A discovery by FortiGuard Labs has uncovered a phishing campaign distributing the VCURMS and STRRAT remote access trojans. Threat actors deliver the malware by enticing targets to download a malicious Java downloader; the payloads are hosted on public services and the lure arrives by email.

Security leader Jason Soroko, Senior Vice President of Product at Sectigo, adds:

“Malware writers are taking advantage of cloud resources, a trend that shouldn’t be ignored. RAT malware typically includes keyloggers, as seen in the new VCURMS and STRRAT variants. This underscores the need for stronger authentication methods beyond just usernames and passwords.”

Darren Guccione, CEO and Co-Founder at Keeper Security, highlights:

"Phishing tactics are evolving rapidly, with bad actors employing increasingly sophisticated methods. From realistic email templates to deceptive websites, cybercriminals are adept at tailoring phishing scams to deceive their targets. In this particular campaign, malicious actors exploit trusted cloud infrastructure and GitHub repositories to disseminate malware, utilizing multiple malicious programs and sophisticated obfuscation techniques.

"It's imperative for organizations to provide ongoing training for employees to identify and thwart potential phishing and social-engineering attacks. Users serve as the last line of defense, underscoring the importance of educating them on recognizing these attack vectors to safeguard themselves and their organizations."

Adam Neel, Threat Detection Engineer at Critical Start, explains:

The propagation of the new VCURMS and STRRAT remote access trojans occurs through a conventional phishing attack, typically involving an email with an ostensibly important attachment. Upon execution of the attachment, it initiates the download of the attacker's JAR files from their Amazon Web Services (AWS) instance, thereby initiating the attack.

AWS serves as a favored platform for malicious actors to host their malware, owing to its user-friendly interface and the protections afforded to attackers until their activities are detected and reported. Similarly, GitHub is a popular choice for hosting malware due to similar advantages. These services enable attackers to evade detection by delaying the deployment of their malware and tools until they have already established a foothold on a system. Frequently, scripts are employed to retrieve their tools from these cloud services.

Interestingly, one of the RATs installed during this attack (Windows.jar) establishes its command and control (C2) through email, a tactic that is not commonly observed. Once operational, attackers gain the capability to dispatch emails that are intercepted by the malware and converted into various commands. These commands include setting up a shell on the system, enabling attackers to execute commands remotely, or retrieving logs from various infostealer and keylogger tools and transmitting them back as attachments. It is crucial to remain vigilant for any unusual email traffic emanating from the device.

Despite this attack employing uncommon obfuscation techniques and methods to evade detection, users can effectively protect themselves by refraining from downloading and executing the attachment in the phishing email. Adhering to security best practices and exercising caution when interacting with emails remains paramount.
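Adam Neel's advice to watch for unusual email traffic from the device, and the stage-two JAR download from cloud hosting, can both be turned into simple endpoint-telemetry checks. The following is an added example, not code from the original article or from FortiGuard: it scans constructed network-connection records and flags Java processes (assumed here to be how a JAR-based RAT would run) that talk to mail-protocol ports, and Java processes that fetch a .jar from a host outside a constructed allow-list.

```python
import re

# Mail-protocol ports: SMTP, SMTPS, submission, IMAP, IMAPS, POP3, POP3S.
MAIL_PORTS = {25, 465, 587, 143, 993, 110, 995}
# Processes treated as Java launchers; a JAR-based RAT is assumed to run under one of these.
JAVA_PROCS = {"java.exe", "javaw.exe", "java"}
# Constructed allow-list of hosts from which Java may legitimately fetch .jar files.
ALLOWED_JAR_HOSTS = {"updates.example-internal.com"}

# Constructed sample telemetry: process<TAB>destination host<TAB>port<TAB>url ("-" if none).
SAMPLE_EVENTS = """\
outlook.exe\tmail.example.com\t993\t-
javaw.exe\tec2-203-0-113-10.compute-1.amazonaws.com\t443\thttps://ec2-203-0-113-10.compute-1.amazonaws.com/Windows.jar
javaw.exe\tupdates.example-internal.com\t443\thttps://updates.example-internal.com/app.jar
javaw.exe\timap.example.net\t993\t-
javaw.exe\tsmtp.example.net\t587\t-
chrome.exe\tgithub.com\t443\thttps://github.com/
"""


def parse_event(line):
    """Split one tab-separated telemetry record into a dict."""
    proc, dest, port, url = line.rstrip("\n").split("\t")
    return {"proc": proc.lower(), "dest": dest, "port": int(port), "url": url}


def detect(events):
    """Return (rule, process, destination) findings for two patterns.

    java-mail-protocol: a Java process using a mail port, matching the
    email-based C2 described for Windows.jar.
    java-jar-download: a Java process fetching a .jar from a host that is
    not on the allow-list, matching the stage-two download from cloud hosting.
    """
    findings = []
    for ev in events:
        if ev["proc"] not in JAVA_PROCS:
            continue
        if ev["port"] in MAIL_PORTS:
            findings.append(("java-mail-protocol", ev["proc"], ev["dest"]))
        is_jar = ev["url"] != "-" and re.search(r"\.jar($|\?)", ev["url"], re.I)
        if is_jar and ev["dest"] not in ALLOWED_JAR_HOSTS:
            findings.append(("java-jar-download", ev["proc"], ev["dest"]))
    return findings


def run(sample=SAMPLE_EVENTS):
    """Parse the sample telemetry and return the findings list."""
    events = [parse_event(l) for l in sample.splitlines() if l.strip()]
    return detect(events)
```

Real deployments would read these fields from EDR or proxy logs and tune the allow-list to the fleet's known Java applications.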

Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, emphasizes:

Cybercriminals have long relied on commercial infrastructure and capabilities to 'live off the land,' a strategy enabling them to effectively bypass signature and reputation-based security measures and leverage 'trusted' services to deliver payloads.

The challenge for organizations utilizing AWS and other cloud services lies in their lack of visibility into their own cloud accounts and services. Often, these organizations perceive these accounts as another unknown but implicitly trusted entity within AWS. Until organizations gain comprehensive visibility and understanding of their cloud usage, they must continue to ensure that their security measures accurately identify and mitigate these new variants.