Remote Access Trojan | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat , stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform. "WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files," it said in a technical report. "Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor's main component less suspicious." WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that's better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA). The malware w...

In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware. "In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: 'Are Bengal Cats legal in Australia?,'" Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week. GootLoader , as the name implies, is a malware loader that's typically distributed using search engine optimization (SEO) poisoning tactics for initial access. Specifically, the malware is deployed onto victim machines when searching for certain terms like legal documents and agreements on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload. Once installed, it makes way for a second-stage malware, often an...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT . Remcos RAT "provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week. "However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts." The starting point of the attack is a phishing email that uses purchase order-themed lures to convince recipients to open a Microsoft Excel attachment. The malicious Excel document is designed to exploit a known remote code execution flaw in Office ( CVE-2017-0199 , CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.e...

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT. "The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain," Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis. The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerade as Yandex Disk ("disk-yandex[.]ru"), and HTML web pages disguised as VK, a social network predominantly used in the country. Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launch email-based campaigns that can the...

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries. The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37 , which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests. A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering. It's currently not known how the first stage payload, a ZIP arc...

Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations. As many as 15 breached email accounts have been identified as used as part of the campaign. It's currently not clear how these accounts are infiltrated in the first place or who is behind the attacks. "Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport," the enterprise security firm said in an analysis published Tuesday. "In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2." The attack chains invol...

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. "Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries." The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload. The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive...

The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) referred to as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published last week. The advanced persistent threat (APT), also known as AguilaCiega, APT-C-36, and APT-Q-98, has a track record of focusing on organizations and individuals in South America, particularly related to the government and finance sectors in Colombia and Ecuador. The attack chains, as recently documented by Kaspersky, originate with phishing emails that entice recipients into clicking on malicious links that serve as the launchpad for the infection process. The links, either embedded within a PDF attachment or directly in the email body, point to ZIP archives hosted on ...

Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack , which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi. The cybersecurity company said it found artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. that were all generated by MacroPack and used to deliver various payloads such as Havoc, Brute Ratel , and a new variant of PhantomCore , a remote access trojan (RAT) attributed to a hacktivist group named Head Mare. "A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines," Talos researcher Vanja Svajcer said . "These subroutines appeared...

A new remote access trojan called MoonPeak has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign. Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky . MoonPeak, under active development by the threat actor, is a variant of the open-source Xeno RAT malware, which was previously deployed as part of phishing attacks that were designed to retrieve the payload from actor-controlled cloud services like Dropbox, Google Drive, and Microsoft OneDrive. Some of the key features of Xeno RAT include the ability to load additional plugins, launch and terminate processes, and communicate with a command-and-control (C2) server. Talos said the commonalities between the two intrusion sets either indicate UAT-5394 is actually Kimsuky (or its sub-group) or it's another hacking crew wi...

Cybersecurity researchers have shed light on a threat actor known as Blind Eagle that has persistently targeted entities and individuals in Colombia, Ecuador, Chile, Panama, and other Latin American nations. Targets of these attacks span several sectors, including governmental institutions, financial companies, energy and oil and gas companies. "Blind Eagle has demonstrated adaptability in shaping the objectives of its cyberattacks and the versatility to switch between purely financially motivated attacks and espionage operations," Kaspersky said in a Monday report. Also referred to as APT-C-36, Blind Eagle is believed to be active since at least 2018. The suspected Spanish-speaking group is known for using spear-phishing lures to distribute various publicly available remote access trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT. Earlier this March, eSentire detailed the adversary's use of a malware loader called Ande Loader to propa...

A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz . The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers. There is evidence pointing to UULoader being the work of a Chinese speaker due to the presence of Chinese strings in program database (PDB) files embedded within the DLL file. "UULoader's 'core' files are contained in a Microsoft Cabinet archive (.cab) file which contains two primary executables (an .exe and a .dll) which have had their file header stripped," the company said in a technical report shared with The Hacker News. One of the executables is a legitimate binary that's susceptible to DLL side-loading, which is used to sideload the DLL file that ultimately loads the final stage, an obfuscate file named "XamlHost.sys" that...

Chinese-speaking users are the target of an ongoing campaign that distributes a malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said . "Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim's system." Details about the campaign first emerged in June 2024, when Zscaler ThreatLabz detailed attacks involving an updated version of the malware. Exactly how the latest iteration of ValleyRAT is distributed is currently not known, although previous campaigns have leveraged email messages containing URLs pointing to compressed executables. "Based on the filenames of the executables we found, they're likely using phis...

Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware. Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions. "BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said . It's worth mentioning here that this technique has been observed in other Android banking trojans, such as Medusa (aka...

The remote access trojan known as Gh0st RAT has been observed being delivered by an "evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users. These infections stem from a fake website ("chrome-web[.]com") serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the web are being singled out. Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups. Some iterations of the trojan have also been previously deployed by infiltrating poorly-secured MS SQL server instances, using it as a conduit to install the Hidden open-source rootkit. According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is based on ...

The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell. The development marks the first time the adversary has been observed using the red teaming software, the Knownsec 404 Team said in an analysis published last week. The activity cluster, also called APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin. Known for conducting spear-phishing and watering hole attacks against China and Pakistan, the hacking crew is believed to be active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin. Last July, Knownsec 404 disclosed details of an espionage campaign aimed at universities and research organizations in China that leveraged a .NET-based implant codenamed EyeShell to fetch and execute commands from an attacker-controlled ...

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC , short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed. "It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week. These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettah...