Malware News Spam Wave Delivers New Ozone RAT

Exterminator

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A recent spam campaign is targeting German-speaking users, spreading malicious Office documents that end up installing a rogue certificate and a copy of the Ozone RAT (Remote Access Trojan).

What's different about this spam campaign is that it doesn't deliver macro-laced Office documents like most spam these days, but uses an older technique not seen for some time.

Instead of asking users to turn on macros support in their Office applications, users are asked to double-click on a thumbnail image, which loads and executes malicious JavaScript.

Using JavaScript to download PAC files, rogue certificates, and RATs
This JavaScript file installs a local PAC (Proxy Auto-Config) file that hijack's the user's local Internet connection proxy settings and then downloads a rogue Comodo certificate, which it will use for MitM attacks, later on, to disguise and sign malicious traffic.

Crooks also use another non-standard technique by downloading the malicious PAC file from a Tor URL via a Tor2Web proxy service like onion.to.

The last thing the JavaScript rogue script downloads is a copy of the Ozone RAT, which first appeared over a year ago and is currently sold online for $20 (standard package) or $50 (platinum package).

Ozone RAT helps crooks connect to their targets
Crooks install the Ozone RAT on the user's device so they could connect to the local copy and take over his workstation in search of valuable information.

According to Ozone's website, which claims to offer a "legal" remote control product, Ozone comes with a keylogger, a password dumper, a hidden startup routine, the ability to hide its process, the ability to download and execute other files, and a remote desktop feature.

Ozone also comes with its own file manager, a process manager, an application manager, a boot persistence feature, and the ability to access the remote PC's webcam.

The not-so-legal RAT
All "legal" features, which coincidentally are also the features you'll find in spyware programs. But hey, who are we to judge!

"With RAT applications like Ozone, one does not need to be an expert to create and distribute malware," Fortinet's Floser Bacurio Jr. and Joie Salvio note. "Anyone can buy Ozone from their websites, or simply download 'modified' versions."

"Just a few words of caution, though," the two researchers warn. "This can be a cunning ordeal. These 'modified' versions may be the malware themselves. With a lack of understanding how malware schemes work, even before starting your first attack, you may inadvertently become one of the first victims," the two researchers say, referring to modified Ozone RATs that come with a keylogger to spy on the people wanting to deploy the malware.

UPDATE: The new "double-click thumb image to execute malicious JS" has caught the eye of Microsoft's security team as well, who also put out a report just hours after Fortinet's discovery
Click to expand...
 
  • Like
Reactions: LASER_oneXM, Lucent Warrior, harlan4096 and 7 others
H

hjlbx

Same thing over and over... disable Windows Scripting Host (wscript.exe), Windows Scripting Host command line utility (cscript.exe), powershell.exe, powershell_ise.exe, other interpreters shipped with Windows.

These are not needed on a day-to-day basis.

This is not difficult...
 
  • Like
Reactions: Der.Reisende, XhenEd, shmu26 and 2 others
_CyberGhosT_

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I have done these and a few more over time using Process Lasso.
When I went to Signature-less security solutions I started tweaking
Windows for better security, as it stands now no av on the planet
could lock mine down like I have it now. Great suggestions @hjlbx
 
  • Like
Reactions: Der.Reisende, frogboy, shmu26 and 1 other person
You must log in or register to reply here.

Similar threads

Bot
    • Like
    • +Reputation
Security News New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
Replies
0
Views
1,121
Security News
Bot
Bot
silversurfer
    • Like
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar
Replies
0
Views
840
News Archive
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • +Reputation
Malware News Ratel RAT targets outdated Android phones in ransomware attacks
Replies
0
Views
2,119
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top