
Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

A new phishing campaign has been observed delivering remote access trojans (RATs) such as VCURMS and STRRAT by means of a malicious Java-based downloader.

“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.

An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server.

The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.

Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.

Besides sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the message.


This includes running arbitrary commands using cmd.exe, gathering system information, searching for and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.

The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam; credentials, cookies, and auto-fill data from various web browsers; screenshots; and extensive hardware and network information about the compromised hosts.

VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.

“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.

The disclosure comes as Darktrace revealed a novel phishing campaign that is taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.
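The email-based C2 channel described above gives defenders two cheap mail-gateway signals: outbound messages to the actor's Proton Mail address or carrying the check-in text, and inbound messages with a JAR attachment. The following added example (not code from the article or from Fortinet) runs those checks over a few constructed, one-JSON-object-per-line gateway records; the record format and the sample values other than the quoted indicators are assumptions.

```python
"""Flag mail records matching the VCURMS email-based C2 beacon and the JAR lure."""
import json
import re

# Indicators quoted in the article (the address is written defanged there).
C2_ADDRESS = "sacriliage@proton.me"
BEACON_TEXT = re.compile(r"hey master,?\s*i(?:'m| am) online", re.IGNORECASE)
JAR_LURE = re.compile(r"\.jar$", re.IGNORECASE)

# Constructed mail-gateway records in an assumed JSON-lines format; not real telemetry.
SAMPLE_LOG = """\
{"dir":"out","from":"alice@corp.example","to":"bob@corp.example","subject":"Q1 numbers","body":"see attached","attachments":["q1.xlsx"]}
{"dir":"out","from":"ws-17@corp.example","to":"sacriliage@proton.me","subject":"status","body":"Hey master, I am online","attachments":[]}
{"dir":"in","from":"billing@vendor.example","to":"carol@corp.example","subject":"Payment Advice","body":"Please verify payment information","attachments":["invoice.jar"]}
{"dir":"in","from":"hr@corp.example","to":"dave@corp.example","subject":"Payroll","body":"updated","attachments":["payroll.pdf"]}
"""


def classify(record: dict) -> list[str]:
    """Return the reasons a single mail record looks suspicious (empty list if clean)."""
    reasons = []
    outbound = record.get("dir") == "out"
    if outbound and record.get("to", "").lower() == C2_ADDRESS:
        reasons.append("outbound mail to known VCURMS C2 mailbox")
    if outbound and BEACON_TEXT.search(record.get("body", "")):
        reasons.append("VCURMS check-in text in outbound body")
    if not outbound and any(JAR_LURE.search(a) for a in record.get("attachments", [])):
        reasons.append("inbound JAR attachment (Java downloader lure)")
    return reasons


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged record's sender to its reasons; clean records are omitted."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits[rec["from"]] = reasons
    return hits


if __name__ == "__main__":
    for sender, why in scan(SAMPLE_LOG).items():
        print(sender, "->", "; ".join(why))
```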


“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “The PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.’”
