the campaign has so far targeted Microsoft Windows users in Japan, but the endgame remains unclear, says Yurren Wan, threat researcher with Fortinet's FortiGuard Labs. "The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques," Wan says. "These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data," he warns.

The phishing campaign begins in familiar enough fashion, with malicious emails designed to lure Japanese Windows users into clicking on a link to a malicious website. The site then automatically downloads a weaponized Word document containing an embedded archive file. The phishing emails themselves masquerade as legitimate business correspondence and appear to be routine business inquiries.
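A defender triaging a lure like the one described above wants to know whether a Word document carries an embedded archive before anyone opens it. The following is an added example, not code from Fortinet or Red Sky Alliance: it treats the .docx as the OOXML zip it is and scans every binary member for archive signatures; the sample document and embedded object it builds are constructed stand-ins (harmless text), and the assumption that the archive may sit inside an OLE wrapper is why the whole blob is searched rather than just its first bytes.

```python
import io
import zipfile

# Signatures of archive formats that a lure document might carry as an embedded object.
# Embedded files are often wrapped in an OLE container, so each blob is searched in
# full rather than only at offset 0.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MSCF": "cab",
}

def archive_types_in(blob: bytes) -> list:
    """Return the names of archive signatures found anywhere inside a byte blob."""
    return [name for magic, name in ARCHIVE_MAGIC.items() if magic in blob]

def find_embedded_archives(docx_bytes: bytes) -> list:
    """Scan a .docx (itself an OOXML zip) for non-XML members that contain an archive.
    Returns (member_name, archive_type) pairs. Word stores embedded objects under
    word/embeddings/, but every binary member is checked to be safe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for info in doc.infolist():
            if info.is_dir() or info.filename.endswith((".xml", ".rels")):
                continue
            for kind in archive_types_in(doc.read(info)):
                findings.append((info.filename, kind))
    return findings

def build_sample_docx(embedded: bytes = None) -> bytes:
    """Constructed test input: a minimal docx-shaped zip, optionally with one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if embedded is not None:
            doc.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()

def build_ole_wrapped_zip() -> bytes:
    """Constructed stand-in for an embedded object: an OLE compound-file header followed
    by a tiny zip, mimicking an archive packaged inside an embedding (harmless text only)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "constructed sample")
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + inner.getvalue()

if __name__ == "__main__":
    print(find_embedded_archives(build_sample_docx(build_ole_wrapped_zip())))
```

A hit is a triage signal, not a verdict: legitimate documents also embed spreadsheets and other objects, so a flagged member should be extracted and inspected in a sandbox rather than blocked on signature alone.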

The booby-trapped Word document acts as a vehicle of sorts for setting up the infrastructure and persistence mechanisms for deploying MostereRAT on the compromised system. One of the things that sets the malware apart is the fact that its modules are written in Easy Programming Language (EPL), a Chinese programming language that threat actors rarely use for malware development. The goal in using EPL, according to Fortinet, is to make it harder for defenders to detect and analyze the malware, because many security tools are not optimized to handle the language.

Once installed on a system, MostereRAT unpacks and executes its encrypted payload in stages. Fortinet's analysis showed the malware to consist of two main modules. One of them handles persistence, privilege escalation, AV evasion, and payload deployment. The other module provides core RAT functionality, and packs in as many as 37 command functions, support for secure two-way authenticated (mTLS) command-and-control communications, and remote access tool deployment.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

 

https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools
