

Rewterz Threat Update – Over 150K UAE Network Apps and Devices Discovered Wide Open Online
March 15, 2024
Rewterz Threat Alert – RedCurl APT Group Exploits Legitimate Windows PCA Tool for Corporate Espionage – Active IOCs
March 17, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a new phishing campaign that distributes remote access trojans (RATs) such as STRRAT and VCURMS through a malicious downloader written in Java. The malware is hosted on public services such as GitHub and Amazon Web Services (AWS), which helps it blend in with legitimate traffic and evade detection.
The researchers said, “The attacker attempts to use email as its command and control throughout the attack campaign. The receiving endpoint utilizes Proton Mail, which offers email services that include privacy protection.”
The attack chain begins with a phishing email that tricks the recipient into clicking a button to verify payment information; doing so downloads a malicious JAR file named “Payment-Advice.jar” from AWS. Once the file is executed, it fetches two additional JAR files, which are run separately to launch the two trojans.

VCURMS periodically checks a mailbox for emails with specific subjects to retrieve commands for execution, and sends an email to the actor-controlled address with the message “Hey master, I am online”. Supported commands include running arbitrary commands through cmd.exe, searching for files of interest and uploading them, harvesting system information, and downloading keylogger and information stealer modules from the same AWS endpoint.
The information stealer can extract sensitive data from commonly used apps such as Steam and Discord; harvest cookies, credentials, and auto-fill data from several browsers; collect extensive network and hardware information about the infected device; and take screenshots.
VCURMS shares similarities with another infostealer made in Java called Rude Stealer, discovered in the wild in 2023. On the other hand, STRRAT emerged on the cyber landscape in 2020 and is usually distributed in the form of malicious JAR files. This RAT is created using Java as well and shows a wide range of capabilities that include keylogging and harvesting credentials from apps and browsers.
The disclosure comes after a new phishing campaign was discovered leveraging automated emails that are sent from the Dropbox cloud storage service to distribute a fraudulent link masquerading as the Microsoft 365 login page. The phishing email contained a link that, when clicked, leads the targeted user to a PDF file hosted on Dropbox, possibly named after a partner of the user’s organization. The PDF file had another suspicious link to a domain never seen before in the customer’s environment.
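As an added example (not code from the advisory or its researchers), the following Python hunting logic runs over constructed, Sysmon-style telemetry and flags the three behaviours described above: the “Payment-Advice.jar” lure being run by Java, a Java process spawning cmd.exe, and a Java process opening an SMTP/IMAP connection consistent with email-based command and control. The event field names, hostnames and sample values are assumptions, not a real product’s schema.

```python
"""Hunting logic for the VCURMS/STRRAT delivery chain over constructed sample events."""
import re

# Constructed sample telemetry (field names assumed, not a real product's schema).
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "javaw.exe -jar C:\\Users\\u\\Downloads\\Payment-Advice.jar"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "network", "image": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "dest_host": "mail.example.invalid", "dest_port": 993},  # placeholder host
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

JAVA_RE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
LURE_RE = re.compile(r"payment-advice\.jar", re.IGNORECASE)
MAIL_PORTS = {25, 465, 587, 143, 993}  # SMTP/IMAP ports usable for email-based C2


def is_java(path):
    """True when the image path is java.exe or javaw.exe."""
    return bool(JAVA_RE.search(path))


def find_suspicious(events):
    """Return (rule_name, event) pairs for events matching the three behaviours."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            # Lure JAR launched by the Java runtime.
            if is_java(ev["image"]) and LURE_RE.search(ev["cmdline"]):
                hits.append(("jar_lure_executed", ev))
            # Java runtime spawning a shell: arbitrary command execution via cmd.exe.
            if ev["image"].lower().endswith("\\cmd.exe") and is_java(ev["parent"]):
                hits.append(("java_spawns_cmd", ev))
        elif ev["type"] == "network":
            # Java process talking mail protocols directly: email used as C2 channel.
            if is_java(ev["image"]) and ev["dest_port"] in MAIL_PORTS:
                hits.append(("java_mail_protocol", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in find_suspicious(SAMPLE_EVENTS):
        print(rule, ev["image"])
```

Legitimate Java applications can also send mail, so the network rule is best used as a triage signal alongside the other two rather than as a standalone alert.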
Impact
- Unauthorized Access
- Credential Theft
- Sensitive Data Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.