Rewterz

Rewterz Threat Alert – Nemty Ransomware May Spread via Compromised RDP Connections

August 27, 2019

Moving Ahead of Single-Step Password Authentication

August 27, 2019

Rewterz Threat Alert – Phishing Campaign Delivers Quasar RAT Payloads via Fake Resumes

Severity

Medium

Analysis Summary

A new phishing campaign uses fake resume attachments designed to deliver Quasar Remote Administration Tool (RAT) malicious payloads onto the Windows computers of unsuspecting targets.

Phishing is used by crooks to trick potential victims using social engineering techniques into handing over sensitive information via fraudulent websites they control or to deliver malicious content via e-mails appearing to be sent by someone they know or by a legitimate organization.

While using fake resumes and various other types of documents is a very common trick abused by cybercriminals operating malspam campaigns, the one targeting Windows users with the Quasar Remote Administration Tool (RAT).

Quasar RAT is a well-known open-source RAT developed using the C# programming language and known to have been used by a wide range of hacking groups including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

Phishing email sample

Delivery and infection process

The malspam campaign detected by Cofense distributes the Quasar RAT payload with the help of a password protected fake resume Microsoft Word document and it also “employs counter-detection measures to reach the end user.” After the potential victims enter the ‘123’ password also included in the phishing message, the fake resume document will ask for macros to be enabled so it can start the infection process as most similar attacks do.

The 'Enable macros' request

Impact

  • Credential theft
  • Exposure of sensitive information

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.