
New phishing campaigns have been observed delivering remote access Trojans (RATs) such as VCURMS and STRRAT via Java-based malicious downloaders.
“Attackers store malware on public services such as Amazon Web Services (AWS) and GitHub, and use commercial protection programs to avoid detection of the malware,” said Yurren Wan, a researcher at Fortinet FortiGuard Labs.
An unusual aspect of the campaign is VCURMS' use of a Proton Mail email address (“sacriliage@proton[.]me”) to communicate with its command-and-control (C2) server; the mailbox itself serves as the C2 channel.
The attack chain begins with a phishing email urging the recipient to click a button to verify payment information, which results in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.

Executing the JAR file causes two additional JAR files to be retrieved, which are then run separately to launch the two Trojans.
In addition to sending an email containing a “Hey Master, I’m online” message to an attacker-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines and extracts the commands to be executed from the message body.
These commands include using cmd.exe to execute arbitrary commands, collecting system information, searching for and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.
The information stealer can harvest sensitive data, including credentials and cookies from applications such as Discord and Steam, autofill data from various web browsers, screenshots, and extensive hardware and network information from the infected host.
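The behaviour described above (a downloaded JAR launched by Java, cmd.exe spawned by the Java process to run operator commands, and a mailbox used as the C2 channel) lends itself to simple endpoint detection logic. The following is an added example, not code from the article or from Fortinet: it runs three rules over constructed, Sysmon-like process-create and network-connect events. The field names, the list of user-writable launch directories, and the mail-service port list are assumptions; the page names only Proton Mail and says the JAR is downloaded, without giving ports or paths.

```python
"""Behavioural detection for the Java-based RAT chain described in the article.

Added example, not code from the page or from Fortinet. Events are constructed,
Sysmon-like records (field names are assumptions modelled on Sysmon Event ID 1,
process create, and ID 3, network connect). Three rules encode behaviour the
article attributes to the campaign:
  1. java.exe launching a JAR from a user-writable download/temp path
     (the directory list is an assumption; the page only says the JAR is downloaded),
  2. a Java process spawning cmd.exe (VCURMS runs operator commands via cmd.exe),
  3. a Java process connecting to mail-service ports (the RAT's C2 is a mailbox;
     the port list is an assumption, the page names only Proton Mail).
"""
import re
from dataclasses import dataclass

JAVA_IMAGES = {"java.exe", "javaw.exe"}
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}                            # SMTP/IMAP/POP3 (assumed)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")  # assumed
JAR_RE = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network connect
    image: str               # full path of the acting process
    parent_image: str = ""   # process create only
    command_line: str = ""   # process create only
    dest_host: str = ""      # network connect only
    dest_port: int = 0       # network connect only


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_jar_launch(command_line: str):
    """Return the lower-cased JAR path if `-jar` points into a user-writable directory, else None."""
    m = JAR_RE.search(command_line)
    if not m:
        return None
    path = (m.group(1) or m.group(2)).lower()
    if not path.endswith(".jar"):
        return None
    return path if any(d in path for d in USER_WRITABLE) else None


def detect(events):
    """Run all three rules; return (rule, image, detail) tuples in event order."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.event_id == 1 and img in JAVA_IMAGES:
            jar = suspicious_jar_launch(e.command_line)
            if jar:
                findings.append(("jar_from_user_dir", e.image, jar))
        if e.event_id == 1 and parent in JAVA_IMAGES and img == "cmd.exe":
            findings.append(("java_spawns_cmd", e.parent_image, e.command_line))
        if e.event_id == 3 and img in JAVA_IMAGES and e.dest_port in MAIL_PORTS:
            findings.append(("java_mail_c2", e.image, f"{e.dest_host}:{e.dest_port}"))
    return findings


JAVA = r"C:\Program Files\Java\jre-17\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample telemetry: the infection chain plus benign noise. Hostnames are placeholders.
SAMPLE_EVENTS = [
    Event(1, JAVA, r"C:\Windows\explorer.exe",
          f'"{JAVA}" -jar "C:\\Users\\alice\\Downloads\\Payment-Advice.jar"'),
    Event(3, JAVA, dest_host="mail-host.invalid", dest_port=993),   # mailbox poll for commands
    Event(1, CMD, JAVA, "cmd.exe /c systeminfo"),                    # operator command via cmd.exe
    Event(1, CMD, r"C:\Windows\explorer.exe", "cmd.exe"),            # user opened a shell: benign
    Event(3, JAVA, dest_host="repo.invalid", dest_port=443),         # ordinary HTTPS from Java: benign
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {image} -> {detail}")
```

Each rule alone is noisy on hosts that legitimately run Java desktop software; correlating two or three of them on the same host within a short window is what gives a usable alert, and the tuple output is structured so that a SIEM query can do that join.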
VCURMS is said to be similar to another Java-based information-stealing program codenamed Rude Stealer that emerged late last year. STRRAT, on the other hand, has been spotted in the wild since at least 2020, often distributed as fraudulent JAR files.

“STRRAT is a RAT built using Java that has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.
The disclosure comes as Darktrace detailed a novel phishing campaign that abuses the Dropbox cloud storage service to send automated emails from “no-reply@dropbox[.]com” carrying links that lead to a fake Microsoft 365 login page.
“The email itself contains a link that leads users to a PDF file hosted on Dropbox that appears to be named after a partner of the organization,” the company said. Suspicious links to the domain ‘mmv-security[.]top’ were seen in customer environments.