
"The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said. "These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools," Yurren Wan said."
"Present within the ZIP file is an executable that, in turn, triggers the execution of MostereRAT, which is then used to drop several tools like AnyDesk, TigerVNC, and TightVNC using modules written in EPL. A noteworthy aspect of the malware is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, thereby allowing it to sidestep detection."
A phishing campaign delivers a banking trojan turned remote-access trojan named MostereRAT. The attack uses advanced evasion techniques including staged payloads developed in Easy Programming Language (EPL), disabling of security tools, and mutual TLS (mTLS) for C2 communications, which also means the C2 traffic cannot be inspected or impersonated without the client certificate. The emails primarily target Japanese users with business-related lures that lead to a booby-trapped Word document embedding a ZIP archive. The ZIP contains an executable that launches MostereRAT, which drops AnyDesk, TigerVNC, and TightVNC using EPL-written modules. The malware disables Windows security mechanisms and blocks network traffic tied to a hard-coded list of security programs via Windows Filtering Platform (WFP) filters, so the affected agents stay running but can no longer reach their cloud consoles; this allows stealthy persistence and plugin-based feature extension.
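The WFP-based blocking of security tools described above is something a responder can hunt for on a suspect host. The script below is an added example, not code from the article or from Fortinet: it parses a dump produced by the built-in `netsh wfp show filters file=<path>` command and lists every BLOCK filter whose application-ID condition points at a known security-product binary. The XML element names (`filters/item`, `action/type`, `filterCondition/item/fieldKey`, `conditionValue/byteBlob/asString`) are assumed from the netsh dump layout and should be checked against a real dump before relying on the parser; the marker list of binaries and the embedded sample dump are constructed for the example.

```python
# Hunt for Windows Filtering Platform (WFP) block filters aimed at security
# products. Added example, not code from the article or from Fortinet.
# Assumed: the XML layout written by `netsh wfp show filters file=<path>`.
import sys
import xml.etree.ElementTree as ET

# Assumed marker list: image names of security tools to look for in app-ID
# conditions. Extend with the AV/EDR binaries deployed in your environment.
SECURITY_TOOL_MARKERS = (
    "msmpeng.exe",        # Microsoft Defender Antivirus engine
    "nissrv.exe",         # Defender network inspection service
    "mssense.exe",        # Microsoft Defender for Endpoint sensor
    "sensendr.exe",
    "sensecncproxy.exe",
)

# Constructed sample dump: a BLOCK filter on MsMpEng (must be flagged), a
# PERMIT filter on the same binary and a BLOCK filter on curl (must not be).
SAMPLE_XML = r"""<wfpdiag>
 <filters>
  <item>
   <filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
   <displayData><name>Block MsMpEng</name></displayData>
   <providerKey>{22222222-2222-2222-2222-222222222222}</providerKey>
   <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
   <action><type>FWP_ACTION_BLOCK</type></action>
   <filterCondition>
    <item>
     <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
     <matchType>FWP_MATCH_EQUAL</matchType>
     <conditionValue>
      <type>FWP_BYTE_BLOB_TYPE</type>
      <byteBlob><asString>\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe</asString></byteBlob>
     </conditionValue>
    </item>
   </filterCondition>
  </item>
  <item>
   <filterKey>{33333333-3333-3333-3333-333333333333}</filterKey>
   <displayData><name>Permit MsMpEng</name></displayData>
   <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
   <action><type>FWP_ACTION_PERMIT</type></action>
   <filterCondition>
    <item>
     <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
     <matchType>FWP_MATCH_EQUAL</matchType>
     <conditionValue>
      <type>FWP_BYTE_BLOB_TYPE</type>
      <byteBlob><asString>\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe</asString></byteBlob>
     </conditionValue>
    </item>
   </filterCondition>
  </item>
  <item>
   <filterKey>{44444444-4444-4444-4444-444444444444}</filterKey>
   <displayData><name>Block curl</name></displayData>
   <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
   <action><type>FWP_ACTION_BLOCK</type></action>
   <filterCondition>
    <item>
     <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
     <matchType>FWP_MATCH_EQUAL</matchType>
     <conditionValue>
      <type>FWP_BYTE_BLOB_TYPE</type>
      <byteBlob><asString>\device\harddiskvolume3\windows\system32\curl.exe</asString></byteBlob>
     </conditionValue>
    </item>
   </filterCondition>
  </item>
 </filters>
</wfpdiag>"""


def find_blocking_filters(xml_text, markers=SECURITY_TOOL_MARKERS):
    """Return BLOCK filters whose app-ID condition names a security binary."""
    root = ET.fromstring(xml_text)
    hits = []
    for flt in root.iterfind("./filters/item"):
        if flt.findtext("./action/type", default="") != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.iterfind("./filterCondition/item"):
            if cond.findtext("./fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext("./conditionValue/byteBlob/asString") or "").lower()
            if any(marker in app for marker in markers):
                hits.append({
                    "filter_key": flt.findtext("./filterKey", default=""),
                    "name": flt.findtext("./displayData/name", default=""),
                    "provider": flt.findtext("./providerKey", default=""),
                    "layer": flt.findtext("./layerKey", default=""),
                    "app": app,
                })
    return hits


if __name__ == "__main__":
    # Usage: netsh wfp show filters file=filters.xml  (elevated), then
    #        python wfp_hunt.py filters.xml   (no argument: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for hit in find_blocking_filters(data):
        print(f"{hit['layer']}  {hit['name']!r}  provider={hit['provider'] or '-'}  app={hit['app']}")
```

Filters registered directly through the WFP API do not appear in `Get-NetFirewallRule` or the Windows Firewall UI, which is why the netsh dump (or the equivalent `FwpmFilterEnum0` call) is the right place to look. A hit here is a strong signal on its own; a filter that names a security binary and carries no provider key or one that matches no installed product deserves a second look even if its name sounds benign.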
Read at The Hacker News