The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Remote Access Trojan

Researchers Find New Malware Attacks Targeting Russian Government Entities

Researchers Find New Malware Attacks Targeting Russian Government Entities
May 25, 2022Ravie Lakshmanan
An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes  said  in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as  Deep Panda . The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code. The campaign is said to have commenced around February 26, days after Russia's military invasion of Ukraine, with the emails distributing the RAT under the guise of an interac

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.
May 11, 2022Ravie Lakshmanan
A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called  Nerbian RAT  by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022. "The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," Proofpoint researchers  said  in a report shared with The Hacker News.  "It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis." The messages, amounting to less than 100 in number, purport to be from the World Health Organization about safety measures related to COVID-19, urging potential victims to open a macr

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware
April 27, 2022Ravie Lakshmanan
A China-linked government-sponsored threat actor observed striking European diplomatic entities in March may have been targeting Russian government officials with an updated version of a remote access trojan called  PlugX . Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG. "The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm  said  in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'" Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access,

Experts Warn of Hacking Group Targeting Aviation and Defense Sectors

Experts Warn of Hacking Group Targeting Aviation and Defense Sectors
February 15, 2022Ravie Lakshmanan
Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems. The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to a "cybercriminal threat actor" codenamed TA2541 that employs "broad targeting with high volume messages." The ultimate objective of the intrusions is unknown as yet. Social engineering lures used by the group does not rely on topical themes but rather leverages decoy messages related to  aviation , logistics, transportation, and travel. That said, TA2541 did briefly pivot to  COVID-19-themed lures  in the spring of 2020, distributing emails concerning cargo shipments of personal protective equipment (PPE) or testing kits. "While TA2541 is consistent i

New CapraRAT Android Malware Targets Indian Government and Military Personnel

New CapraRAT Android Malware Targets Indian Government and Military Personnel
February 07, 2022Ravie Lakshmanan
A politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT) in its espionage attacks aimed at Indian military and diplomatic entities. Called  CapraRAT  by Trend Micro, the implant is an Android RAT that exhibits a high "degree of crossover" with another Windows malware known as CrimsonRAT that's associated with Earth Karkaddan, a threat actor that's also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe. The first concrete signs of APT36's existence  appeared  in  2016  as the group began distributing information-stealing malware through phishing emails with malicious PDF attachments targeting Indian military and government personnel. The group is believed to be of  Pakistani origin  and operational since at least 2013. The threat actor is also known to be consistent in its modus operandi, with the attacks predominantly banking o

North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware

North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware
January 28, 2022Ravie Lakshmanan
A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea. "The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos  said . "Their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted." Most  recent intrusions  staged by the group, believed to be operating under the Kimsuky umbrella, involved targeting the Russian Federation's Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware. The infections, as with other attacks of this kind, starts with a malicious Microsoft Office document that, when opened, initiates a mult-stage process that involves several moving parts that help the attackers elevate privileges, eva

Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware

Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware
January 12, 2022Ravie Lakshmanan
Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as  Nanocore ,  Netwire , and  AsyncRAT  to siphon sensitive information from compromised systems. The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News. Using existing legitimate infrastructure to facilitate intrusions is increasingly becoming part of an attacker's playbook as it obviates the need to host their own servers, not to mention be used as a cloaking mechanism to evade detection by security solutions. In recent months, collaboration and communication tools like  Discord, Slack, and Telegram  have found a place in many an infection chain to  commandeer and exfiltrate data  from the victim machines. Viewed in that light, the abuse of

'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs

'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs
October 22, 2021Ravie Lakshmanan
A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans (RATs) that allow the adversary to gain complete control over the compromised endpoints. Cisco Talos attributed the cyber campaign to a "lone wolf" threat actor operating a Lahore-based fake IT company called Bunse Technologies as a front to carry out the malicious activities, while also having a history of sharing content that's in favor of Pakistan and Taliban dating all the way back to 2016. The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims. Specifically, the laced RTF files were found exploiting  CVE-2017-11882  to execute a PowerShell command that's responsible for deploying additional malware to

Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms

Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms
October 06, 2021Ravie Lakshmanan
Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks " Operation Ghostshell ," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom Fak

A New Wave of Malware Attack Targeting Organizations in South America

A New Wave of Malware Attack Targeting Organizations in South America
September 20, 2021Ravie Lakshmanan
A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research. Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as  APT-C-36  (aka Blind Eagle), a suspected South America espionage group that has been active since at least 2018 and  previously known  for setting its sights on Colombian government institutions and corporations spanning financial, petroleum, and manufacturing sectors. Primarily spread via fraudulent emails by masquerading as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain commences when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts and click on a link that's been generated from a URL short

New Android Malware Uses VNC to Spy and Steal Passwords from Victims

New Android Malware Uses VNC to Spy and Steal Passwords from Victims
July 29, 2021Ravie Lakshmanan
A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric  said  in a write-up shared with The Hacker News. "The actors chose to steer away from the commo

LodaRAT Windows Malware Now Also Targets Android Devices

LodaRAT Windows Malware Now Also Targets Android Devices
February 10, 2021Ravie Lakshmanan
A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives. "The developers of  LodaRAT  have added Android as a targeted platform," Cisco Talos researchers  said  in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities." Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted. The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor. First documented in May 2017 by  Proofpoint , Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture oth

