Categories: MalwareWhat is

RATicate – Hackers Group Launching an Information Stealing Malware via Remote Admin Tool

Recently, a hackers group, known as RATicate has abused the NSIS (Nullsoft Scriptable Install System) installers to deploy RATs (Remote Access Tools) and information-stealing malware to launch several waves of attacks on industrial companies, stated the security researchers at Sophos.

Due to the deadly COVID-19 pandemic, cyber attackers are constantly targeting the organizations to loot their confidential data for monetary benefits.

As a chain of five separate cyberattack campaigns between November 2019 and January 2020, the hackers’ group RATicate had specifically targetted all the European, the Middle East, and the South Korean industrial companies.

Here the most shocking thing is that the security experts at Sophos have suspected that in the past, this hacker group is also behind other similar campaigns as well.

Moreover, a threat researcher with SophosLabs, Markel Picado, said that “A new campaign we believe connected to the same actors leverages concern about the global COVID-19 pandemic to convince victims to open the payloads.”

Infection in NSIS installer

To deliver the payloads via phishing emails with trivial modifications to fool the targets, the hackers use two infection chains to contaminate the targets’ systems.

The campaign uses the NSIS installer after the target opens the documents attached in those phishing emails sent by the attackers with the common extensions like “.ZIP, .IMG, .UDF, .RTF, and .XLS files.”

Don’t know, what is the NSIS installer? It’s is an open-source tool that is backed by Nullsoft for creating Windows installers, and not only that, it’s the tool that is densely used to cover and deploy malware by hackers.

Hackers use the ZIP, UDF, and IMG malicious attachments in which they hide the malicious NSIS installers in the first infection chain.

Moreover, to download the malicious installers from a remote server into the targets’ systems, the hackers use the XLS and RTF malicious documents in the second infection chain.

Apart from this, the security experts at Sophos has explained that “We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks.”

To be able to communicate with multiple software components, the NSIS installers use a specialized type of plugin architecture that gives the possibilities to kill processes, execute command line-based programs, loading DLL files, and much more.

Targeting and Motivation

According to the Sophos reports and these campaigns, the security experts have clarified that the intention of the attackers is only to gain full access and control of the systems on the targeted companies’ networks. 

Moreover, from the emails that were sent by these campaigns, the security experts have recognized the targeted victims, and here they are:-

  • An electrical equipment manufacturer in Romania;
  • A Kuwaiti construction services and engineering company;
  • A Korean internet company;
  • A Korean investment firm;
  • A British building supply manufacturer;
  • A Korean medical news publication;
  • A Korean telecommunications and electrical cable manufacturer;
  • A Swiss publishing equipment manufacturer;
  • A Japanese courier and transportation company.

As final payload-all of them InfoStealer or RAT malware, the attackers used five different types of malware families that were discovered by the security firm, Sophos.

  1. ForeIT/Lokibot
  2. BetaBot
  3. Formbook
  4. AgentTesla
  5. Netwire

Even the security experts have also stated that the new wave of attacks of the RATicate group that were detected in March 2020 clearly indicates that to trick the potential victims into installing malware on their systems, they are using next-level tricks and exploits, including the COVID-19 related baits as well.

So, what do you think about this? Simply share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Hackers Using InfoStealer Malware that Attacks Windows Servers To Steal Sensitive Data

Hackers Hijack Home Routers & Change The DNS Settings to Implant Infostealer Malware

Hackers Spreading Zeus Sphinx Malware to Hijack Windows Process Using Malformed MS Word Documents

Chinese Hacking group ‘Thrip’ Targets Satellite communications, Telecoms, and Defense Companies

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

3 minutes ago

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…

16 minutes ago

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

16 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

16 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

19 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

22 hours ago