A new phishing campaign has been observed distributing remote access trojans (RATs) such as VCURMS and STRRAT via a malicious Java-based downloader.
“Attackers have stored malware on public services such as Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” said Yurren Wan, researcher at Fortinet FortiGuard Labs.
An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) to communicate with a command and control (C2) server.
The attack chain begins with a phishing email inviting recipients to click a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.
Execution of the JAR file leads to the recovery of two more JAR files, which are then executed separately to launch the twin Trojans.
In addition to sending an email with the message “Hey master, I’m online” to the address controlled by the actor, VCURMS RAT periodically checks the inbox for emails with a specific subject line and extracts the command to execute from the body of the message.
This includes executing arbitrary commands using cmd.exe, collecting system information, searching for and uploading files of interest, and downloading additional information-stealing modules and keyloggers from the same AWS endpoint.
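The behaviours described above (a JAR launched from a user download directory, a Java process spawning cmd.exe, and a Java process talking to a webmail provider over mail ports) can be turned into simple host-telemetry checks. The following is an added detection sketch written for this article, not code from Fortinet or from the malware; the event shape and the sample events are constructed, and the rule names and the Temp/Downloads path list are assumptions you would tune to your own telemetry.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\alice\Downloads\Payment-Advice.jar"'},
    {"type": "process", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "network", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "dest_host": "mail.proton.me", "dest_port": 993},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "mail.proton.me", "dest_port": 993},
]

JAVA_RE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
# Assumed user-writable locations a phished JAR would typically be run from.
USER_DIRS_RE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\[^\\]+\.jar",
                          re.IGNORECASE)
MAIL_PORTS = {25, 143, 465, 587, 993, 995}
WEBMAIL_SUFFIXES = ("proton.me", "protonmail.com")  # provider named in the report


def is_java(path: str) -> bool:
    return bool(JAVA_RE.search(path or ""))


def classify(event: dict) -> list[str]:
    """Return the rule names an event trips (empty if it looks benign)."""
    hits = []
    if event["type"] == "process":
        if is_java(event["parent"]) and event["image"].lower().endswith("\\cmd.exe"):
            hits.append("java_spawns_cmd")      # RAT running commands via cmd.exe
        if is_java(event["image"]) and "-jar" in event["cmdline"] \
                and USER_DIRS_RE.search(event["cmdline"]):
            hits.append("jar_from_user_dir")    # phished JAR launched from Downloads
    elif event["type"] == "network":
        if is_java(event["image"]) and event["dest_port"] in MAIL_PORTS \
                and event["dest_host"].endswith(WEBMAIL_SUFFIXES):
            hits.append("java_mail_c2")         # Java speaking IMAP/SMTP to webmail
    return hits


def scan(events: list[dict]) -> dict[str, int]:
    """Count rule hits across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```

A real mail client reaching the same provider (the Thunderbird event) and a plain cmd.exe launched from Explorer produce no hits, so alerting only when two or more of these rules fire for the same process tree keeps the false-positive rate manageable.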
The information stealer is equipped with capabilities to steal sensitive data from apps like Discord and Steam, credentials, cookies and autofill data from various web browsers, screenshots, and extensive hardware and network information on compromised hosts.
VCURMS is said to share similarities with another Java-based infostealer, codenamed Rude Stealer, which emerged late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.
“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as acting as a keylogger and extracting credentials from browsers and applications,” Wan noted.
The disclosure comes as Darktrace revealed a new phishing campaign exploiting automated emails sent by cloud storage service Dropbox via “no-reply@dropbox[.]com” to propagate a fake link that mimics the Microsoft 365 login page.
“The email itself contained a link that took the user to a PDF file hosted on Dropbox, apparently named after a partner of the organization,” the company said. “The PDF file contained a suspicious link to a domain never seen before in the customer’s environment, ‘mmv-security[.]superior.’”