A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.
“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.
The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.
Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.
VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.
“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.
The disclosure comes as Darktrace revealed a novel phishing campaign that’s taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.
“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “the PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.'”
Source: https://thehackernews.com/
