RuRAT Malware Used in Spear-phishing Attacks Against US media Organizations

Description

FortiGuard Labs is aware of a report that RuRAT malware was distributed in the recent spear-phishing attack against media organizations in the United States. While the tactic used in this attack is not sophisticated, the installed RuRAT malware provides the attacker a foothold into the victim's network where confidential information will be collected for further activities.

Why is this Significant?

This is significant because media organizations in the United States are reported to have been targeted in the spear-phishing attack. RuRAT payload provides the attacker an opportunity to collect confidential information from the compromised machine and perform lateral movement in the victim's network. Not connected in any way to this attack, TV broadcasters in South Korea were affected by a wiper malware served through a malicious backdoor program in 2013 in which their operations were significantly disrupted.

How does the Attack Work?

According to the report by Cluster25, the victims received an email with a link. The email has the following content:

"Hello, we are a group of venture capitalists investing in promising projects. We saw your website and were astounded by your product. We want to discuss the opportunity to invest or buy a part of the share in your project. Please get in touch with us by phone or in Vuxner chat. Your agent is Philip Bennett. His username in Vuxner is philipbennett Make sure you contact us ASAP because we are not usually so generous with our offers. Thank you in advance!"

Upon clicking the link, the victim is redirected to a Web page where the victim is instructed to click a link to download and install a software Vuxner chat. The downloaded file is an installer for Vuxner Trillian not Vuxner chat. After the victim completes the installation and exits the installer, another remote file, turns out to be an installer for RuRAT, is downloaded and installed onto the victim's machine.

What is RuRAT?

RuRAT, the first report of which goes back to at least October 2020, is a Remote Access Trojan (RAT) that provides an attacker a remote access to the compromised machine. Functionalities of RuRAT include:

- Listening for incoming communications

- Taking screenshots

- Keylogging

- Recording Audio

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for files involved in this attack:

W32/IndigoRose.AP!tr.dldr

W32/RemoteUtilities.W!tr

W32/Agent.9EE5!tr

All network IOCs are blocked by the WebFiltering client.

Appendix

RuRAT Used In Spear-Phishing Attacks Against Media Organizations In United States (Cluster25)