A recent discovery by the FortiMail Incident Response team has revealed a highly sophisticated email campaign targeting organizations in Spain, Italy, and Portugal.
This attack distributes a potent Remote Access Trojan (RAT) known as RATty, primarily affecting Windows systems, but also posing a threat to Linux and macOS environments where the Java Runtime Environment (JRE) is installed.
The campaign leverages the legitimate Spanish email service provider serviciodecorreo.es. Because the provider is authorized to send email on behalf of many domains, the messages pass SPF (Sender Policy Framework) checks and slip past email security filters with alarming ease.
This deceptive legitimacy, combined with advanced evasion tactics, enables attackers to deliver malicious payloads that grant them full control over infected systems, including the ability to execute commands, log keystrokes, access files, and even activate webcams or microphones.
Multi-Layered Evasion Tactics and Infection Chain
The infection chain begins with a seemingly innocuous email containing a PDF attachment disguised as an invoice, often bearing urgent language to prompt hasty action from recipients through social engineering.

Upon opening the PDF, users are instructed to download an HTML file named “Fattura” (Italian for “Invoice”) via a Dropbox link.
This file includes a basic “I am not a robot” verification before redirecting to a dynamically generated URL via Ngrok, a tunneling tool used to mask the attack’s origin.
Ngrok’s geo-based cloaking further complicates detection by serving harmless content (e.g., a Google Drive document) to users outside targeted regions like Italy, while delivering a malicious JAR file (FA-43-03-2025.jar) to victims within the specified geolocation.

This JAR file, hosted on legitimate platforms like MediaFire, contains the RATty malware, a Java-based RAT that runs on any platform where a JRE is present, which is what gives it its cross-platform reach.
According to the report, the campaign's use of trusted file-sharing services and geo-fencing techniques significantly reduces the risk of early detection: security systems and sandboxes often analyze samples from non-targeted locations, so they are served the decoy content and never see the malicious payload.
This multi-layered strategy, coupled with the abuse of legitimate infrastructures, underscores the increasing sophistication of malware distribution methodologies, making traditional security measures less effective against such targeted attacks.
Fortinet’s protective solutions, including FortiMail, FortiGuard services, and FortiSandbox, offer robust defenses by detecting and blocking these threats through antivirus signatures, content disarmament, and real-time anti-phishing capabilities.
Additionally, Fortinet emphasizes the importance of user education through Security Awareness Training (SAT) and phishing simulations to mitigate human error, a critical entry point for such attacks.
Indicators of Compromise (IOCs)
Below are the technical indicators associated with this campaign for reference and mitigation purposes:
| Type | Indicator |
|---|---|
| IP Addresses | 143.47.53.106, 130.51.20.126, 199.232.214.172, 199.232.210.172 |
| Domains | jw8ndw9ev.localto.net, l5ugb6qxh.localto.net |
| SHA256 Hashes | a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731, d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600, 9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876, 5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880, 6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e, 469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475, af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793 |
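As an added example (not code from Fortinet's report or this article), the following Python scanner runs the indicators above over a constructed proxy log; the six-field log layout and the use of the payload filename as an extra hint are assumptions. Since the tunnel hostnames and the Ngrok URL in this chain are generated dynamically, exact-match indicators like these age quickly, so hits are leads to be correlated with the behavioural chain described above rather than a complete detection.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the campaign's IOC table on this page.
IOC_IPS = {"143.47.53.106", "130.51.20.126", "199.232.214.172", "199.232.210.172"}
IOC_HOSTS = {"jw8ndw9ev.localto.net", "l5ugb6qxh.localto.net"}
IOC_SHA256 = {
    "a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731",
    "d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600",
    "9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876",
    "5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880",
    "6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e",
    "469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475",
    "af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793",
}
# The payload filename the article names; a weaker, behavioural hint (assumption).
IOC_FILENAMES = {"fa-43-03-2025.jar"}

# Assumed (hypothetical) proxy log layout, one request per line:
#   <timestamp> <client_ip> <method> <url> <server_ip> <sha256-or-dash>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def scan_line(line):
    """Return (ts, client, kind, value) tuples for every IOC hit on one line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # malformed line: skip it rather than abort the whole scan
    ts, client, _method, url, server_ip, sha256 = m.groups()
    parsed = urlparse(url)
    checks = [
        ("host", (parsed.hostname or "").lower(), IOC_HOSTS),
        ("ip", server_ip, IOC_IPS),
        ("sha256", sha256.lower(), IOC_SHA256),
        ("filename", parsed.path.rsplit("/", 1)[-1].lower(), IOC_FILENAMES),
    ]
    return [(ts, client, kind, value) for kind, value, ioc_set in checks if value in ioc_set]

def scan_log(text):
    """Scan a whole log and return all hits in order of appearance."""
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]

# Constructed sample log (not real traffic): a clean request, then the chain the
# article describes (tunnel host, then JAR download), then a benign decoy fetch.
SAMPLE_LOG = """\
2025-03-14T09:12:01Z 10.0.0.21 GET https://www.example.com/index.html 203.0.113.10 -
2025-03-14T09:13:44Z 10.0.0.21 GET https://jw8ndw9ev.localto.net/verify 143.47.53.106 -
2025-03-14T09:14:02Z 10.0.0.21 GET https://files.example.net/FA-43-03-2025.jar 130.51.20.126 a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731
2025-03-14T09:20:10Z 10.0.0.33 GET https://drive.example.org/doc/abc 203.0.113.20 -
"""
```

Calling `scan_log(SAMPLE_LOG)` yields five hits, all from the two requests made by client 10.0.0.21, which is the pivot a responder would take into endpoint triage of that host.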