A new phishing campaign has been observed delivering remote access trojans (RATs) such as VCURMS and STRRAT by way of a malicious Java-based downloader.
“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.
An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server.
The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.
Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.
Besides sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive.
This includes running arbitrary commands using cmd.exe, gathering system information, searching for and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.
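The behaviours described above (a JAR launched from a mail client, Java spawning cmd.exe, and a check-in email to the actor-controlled mailbox) are the kind of telemetry a defender can correlate per host. The following is an added detection sketch written for this article; it is not Fortinet's code or part of the original report. The event field names (`host`, `type`, `parent`, `image`, `cmdline`, `to`, `subject`, `body`) are assumptions modelled loosely on EDR/Sysmon-style and mail-gateway logs rather than any product's real schema, the sample events are constructed, and the mailbox and beacon phrase are the indicators quoted in the article, used here in undefanged form so they match log content.

```python
"""Correlate VCURMS-style host and mail telemetry (added example, not the article's code).

Field names are assumptions; sample events below are constructed for illustration.
"""
import json
from collections import defaultdict

# Indicators quoted in the article (mailbox undefanged so it matches real log content).
ACTOR_MAILBOX = "sacriliage@proton.me"
BEACON_PHRASE = "hey master, i am online"

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Assumption: typical parent processes when a user opens a mailed attachment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry, one JSON record per line.
SAMPLE_EVENTS = """
{"host":"WS01","type":"process","parent":"outlook.exe","image":"javaw.exe","cmdline":"javaw.exe -jar Payment-Advice.jar"}
{"host":"WS01","type":"process","parent":"javaw.exe","image":"cmd.exe","cmdline":"cmd.exe /c systeminfo"}
{"host":"WS01","type":"mail","direction":"out","to":"sacriliage@proton.me","subject":"Hey master, I am online","body":""}
{"host":"WS02","type":"process","parent":"explorer.exe","image":"javaw.exe","cmdline":"javaw.exe -jar build-tool.jar"}
{"host":"WS02","type":"mail","direction":"out","to":"colleague@example.com","subject":"lunch","body":"12:30?"}
{"host":"WS03","type":"process","parent":"javaw.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return {host: sorted list of finding names} for hosts with at least one hit."""
    findings = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmdline = ev.get("cmdline", "").lower()
            # Java runtime spawning a shell matches the cmd.exe execution described.
            if parent in JAVA_IMAGES and image == "cmd.exe":
                findings[host].add("java-spawns-cmd")
            # A JAR launched directly from a mail client matches the delivery step.
            if parent in MAIL_CLIENTS and image in JAVA_IMAGES and "-jar" in cmdline:
                findings[host].add("jar-launched-from-mail-client")
        elif ev["type"] == "mail" and ev.get("direction") == "out":
            if ev.get("to", "").lower() == ACTOR_MAILBOX:
                findings[host].add("mail-to-actor-mailbox")
            text = (ev.get("subject", "") + " " + ev.get("body", "")).lower()
            if BEACON_PHRASE in text:
                findings[host].add("beacon-phrase")
    return {host: sorted(hits) for host, hits in findings.items()}


def triage(findings):
    """Rate each host: a mail indicator or two or more behaviours is 'high', else 'medium'."""
    levels = {}
    for host, hits in findings.items():
        mail_hit = any(h in ("mail-to-actor-mailbox", "beacon-phrase") for h in hits)
        levels[host] = "high" if mail_hit or len(hits) >= 2 else "medium"
    return levels


if __name__ == "__main__":
    results = detect(parse_events(SAMPLE_EVENTS))
    for host, level in triage(results).items():
        print(host, level, results[host])
```

On the constructed sample, WS01 is rated high (all four behaviours), WS03 medium (only Java spawning cmd.exe, which also occurs with legitimate build tooling), and WS02 produces no findings. The mail-side indicators are the strongest single signals because a workstation has no ordinary reason to send mail to that address or with that phrase.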
The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.
VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.
“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.
The disclosure comes as Darktrace revealed a novel phishing campaign that is taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.
“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “The PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.’”