Sunday, July 14, 2024

New Malware Attack Drops Double Remote Access Trojan in Windows to Steal Chrome, Firefox Browsers Data

Researchers discovered a new malware campaign that drops two different Remote Access Trojan(RAT) on targeted Windows systems and steal sensitive information from popular browsers such as Chrome and Firefox.

The samples that uncovered by Fortinet researchers drop the RevengeRAT and WSHRAT malware and it has various obfuscation functionalities that use the various stage to maintain the persistence.

RAR’s Infection Process


The RAT has infected the victims by utilizing the different stages. When opening the malicious sample file, it contained JavaScript code in a text editor with encoded data. Once decoded its drops the VBScript code is responsible for drop the next stage of malware.

The dropper then later download the second stage of malicious downloader( “A6p.vbs” file) from the external website which also contains an obfuscated strings to avoid detection.

If the downloader script will be successfully executed then it establishes a connection with command and control server to download the script file “Microsoft.vbs”.and it saved as “MICROSOFT.VBS” in the %TEMP% folder.

Remote Access Trojan

According to Fortinet research “The script properly invokes a number of composed PowerShell commands to bypass the interpreter’s execution policy and to hide its presence, thereby bypassing the “-ExecutionPolicy Bypass -windowstyle hidden -noexit -Command” parameters”

Once the RAT successfully deployed, it connects to two C&C servers. But the two C&C servers had been shut down during the analysis. So researchers decided to set up a fake C2 server to analyze the sample.

Once the connection to the C&C server is established, it collects information from the victim’s system that will be sent to its server.


The infection chain with this WSH RAT used the same code from MICROSOFT.VBS in the GXxdZDvzyH.vbs script. But the payload in complete different that encoded in base-64.

Researcher digging deep and analyzed the code and confirms that it has 29 functions to perform different tasks including entrenchment, persistency, and data processing to stealing and exfiltration.

Also, WSH RAT make use of a total of 26 commands of following

“disconnect”, “reboot”, “shutdown”, “execute”, “install-sdk”, “get-pass”, “get-pass-offline”, “update”, “uninstall”, “up-n-exec”, “bring-log”, “down-n-exec”, “filemanager”, “rdp”, “keylogger”, “offline-keylogger”, “browse-logs”, “cmd-shell”, “get-processes”, “disable-uac”, “check-eligible”, “force-eligible”, “elevate”, “if-elevate”, “kill-process”, and “sleep”.

WSH RAT’s main focus is to steal the data popular browser such as Chrome and Mozilla Firefox including FoxMail software.

“The script generates a properly formatted HTTP request that contains information related to the infected computer, and uses the “User-Agent:” header as a mechanism to exfiltrate it,” Fortinet said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles