silversurfer
Security researchers from Sophos have identified a hacking group that abused NSIS installers to deploy remote access tools (RATs) and information-stealing malware in attacks targeting industrial companies.
Sophos discovered that RATicate's attacks have been targeting industrial companies from Europe, the Middle East, and the Republic of Korea as part of five separate campaigns between November 2019 and January 2020, although the researchers suspect that they were behind other similar campaigns in the past. [....]
To infect the targets' systems, the attackers used two infection chains, both of them involving the delivery of payloads via phishing emails but with a slight difference in the way they are deployed.
The first infection chain uses ZIP, UDF, and IMG malicious attachments containing the malicious NSIS installers, while the second uses XLS and RTF documents booby-trapped to download the installers from a remote server onto the victims' devices. [....]
RATicate: an attacker’s waves of information-stealing malware
In a series of malspam campaigns dating back to November of 2019, an unidentified group sent out waves of installers that drop remote administration tool (RAT) and information stealing malware on v…
news.sophos.com
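The first delivery chain quoted above hides NSIS installers inside ZIP, UDF and IMG attachments. A quick triage check for mail gateways or sandboxes is to open the container and look for NSIS-built executables by their first-header marker (the little-endian DWORD 0xDEADBEEF followed by the ASCII tag "NullsoftInst"), which every NSIS-built installer embeds. The Python below is an added example, not code from the Sophos report or from the post; it covers only ZIP containers (including nested ZIPs) and builds its own sample attachment in memory. The "PE" members in the sample are stand-ins (an MZ header plus the tag), not real executables, and parsing IMG/UDF images would need an ISO/UDF library such as pycdlib, which is assumed and not shown here.

```python
"""Triage helper: flag e-mail attachments that carry an NSIS installer.

Added example (not from the Sophos report or the forum post). Scans a ZIP
attachment for members that look like NSIS-built PE executables, descending
into nested ZIPs. IMG/UDF containers would need an ISO/UDF parser (e.g.
pycdlib, assumed) and are out of scope here.
"""
import io
import struct
import zipfile

# NSIS "firstheader": DWORD 0xDEADBEEF (little-endian) + "NullsoftInst"
NSIS_SIG = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"
PE_MAGIC = b"MZ"
MAX_DEPTH = 3  # stop descending nested archives at this depth (zip-bomb guard)


def is_nsis_installer(data: bytes) -> bool:
    """True if the blob starts like a PE image and carries the NSIS tag."""
    return data.startswith(PE_MAGIC) and NSIS_SIG in data


def scan_zip(blob: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return archive-internal paths of members flagged as NSIS installers.

    Non-ZIP input yields an empty list; nested ZIPs are walked up to MAX_DEPTH.
    """
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            data = zf.read(info)
            if is_nsis_installer(data):
                findings.append(path)
            elif zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_zip(data, path + "/", depth + 1))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real malware sample): an outer ZIP holding a
    text file, a decoy executable without the NSIS tag, and a nested ZIP
    containing a fake NSIS-stamped executable. PE bodies are minimal stand-ins
    (MZ header, filler, tag), not runnable binaries."""
    fake_nsis = PE_MAGIC + b"\x90" * 64 + NSIS_SIG + b"\x00" * 32
    plain_pe = PE_MAGIC + b"\x90" * 64 + b"\x00" * 32
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2020/setup.exe", fake_nsis)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"please see attached invoice")
        z.writestr("tools/helper.exe", plain_pe)
        z.writestr("Invoice_2020.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_attachment()):
        print("NSIS installer found in attachment:", hit)
```

The marker check is a presence test, not a verdict: plenty of legitimate software ships as NSIS installers, so treat a hit as a reason to detonate or block the attachment by policy (executables inside archives from external senders), not as proof of RATicate.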