Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

March 13, 2024 at 06:21AM

A recent phishing campaign has been observed distributing remote access trojans (RATs) such as VCURMS and STRRAT through a malicious Java-based downloader. The attackers host the malware on public services such as AWS and GitHub, and VCURMS uses a Proton Mail address to communicate with its command-and-control (C2) infrastructure. The chain starts with a phishing email that leads the recipient to download a malicious JAR file; the delivered trojans can log keystrokes, extract data from browsers and applications, and execute commands. Separately, a phishing campaign abusing automated Dropbox emails to spread malicious links has also been reported.

Key takeaways from the report:

1. A new phishing campaign has been observed delivering remote access trojans (RATs) such as VCURMS and STRRAT through a malicious Java-based downloader.

2. The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, using a commercial protector to avoid detection.

3. VCURMS RAT uses a Proton Mail email address (“sacriliage@proton[.]me”) to communicate with a command-and-control (C2) server – an unusual aspect of the campaign.

4. The attack chain begins with a phishing email urging recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.

5. The VCURMS RAT has the capability to run arbitrary commands, gather system information, search and upload files, and extract sensitive data from various applications and browsers.

6. STRRAT is a RAT built using Java with capabilities such as keylogging and extracting credentials from browsers and applications.

7. Darktrace revealed a separate phishing campaign taking advantage of automated emails sent from Dropbox to propagate a bogus link mimicking the Microsoft 365 login page.
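As an added triage example (not code from the original article or from the researchers it cites), the script below covers the two handles a defender has on the chain in points 2 to 4: it flags email links that point at JAR files on public staging hosts, and it inspects a JAR for the Main-Class and for hard-coded indicators such as cloud hosts and the Proton Mail domain. The host list, the indicator strings, the sample email and the stand-in JAR are constructed assumptions, not artefacts from the campaign.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Public hosts the campaign abused for staging (AWS, GitHub); the exact
# suffix list is an assumption, extend it for your environment.
STAGING_HOST_SUFFIXES = ("amazonaws.com", "github.com", "githubusercontent.com")

# Byte strings worth flagging inside JAR members; assumed indicators drawn
# from the report (cloud staging hosts, Proton Mail used for C2).
JAR_INDICATORS = (b"amazonaws.com", b"github.com", b"githubusercontent.com", b"proton.me")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _on_staging_host(host: str) -> bool:
    """Exact or subdomain match, so 'evil-amazonaws.com' does not match."""
    return any(host == s or host.endswith("." + s) for s in STAGING_HOST_SUFFIXES)


def suspicious_jar_links(email_body: str) -> List[str]:
    """Return every URL in the body that points at a .jar on a staging host."""
    hits = []
    for url in URL_RE.findall(email_body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".jar") and _on_staging_host(host):
            hits.append(url)
    return hits


@dataclass
class JarReport:
    main_class: Optional[str]
    # indicator -> names of JAR members that contain it
    indicators: Dict[str, List[str]] = field(default_factory=dict)


def inspect_jar(jar_bytes: bytes) -> JarReport:
    """Read the manifest's Main-Class and grep each member for indicators.

    String constants survive compilation in the class constant pool, so a
    substring search over member bytes finds hard-coded hosts unless the
    sample is obfuscated or packed (the report says a commercial protector
    was used, in which case the downloader must be unpacked first)."""
    report = JarReport(main_class=None)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "META-INF/MANIFEST.MF":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        report.main_class = line.split(":", 1)[1].strip()
            for indicator in JAR_INDICATORS:
                if indicator in data:
                    report.indicators.setdefault(indicator.decode(), []).append(name)
    return report


# Constructed sample email; the bucket and file names are made up.
SAMPLE_EMAIL = """\
Subject: Payment advice

Please verify your payment details here:
https://example-bucket.s3.amazonaws.com/Payment-Advice.jar

Our catalogue: https://www.example.com/catalogue.pdf
"""


def build_sample_jar() -> bytes:
    """Constructed stand-in for a downloader JAR (not the real sample).

    The 'class' member is fake: the class-file magic followed by the kind of
    string constants a real downloader would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Downloader\r\n\r\n")
        zf.writestr("Downloader.class",
                    b"\xca\xfe\xba\xbe"
                    b"https://example-bucket.s3.amazonaws.com/stage2.jar"
                    b"mail.proton.me")
    return buf.getvalue()


if __name__ == "__main__":
    print("JAR links:", suspicious_jar_links(SAMPLE_EMAIL))
    report = inspect_jar(build_sample_jar())
    print("Main-Class:", report.main_class)
    for indicator, members in report.indicators.items():
        print(f"  {indicator}: {members}")
```

The link check deliberately matches only the staging host and a `.jar` path, not the file name from the report, since file names change between waves while the hosting pattern is what the report singles out; the JAR check is a first-pass triage, and a protected sample will show nothing until it is unpacked.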
