A discovery by FortiGuard Labs has revealed a phishing campaign that spreads VCURMS and STRRAT remote access trojans. By encouraging targets to download a malicious Java downloader, threat actors are able to deliver malware. Malicious actors store the malware on public services and utilize emails to direct the campaign.
Security leaders weigh in
Jason Soroko, Senior Vice President of Product at Sectigo:
“Malware writers are benefiting from the cloud and that shouldn’t surprise anyone. RAT malware typically harvests whatever it can, and the new VCURMS and STRRAT remote access trojans seems to have one or more keyloggers. This technique has been around for quite some time and is yet another example of why stronger authentication methods than simply a username and password are necessary.”
Darren Guccione, CEO and Co-Founder at Keeper Security:
“Phishing is becoming increasingly sophisticated. Bad actors at all levels are tailoring phishing scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites to lure in their victims. In this campaign, the cybercriminals are exploiting trusted cloud infrastructure and GitHub repositories to launch their malware– deploying several malicious programs and using layered obfuscation techniques.
“It is important for organizations to consistently train their employees to recognize potential phishing and social-engineering attacks. Users are the last line of defense, and it is important that they are educated about recognizing these attack vectors to protect themselves and their organizations.”
Adam Neel, Threat Detection Engineer at Critical Start:
“The new VCURMS and STRRAT remote access trojans are being spread through a typical phishing attack masquerading as an email with an important attachment. When the attachment is executed it will download the attacker's JAR files from their Amazon Web Services (AWS) instance, beginning the attack.
“AWS is a popular choice for malicious actors to host their malware due to its ease of use and protections attackers receive until they are discovered and reported. GitHub is also a popular choice to host malware for similar reasons. These services allow attackers to avoid detection by waiting until they already have a foothold on a system to deploy their malware and tools. Scripts are commonly used to pull their tools from these cloud services.
“Interestingly, one of the RATs installed during this attack (Windows.jar) sets up its command and control through email. This tactic is not commonly seen. Once ready, attackers are able to send emails that are parsed by the malware and turned into various commands. Some examples of commands that can be sent through this email C2 are setting up a shell on the system that allows attackers to execute commands, or downloading logs from the various infostealer and keylogger tools then sending them back as an attachment. It will be important to look out for any unexpected email traffic leaving the device.
“Even though this attack utilizes some uncommon techniques for obfuscation and defense evasion, it is important to note that users will remain safe as long as they do not download and execute the attachment in the phishing email. As always, it is imperative to exercise caution and use security best practices when browsing emails.”
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:
“Cybercriminals have been using commercial infrastructure and capabilities for many years to “live off the land”. This approach allows attackers to successfully circumvent signature and reputation based security tools and leverage “trusted” services to deliver payloads.
“The challenge for organizations who use AWS and other cloud services is that they often don’t know what cloud account or services they own or use themselves in the cloud, and simply see this as another unknown but implicitly trusted account within AWS. Until orgs can get this visibility and knowledge of their own usage, they will need to continue to verify their protections accurately identified these new variants.”