HTTP Status Codes Command This Malware How to Control Hacked Systems

HTTP Status Codes Command This Malware How to Control Hacked Systems
May 15, 2020Ravie Lakshmanan
A new version of COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware—traced to Turla APT with "medium-to-low level of confidence" based on the history of compromised victims—spread via an initial dropper that masks itself as a visa application, the Global Research and Analysis Team at Kaspersky discovered. The Turla APT , a Russian-based threat group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies. First documented by G-Data in 2014, COMpfun received a significant upgrade last year (called "Reductor") after Kaspersky found that the malware was used to spy on a victim's browser activity by staging man-in-the-middle ( MitM ) attacks on encrypte

Europol Shuts Down 'Imminent Monitor' RAT Operations With 13 Arrests

Europol Shuts Down 'Imminent Monitor' RAT Operations With 13 Arrests
November 29, 2019Mohit Kumar
In a coordinated International law enforcement operation, Europol today announced to shut down the global organized cybercrime network behind Imminent Monitor RAT , yet another hacking tool that allows cybercriminals to gain complete control over a victim's computer remotely. The operation targeted both buyers and sellers of the IM-RAT (Imminent Monitor Remote Access Trojan), which was sold to more than 14,500 buyers and used against tens of thousands of victims across 124 countries. The infrastructure and front-end sale website of the Imminent Monitor have also been seized as part of this operation, making the Trojan unusable for those who already bought it, as well as unavailable for the new users. Promoted as a legitimate remote administration framework, the hacking tool was widely used to unauthorisedly access targeted users' computers and steal their login credentials for online banking and other financial accounts. According to Europol's press release , aut

New Android Spyware Created by Russian Defense Contractor Found in the Wild

New Android Spyware Created by Russian Defense Contractor Found in the Wild
July 25, 2019Swati Khandelwal
Cybersecurity researchers have uncovered a new piece of mobile surveillance malware believed to be developed by a Russian defense contractor that has been sanctioned for interfering with the 2016 U.S. presidential election. Dubbed Monokle , the mobile remote-access trojan has been actively targeting Android phones since at least March 2016 and is primarily being used in highly targeted attacks on a limited number of people. According to security researchers at Lookout, Monokle possesses a wide range of spying functionalities and uses advanced data exfiltration techniques, even without requiring root access to a targeted device. How Bad is Monokle Surveillance Malware In particular, the malware abuses Android accessibility services to exfiltrate data from a large number of popular third-party applications, including Google Docs, Facebook messenger, Whatsapp, WeChat, and Snapchat, by reading text displayed on a device's screen at any point in time. The malware also extracts

Exclusive: German Police Raid OmniRAT Developer and Seize Digital Assets

Exclusive: German Police Raid OmniRAT Developer and Seize Digital Assets
June 27, 2019Mohit Kumar
The German police yesterday raided the house of the developer of OmniRAT and seized his laptop, computer and mobile phones probably as part of an investigation into a recent cyber attack, a source told The Hacker News. OmniRAT made headlines in November 2015 when its developer launched it as a legitimate remote administration tool for IT experts and companies to manage their devices with explicit permissions. Available between $25 and $100, OmniRAT quickly became one of the most popular remote administration tools, allowing users to monitor Android, Windows, Linux, and Mac devices remotely and access every available information on them. However, just like any other remote administration tool like DroidJack, DarkComet, AndroRAT, and njRAT, some customers of OmniRAT also used the tool for illicit purposes, especially because it was available at a far cheaper price than other RATs in the market. In one such event earlier this year, a group of hackers attempted to target severa

LuminosityLink Hacking Tool Author Gets 30-Months Prison Sentence

LuminosityLink Hacking Tool Author Gets 30-Months Prison Sentence
October 17, 2018Swati Khandelwal
A 21-year-old Kentucky man who previously pleaded guilty to developing, marketing, and selling an infamous remote access trojan (RAT) called LuminosityLink has now been sentenced to 30 months in prison. According to a press release published Monday by U.S. Attorney's Office, Colton Grubbs, who used online moniker 'KFC Watermelon,' was pleaded guilty for three counts--unlawfully accessing computers in furtherance of a criminal act, money laundering, and illegal removal of property to prevent its lawful seizure. First surfaced in April 2015, the  LuminosityLink RAT  (Remote Access Trojan), also known as Luminosity, was a hacking tool that was sold for $40, marketing itself as a legitimate tool for Windows administrators to "manage a large number of computers concurrently." However, in reality, LuminosityLink was designed to be a dangerous, remote access trojan that among other malicious features, allowed Grubbs' customers to: Record the keys that victims

New Malware Family Uses Custom UDP Protocol for C&C Communications

New Malware Family Uses Custom UDP Protocol for C&C Communications
June 26, 2018Wang Wei
Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia. According to researchers from Palo Alto , the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia. However, in previous years, threat actors behind KHRAT Trojan were allegedly linked to a Chinese cyber espionage group, known as DragonOK. While monitoring the C&C infrastructure associated with KHRAT trojan, researchers identified multiple variants of these two malware families, where PLAINTEE appears to be the latest weapon in the group's arsenal that uses a custom UDP protocol to communicate with its remote command-and-control server. To deliver both PLAINTEE and DDKONG, attackers use spear phishing messages with different inf
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.