
Phishing Campaign Distributing RATs via Malicious Java Downloader: What You Need to Know

A recent campaign has been discovered distributing remote access trojans (RATs) such as VCURMS and STRRAT through a malicious Java-based downloader. According to Fortinet FortiGuard Labs researcher Yurren Wan, the attackers stored the malware on public services such as Amazon Web Services (AWS) and GitHub and used a commercial protector to evade detection.

One unique aspect of this campaign is VCURMS's use of a Proton Mail address (“sacriliage@proton[.]me”) to communicate with its command-and-control (C2) server. The attack begins with a phishing email that prompts recipients to click a button to verify payment information, which leads to the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS. This JAR file then retrieves two more JAR files, which are executed separately to launch the two trojans.

In addition to sending an email with the message “Hey master, I am online” to the actor-controlled address, the VCURMS RAT periodically checks that mailbox for emails with specific subject lines and extracts commands from the message body. These commands include running arbitrary commands via cmd.exe, gathering system information, searching for and uploading files, and downloading additional information-stealer and keylogger modules from the same AWS endpoint.
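The mail-based check-in and the payment-advice lure described above give a mail gateway two things to look for. The following detector is an added example, not code from the article or from Fortinet: it parses a constructed, hypothetical key=value mail-gateway log format and flags outbound mail to the actor mailbox, the check-in beacon text, and links to the lure JAR (the command subject lines are not named in the article, so they are not matched).

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted in the article (defanged forms re-fanged for matching).
ACTOR_MAILBOX = "sacriliage@proton.me"
BEACON_TEXT = "hey master, i am online"
LURE_FILENAME = "Payment-Advice.jar"

# Hypothetical gateway log line, one event per line:
# ts=<iso> dir=<in|out> from=<addr> to=<addr> subj="<text>" body="<text>" urls=<csv or ->
LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) dir=(?P<dir>in|out) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subj="(?P<subj>[^"]*)" body="(?P<body>[^"]*)" urls=(?P<urls>\S+)'
)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed log line into its fields; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def classify(event: Dict[str, str]) -> List[str]:
    """Return every reason this event matches the campaign's tradecraft (empty if benign)."""
    reasons = []
    if event["dir"] == "out" and event["to"].lower() == ACTOR_MAILBOX:
        reasons.append("outbound mail to actor-controlled mailbox")
    if BEACON_TEXT in event["body"].lower() or BEACON_TEXT in event["subj"].lower():
        reasons.append("VCURMS check-in beacon text")
    if event["urls"] != "-":
        for url in event["urls"].split(","):
            if url.rsplit("/", 1)[-1] == LURE_FILENAME:  # filename only, host may vary
                reasons.append(f"link to lure JAR {LURE_FILENAME}")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Run classify() over a log and keep only the events that matched."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], ev["from"], ev["to"], reasons))
    return hits

# Constructed sample log: a lure, a beacon, and one benign message.
SAMPLE_LOG = [
    'ts=2024-03-12T09:14:02Z dir=in from=billing@invoices.example to=user@corp.example '
    'subj="Payment advice" body="Click Verify to confirm your payment information" '
    'urls=https://payload-host.example/Payment-Advice.jar',
    'ts=2024-03-12T09:21:47Z dir=out from=user@corp.example to=sacriliage@proton.me '
    'subj="online" body="Hey master, I am online" urls=-',
    'ts=2024-03-12T09:30:00Z dir=out from=user@corp.example to=partner@example.org '
    'subj="Lunch" body="see you at noon" urls=-',
]
```

Running `scan(SAMPLE_LOG)` returns two hits: the lure email (JAR link) and the check-in email (actor mailbox plus beacon text); the benign message is dropped.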

The information stealer can extract sensitive data from apps like Discord and Steam; credentials, cookies, and auto-fill data from various browsers; screenshots; and detailed hardware and network information from compromised hosts. VCURMS shares similarities with another Java-based infostealer, Rude Stealer, which was first seen in the wild last year. STRRAT, on the other hand, has been detected since at least 2020 and is often distributed in fraudulent JAR files.

“STRRAT is a RAT built using Java, with a wide range of capabilities such as keylogging and extracting credentials from browsers and applications,” Wan noted.

This news comes as Darktrace revealed a new campaign that uses automated emails sent from Dropbox via “no-reply@dropbox[.]com” to spread a link to a fake Microsoft 365 login page. The email contains a link to a file hosted on Dropbox, named after a partner of the targeted organization. However, the file includes a suspicious link to a previously unseen domain: “mmv-security[.]top.”

In conclusion, it is essential to stay vigilant against phishing attacks and to be cautious when clicking links or downloading files from unknown sources. Strong security measures and regularly updated software also help protect against these threats.


Deitasoft © 2024. All Rights Reserved.