Fraud Management & Cybercrime , Social Engineering

New RAT Targets Russian Speakers

Malwarebytes Describes Unusual Tactics
New RAT Targets Russian Speakers
The RAT campaign references the disputed Crimean peninsula. (Illustration: Wikipedia)

The Malwarebytes threat intelligence team has discovered a remote access Trojan apparently designed to target Russian speakers that may have combined a social engineering technique with a known exploit to maximize chances of infecting targets.

See Also: Hunting Money Mules with a 360-Degree View of Identities

The RAT is included in a document named Манифест.docx, or Manifest.docx, which downloads and executes two templates. One is macro-enabled, while the other is an html object that contains an Internet Explorer exploit, Malwarebytes says.

"The first template contains a URL to download a remote template that has an embedded full-featured VBA [Visual Basic for Applications] RAT. This RAT has several different capabilities, including downloading, uploading and executing files," the report says.

The VBA RAT collects victim information, identifies the anti-virus product running on a victim’s machine, executes shell codes, deletes files, uploads and downloads files, and reads disk and file systems information.

"The second template is an exploit for CVE-2021-26411, an Internet Explorer memory corruption vulnerability, which executes a shell-code to deploy the same VBA RAT. The VBA RAT is not obfuscated but still uses some interesting techniques for shell-code injection," Malwarebytes reports.

"Remote template injection is a common technique that is usually used by many threat actors. But what makes this attack different is that it loads two remote templates - something we have not seen before. One of the loaded templates, which is a working exploit for CVE-2021-26411, is also a new exploit," Hossein Jazi, author of the Malwarebytes report told Information Security Media Group.

Another novelty is the use of the VBA RAT. Threat actors, says Jazi, usually use maldocs to download a remote template to drop a final RAT, an executable. In this case, however, the final RAT is a VBA RAT that has been embedded within the downloaded remote template, he adds.

The Internet Explorer exploit was previously used by the Lazarus Group.

After loading the remote templates, the malicious document loads a decoy document in Russian, the report says. The decoy document contains a statement from an undisclosed group within Crimea that voices opposition to Russia and Russian President Vladimir Putin’s policies regarding that peninsula, it says.

"The decoy document contains a manifesto that shows a possible motive - Crimea - and target - Russian and pro-Russian individuals - behind this attack. However, it could also have been used as a false flag," the report adds.

The Malwarebytes team, however, could not determine the threat actors responsible based on the techniques alone.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.