phishing RAT
15 Mar

Java-Based Phishing Campaign Unleashes RATs VCURMS and STRRAT

A recent phishing scheme has been detected deploying remote access trojans (RATs) like VCURMS and STRRAT using a malicious Java-based downloader.

According to researcher Yurren Wan, the attackers utilized public platforms such as Amazon Web Services (AWS) and GitHub to store malware, employing a commercial protector to evade detection.

An interesting aspect of this campaign is VCURMS’ use of a Proton Mail address (“sacriliage@proton[.]me”) to communicate with a command-and-control (C2) server. The attack starts with a phishing email prompting recipients to click on a button to confirm payment details, leading to the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS. Executing this file results in fetching two more JAR files, which then deploy the twin trojans.

VCURMS RAT sends periodic emails to the actor-controlled address with the message “Hey master, I am online” and checks the mailbox for specific subject lines to extract commands for execution. These commands include running arbitrary commands using cmd.exe, gathering system information, searching and uploading files, and downloading additional modules from the same AWS endpoint. The information stealer module can extract data from various applications like Discord and Steam, browser credentials, cookies, screenshots, and extensive hardware and network information.
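The behaviour described above (a check-in message to a fixed mailbox, commands read back from the same mailbox, and additional JARs pulled from the endpoint that served the first one) is observable in mail and web-proxy telemetry. The following triage script is an added example, not code from the original report or from the researchers it cites: it runs a few detection rules over constructed mail and download records. The indicators it matches (the Proton Mail address, the check-in text and the dropper filename) are the ones quoted in the report; the bucket hostname, the second- and third-stage JAR names, the host names and the "two or more JARs from one endpoint" threshold are assumptions made up for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted in the report (defanged "[.]" restored so they match raw telemetry).
C2_MAILBOX = "sacriliage@proton.me"
BEACON_TEXT = "hey master, i am online"
DROPPER_NAME = "payment-advice.jar"
# Assumption for this example: two or more JARs fetched from one endpoint by one host
# is treated as a staged download chain worth reviewing.
JAR_CHAIN_MIN = 2


@dataclass(frozen=True)
class MailEvent:
    host: str        # internal host that sent or received the mail
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass(frozen=True)
class DownloadEvent:
    host: str        # internal host that made the request
    url_host: str    # server the file was fetched from
    url_path: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def inspect_mail(evt: MailEvent) -> list[Finding]:
    """Flag traffic with the C2 mailbox in either direction and the check-in phrase."""
    findings: list[Finding] = []
    parties = {evt.sender.lower(), evt.recipient.lower()}
    if C2_MAILBOX in parties:
        findings.append(Finding(evt.host, "vcurms_c2_mailbox", C2_MAILBOX))
    if BEACON_TEXT in f"{evt.subject} {evt.body}".lower():
        findings.append(Finding(evt.host, "vcurms_beacon_text", evt.subject or evt.body))
    return findings


def inspect_downloads(events: list[DownloadEvent]) -> list[Finding]:
    """Flag the named dropper and any host pulling several JARs from one endpoint."""
    findings: list[Finding] = []
    jars_by_host_endpoint: dict[tuple[str, str], list[str]] = defaultdict(list)
    for evt in events:
        path = evt.url_path.lower()
        if path.endswith(DROPPER_NAME):
            findings.append(Finding(evt.host, "vcurms_dropper_name", evt.url_path))
        if path.endswith(".jar"):
            jars_by_host_endpoint[(evt.host, evt.url_host.lower())].append(evt.url_path)
    for (host, endpoint), paths in jars_by_host_endpoint.items():
        if len(paths) >= JAR_CHAIN_MIN:
            findings.append(Finding(host, "staged_jar_chain", f"{endpoint}: {', '.join(paths)}"))
    return findings


def triage(mail: list[MailEvent], downloads: list[DownloadEvent]) -> list[Finding]:
    findings: list[Finding] = []
    for evt in mail:
        findings.extend(inspect_mail(evt))
    findings.extend(inspect_downloads(downloads))
    return findings


# Constructed sample telemetry (not real data). "ws-17" plays the infected host.
SAMPLE_MAIL = [
    MailEvent("ws-17", "ws-17-user@corp.example", C2_MAILBOX, "Hey master, I am online", ""),
    MailEvent("ws-17", C2_MAILBOX, "ws-17-user@corp.example", "sysinfo", ""),
    MailEvent("ws-04", "hr@corp.example", "all@corp.example", "Payroll calendar", "Please review."),
]
SAMPLE_DOWNLOADS = [
    # Bucket name and stage-2/stage-3 filenames are placeholders, not from the report.
    DownloadEvent("ws-17", "example-bucket.s3.amazonaws.com", "/Payment-Advice.jar"),
    DownloadEvent("ws-17", "example-bucket.s3.amazonaws.com", "/stage2-placeholder.jar"),
    DownloadEvent("ws-17", "example-bucket.s3.amazonaws.com", "/stage3-placeholder.jar"),
    DownloadEvent("ws-04", "downloads.example.org", "/tools/editor-installer.jar"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MAIL, SAMPLE_DOWNLOADS):
        print(f"{f.host:6} {f.rule:22} {f.evidence}")
```

The literal indicators will age quickly; the `staged_jar_chain` rule is the one worth keeping, since it keys on the delivery pattern the report describes rather than on a filename or mailbox that the operators can change.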


VCURMS shows similarities to another Java-based infostealer named Rude Stealer, while STRRAT, detected since at least 2020, is known for its capabilities like keylogging and credential extraction from browsers and applications.

In a separate incident, Darktrace revealed a new phishing campaign exploiting automated emails from Dropbox, sent via “no-reply@dropbox[.]com,” leading to a fake Microsoft 365 login page. The email contains a link to a PDF file hosted on Dropbox, apparently named after a partner of the organization, which in turn contains a suspicious link to a domain, “mmv-security[.]top,” previously unseen in the customer’s environment.