Skip links

Watch out for phishing emails that inject spyware trio

An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information.

Researchers with Fortinet’s FortiGuard Labs threat intelligence unit have been tracking this mailspam campaign since May, outlining how three remote access trojans (RATs) are fired into the system once the attached file is opened in Excel. From there, the malicious code will not only steal information, but can also remotely control aspects of the PC.

The first of the three pieces of malware is AveMariaRAT (also known as Warzone RAT), followed by Pandora hVCN RAT and BitRAT.

AveMariaRAT has a range of features, from stealing sensitive data to achieving privilege escalation, remote desktop control, and camera capturing. It has a keylogger, and it looks through the PC for passwords to steal from web browsers, email clients, and more.

Next up is Pandora hVNC RAT, “which is a commercial software … developed using C#, a Microsoft .Net framework,” FortiGuard Labs analyst Xiaopeng Zhang detailed in a write up.

“It supports features to steal credentials from some popular applications, like Chrome, Microsoft Edge, Firefox, Outlook, Foxmail, and so on. It also supports control commands to control the victim’s device, such as starting a process, capturing the screenshot, manipulating the victim’s mouse and keyboard, and more.”

Then comes BitRAT, which has lots of commands for remotely controlling the victim’s device.

The malware “is said to be a high quality and efficient RAT,” according to Zhang. “It provides information collection like clipboard logger, keylogger, application credentials, Webcam logging, and Voice Recording. It has wide control commands for controlling the victim’s device, including downloading and executing a file, performing remote desktop control, controlling processes and services, reverse socks, and more.”

BitRAT is popular among threat actors because of its versatility and low cost – $20 for lifetime access, according to cybersecurity vendor Bitdefender. In March, it was tied to a campaign that targeted people trying to use pirated versions of Windows. The malware’s payload was delivered as a Windows 10 Pro operating system license activator and was promoted on webhards – online storage services used widely in South Korea.

The fact that attackers can use BitRAT in multiple operations – in phishing campaigns as well as trojanized software and watering hole attacks – means it should be on network defenders’ radars.

In the phishing campaign uncovered by Fortinet, an email arrives with an Excel file that contains malicious macros. The entire process relies on the mark opening the file, ignoring Microsoft’s warnings, and enabling the execution of macros – a bit of basic infosec hygiene on which every employee should be trained.

Phishing has been a preferred method for threat groups to get their malware into corporate networks, and only increased since the COVID-19 pandemic sent most employees home to work, outside the corporate network. According to Verizon, there were 11 percent more phishing attacks in 2021 than the year before, and email security firm Tessian argued that phishing is the second most expensive cause of all data breaches in a report. ®