Tag: RAT

Phishing Campaign Delivers FlawedAmmyy, RMS RATs

A new campaign delivering various remote access Trojans (RATs) is likely the work of a known Dridex/Locky operator, Morphisec security researchers warn. Dubbed Pied Piper, the campaign targets users in multiple countries and is likely operated by TA505, the threat group known to have orchestrated large Dridex and Locky attacks in the past. Observed starting last week, the phishing attempts use documents with malicious macros for malware delivery.

The campaign is multi-staged and still ongoing, with a version delivering the FlawedAmmyy RAT, while another variant dropping the Remote Manipulator (RMS) RAT. Earlier this year, TA505 was observed exploiting an Office zero-day to deliver the FlawedAmmyy RAT.

Read more about the new campaign by TA505 on SecurityWeek.

Hacking group returns, switches attacks from ransomware to trojan malware

A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs.

Read more about the new campaign by TA505 on ZDNet.

FlawedAmmy: Dangerous RAT enteres most wanted malware list

The latest Check Point Global Threat Index reveals that while cryptomining malware continues to dominate the rankings, a remote access Trojan has reached the top ten’s list for the first time. During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data.

Meanwhile, cryptomining malware continues to lead the Index, with Coinhive the most prevalent malware with a global impact of 18%, while Cryptoloot has risen to second on the list impacting 8% of organizations worldwide.

Read more about the latest Check Point index on Help Net Security.

Dyreza Banking Threat Back to Target North America

A spam email campaign that is using a wire transfer lure—“You’ve been sent $35,292!”—is spreading both the Upatre Trojan and the Dyre remote access tool (RAT) malware.

“During the past week, our telemetry showed [that] this threat was predominately seen in North America and attempts to compromise both consumer and enterprise machines,” said Microsoft researcher Patrick Estavillo said, in a notice from the Microsoft Malware Protection Center (MMPC). Upatre typically uses spam email campaigns to spread and then downloads other malware onto the infected PC.

Read more about the Dyreza RAT which is targeting banking customers in North America on Info Security.

Developers of Android RAT DroidJack Traced to India

The creators of the Android remote administration tool (RAT) called DroidJack started off as legitimate application developers, but when they realized that their products were not as successful as they had hoped, they turned to developing a crimeware tool.

Researchers at Symantec have been monitoring the evolution of the threat, which was first released in April 2013 on Google Play as Sandroid, a legitimate application for controlling PCs from an Android smartphone.

In late December 2013, someone announced the availability of SandroRAT on a hacker forum. SandroRAT was advertised as an Android application that could be used to take control of smartphones from a computer. The advertisement contained links to the Sandroid app on Google Play.

SandroRAT was analyzed by researchers at McAfee in August when it had been distributed via spam emails as a Kaspersky mobile security application. At the time, attackers targeted banking users in Poland.

Read more about how the security researchers found DroidJack to be originating from India on Security Week.

16 arrested in European bust over RAT spyware

A European crackdown on the use of spyware has resulted in the arrest of 16 people across seven countries. The arrests, announced by Europol late last week, were made in Estonia, France, Romania, Latvia, Italy, Norway, and United Kingdom, targeting people suspected to have used remote access tools (RATs) for cybercrime.

As Europol noted, while RATs are functionally similar to the remote administration tools used to provide remote support in corporate environments, the key difference is that permission has been granted by the end user. Victims’ PCs typically become infected after clicking on a malicious link purporting to be a video or picture. Well known RATs, such as Blackshades and DarkComet, pose a privacy and security threat to victims, with features that enable the controller to remotely activate the infected PC’s webcam, steal banking credentials, and participate in denial of service attacks.

The UK’s National Crime Agency on Friday announced the arrests of five people accused of using RATs, while another suspect was brought in for questioning.

Read more about the 16 arrests made in Europe on ZDNet.