Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT.
The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said.
"These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools," Yurren Wan said.
EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It's chiefly meant for users who may not be proficient in English.
The emails, which are primarily designed to target Japanese users, leverage lures related to business inquiries to deceive recipients into clicking on malicious links that take them to an infected site to download a booby-trapped document -- a Microsoft Word file that embeds a ZIP archive.
Present within the ZIP file is an executable that, in turn, triggers the execution of MostereRAT, which is then used to drop several tools like AnyDesk, TigerVNC, and TightVNC using modules written in EPL. A noteworthy aspect of the malware is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, thereby allowing it to sidestep detection.
"This traffic-blocking technique resembles that of the known red team tool 'EDRSilencer,' which uses Windows Filtering Platform (WFP) filters at multiple stages of the network communication stack, effectively preventing it from connecting to its servers and from transmitting detection data, alerts, event logs, or other telemetry," Wan said.
Another is its ability to run as TrustedInstaller, a built-in Windows system account with elevated permissions, enabling it to interfere with critical Windows processes, modify Windows Registry entries, and delete system files.
Furthermore, one of the modules deployed by MostereRAT is equipped to monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, log keystrokes, send heartbeat signals to an external server, and process commands issued by the server.
The commands allow it to collect victim host details, run DLL, EPK, or EXE files, load shellcode, read/write/delete files, download and inject an EXE into svchost.exe using Early Bird Injection, enumerate users, capture screenshots, facilitate RDP logins, and even create and add a hidden user to the administrators group.
"These tactics significantly increase the difficulty of detection, prevention, and analysis," Fortinet said. "In addition to keeping your solution updated, educating users about the dangers of social engineering remains essential."
ClickFix Gets Another Novel Twist
The findings coincide with the emergence of another campaign that employs "ClickFix-esque techniques" to distribute a commodity information stealer known as MetaStealer to users searching for tools like AnyDesk.
The attack chain involves serving a fake Cloudflare Turnstile page before downloading the supposed AnyDesk installer, and prompts them to click on a check box to complete a verification step. However, this action triggers a pop-up message asking them to open Windows File Explorer.
Once the Windows File Explorer is opened, PHP code concealed in the Turnstile verification page is configured to employ the "search-ms:" URI protocol handler to display a Windows shortcut (LNK) file disguised as a PDF that's hosted on an attacker's site.
The LNK file, for its part, activates a series of steps to gather the hostname and run an MSI package that's ultimately responsible for dropping MetaStealer.
"These types of attacks that require some level of manual interaction from the victim, as they work to 'fix' the purported broken process themselves, work in part because they can potentially circumvent security solutions," Huntress said. "Threat actors are continuing to move the needle in their infection chains, throwing a wrench into detection and prevention."
The disclosure also comes as CloudSEK detailed a novel adaptation of the ClickFix social engineering tactic that leverages invisible prompts using CSS-based obfuscation methods to weaponize AI systems and produce summaries that include attacker-controlled ClickFix instructions.
The proof-of-concept (PoC) attack is accomplished by using a strategy called prompt overdose, wherein the payload is embedded within HTML content extensively so that it dominates a large language model's context window in order to steer its output.
"This approach targets summarizers embedded in applications such as email clients, browser extensions, and productivity platforms," the company said. "By exploiting the trust users place in AI-generated summaries, the method covertly delivers malicious step-by-step instructions that can facilitate ransomware deployment."
"Prompt overdose is a manipulation technique that overwhelms an AI model's context window with high-density, repeated content to control its output. By saturating the input with attacker-chosen text, legitimate context is pushed aside, and the model's attention is consistently drawn back to the injected payload."
