- Aug 17, 2014
- Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
- The campaign targets travel and hospitality organizations in Latin America.
- Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
- We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
- We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.
WHAT'S NEW?
Cisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a multitude of infection components to deliver two widely used commodity malware families, both remote access trojans (RATs): njRAT and AsyncRAT.
We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts seen in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionality into a single tool for easy distribution and use by operators, customers and affiliates.
We've also observed some resemblance to the tactics and techniques used by the known crimeware actor "Aggah," especially in the final payload delivery stages. Aggah has traditionally used highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.
HOW DID IT WORK?
The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-malware protection features such as AMSI (the Windows Antimalware Scan Interface) and eventually delivering the RAT payloads.
We've also observed some Aggah campaigns using similar infection chains, including similar scripts and the same commodity malware. However, unlike Aggah, the operators behind the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of public hosting services such as Blogger, Pastebin and Web Archive.
The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.