Cybersecurity researchers at FortiGuard Labs have uncovered a sophisticated phishing campaign that deploys the MostereRAT remote access trojan to compromise Windows systems.
The malware leverages advanced evasion techniques and installs legitimate remote access tools like AnyDesk and TightVNC to maintain persistent, covert access to infected machines.
The attack begins with carefully crafted phishing emails targeting Japanese users, designed to appear as legitimate business inquiries.
Victims are directed to malicious websites that automatically download a weaponized Word document containing an embedded ZIP archive. The document displays a single instruction in English: “OpenTheDocument,” directing users to extract and execute the contained file.
Parts of the attack flow and its C2 domains were mentioned in a 2020 public report as being associated with a banking trojan.

It contains encrypted components bundled within its resources, including images of famous people used as decoys.
MostereRAT employs CreateSvcRpc, a custom RPC client that communicates directly with the ntsvcs named pipe to interact with Windows Service Control Manager, bypassing standard APIs like OpenSCManager and CreateService.
This technique allows the malware to create services with SYSTEM-level privileges while avoiding detection by security tools that monitor standard service creation methods.
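Direct use of the ntsvcs pipe is still visible to endpoint telemetry that records named-pipe connections. The following detection logic is an added example, not FortiGuard's code: it runs over constructed Sysmon-style pipe events (EventID 17 = pipe created, 18 = pipe connected; field names simplified) and flags any process connecting to \ntsvcs that is not in an assumed baseline of known SCM clients or that runs from outside the Windows directory.

```python
import json

# Constructed Sysmon-style pipe events as JSON lines. Sample data, not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 17, "PipeName": "\\ntsvcs", "Image": "C:\\Windows\\System32\\services.exe", "ProcessId": 700}
{"EventID": 18, "PipeName": "\\ntsvcs", "Image": "C:\\Windows\\System32\\sc.exe", "ProcessId": 4120}
{"EventID": 18, "PipeName": "\\srvsvc", "Image": "C:\\Windows\\explorer.exe", "ProcessId": 1900}
{"EventID": 18, "PipeName": "\\ntsvcs", "Image": "C:\\ProgramData\\Windows\\document.exe", "ProcessId": 5288}
{"EventID": 18, "PipeName": "\\ntsvcs", "Image": "C:\\Windows\\System32\\mmc.exe", "ProcessId": 3344}
"""

# Assumed baseline of images that routinely talk to the SCM over \ntsvcs; tune per environment.
BASELINE_IMAGES = {
    r"c:\windows\system32\sc.exe",
    r"c:\windows\system32\mmc.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_events(log_text: str):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def suspicious_scm_pipe_clients(events):
    """Return (pid, image) for pipe *connections* (EventID 18) to \\ntsvcs made by
    images outside the baseline or started from outside C:\\Windows."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 18:
            continue  # pipe creation by services.exe itself is expected
        if str(ev.get("PipeName", "")).lower() != r"\ntsvcs":
            continue
        image = str(ev.get("Image", ""))
        low = image.lower()
        if low not in BASELINE_IMAGES or not low.startswith("c:\\windows\\"):
            hits.append((ev.get("ProcessId"), image))
    return hits
```

The same rule can be expressed in a SIEM query over the equivalent fields; the baseline is the part that needs tuning, since administrative tools and backup agents also open this pipe.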
Easy Programming Language Sophistication
A particularly noteworthy aspect of this campaign is its use of Easy Programming Language (EPL), a Simplified-Chinese-based programming language designed for beginners.
Rather than continuing in Japanese for the social engineering, the attackers present a single instruction in English.
The initial executable, document.exe, is based on the wxWidgets menu sample from GitHub and serves as a deployment tool.

The malware decrypts its payload using a simple SUB operation with the key value ‘A’ and deploys all components to C:\ProgramData\Windows.
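For an analyst pulling the components out of the resources, the decryption is a byte-wise subtraction. The helper below is an added example, not code from the report, and goes one step further than the page: it recovers the single-byte SUB key by trying all 256 candidates and keeping the one that yields a valid-looking PE image. The PE check is an assumption for illustration (it suits the DLL components); a different signature test would be needed for the EPK files.

```python
import struct


def sub_decrypt(data: bytes, key: int) -> bytes:
    """Undo a byte-wise SUB-with-key encoding: out[i] = (in[i] - key) mod 256."""
    return bytes((b - key) & 0xFF for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_sub_key(data: bytes):
    """Try every single-byte key; return the first that yields a PE image, else None."""
    for key in range(256):
        if looks_like_pe(sub_decrypt(data, key)):
            return key
    return None


# Constructed stand-in for an encrypted resource: a minimal PE-like stub
# (MZ header, e_lfanew = 0x40, 'PE\0\0' signature) encoded by adding 'A' to each byte.
_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_RESOURCE = bytes((b + ord("A")) & 0xFF for b in _STUB)
```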
The malware includes an EPK launcher and malicious EPK files that require the krnln.fnr runtime library for execution.
This approach provides an additional layer of obfuscation, as EPL-based malware is less commonly encountered in the threat landscape.
The EPL-based payload consists of multiple modules, each serving specific functions. Module 1 (maindll.db) handles persistence mechanisms, privilege escalation, security tool interference, and payload updates.
It establishes persistence through scheduled tasks named ‘\Microsoft\Windows\winrshost’ and ‘\Microsoft\Windows\winresume,’ configured to run automatically under both SYSTEM and Administrator accounts.
FortiGuard’s analysis reveals MostereRAT’s communication protocol uses a magic number 1234567890 followed by packet length and command identifiers.
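A fixed magic number at the start of every packet is the kind of constant a network detection can key on. The parser below is an added example, not FortiGuard's tooling, and it assumes a frame layout the page does not spell out: a 4-byte little-endian magic, a 4-byte little-endian length covering the command id and payload, then a 4-byte command id. Command ids and payloads in the sample stream are constructed, not the malware's real command set.

```python
import struct

MAGIC = 1234567890  # value reported in the analysis; fits in 32 bits (0x499602D2)

# Assumed layout: magic (u32 LE) | length of body that follows (u32 LE) | command id (u32 LE) | payload
HEADER = struct.Struct("<III")


def build_frame(command_id: int, payload: bytes) -> bytes:
    """Constructed test helper producing a frame in the assumed layout."""
    return HEADER.pack(MAGIC, 4 + len(payload), command_id) + payload


def parse_frames(stream: bytes, max_body: int = 1 << 20):
    """Split a byte stream into (command_id, payload) tuples.
    Stops at the first frame whose magic is wrong or whose length is implausible or
    truncated, and returns the offset where parsing stopped so a caller can resync."""
    frames, offset = [], 0
    while offset + HEADER.size <= len(stream):
        magic, length, cmd = HEADER.unpack_from(stream, offset)
        if magic != MAGIC or length < 4 or length > max_body:
            break
        body_end = offset + 8 + length
        if body_end > len(stream):
            break  # truncated frame; wait for more data
        frames.append((cmd, stream[offset + 12:body_end]))
        offset = body_end
    return frames, offset


# Constructed sample: two well-formed frames followed by junk with a wrong magic.
SAMPLE_STREAM = (
    build_frame(0x01, b"")
    + build_frame(0x10, b"C:\\ProgramData\\Windows")
    + b"\xde\xad\xbe\xef" + b"\x00" * 8
)
```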
The malware demonstrates sophisticated privilege escalation capabilities by leveraging the TrustedInstaller account, one of Windows’ most powerful service accounts.

The module is then loaded into memory and its exported function “getVersion” is called.
Using code borrowed from the NSudo project, it duplicates process tokens and launches new instances with full elevated privileges, enabling unrestricted system access.
MostereRAT includes comprehensive lists of security product paths and names, targeting popular solutions including 360 Safe, Kingsoft Antivirus, Tencent PC Manager, Windows Defender, ESET, Avira, Avast, and Malwarebytes.
The malware employs Windows Filtering Platform (WFP) filters to block network traffic from detected security products, preventing them from transmitting detection data, alerts, or telemetry to their servers.
Module 2 (elsedll.db) provides the core remote access functionality, establishing secure communications with command and control servers using mutual TLS (mTLS) authentication.
The malware supports 37 different commands, enabling comprehensive system control including file operations, payload deployment, screen capture, and user enumeration.
The most significant aspect of MostereRAT’s operation is its deployment of legitimate remote access tools.
The malware can install and configure AnyDesk, TightVNC, and RDP Wrapper, providing attackers with multiple avenues for persistent remote access.
These tools are configured to grant exclusive access to the attackers while remaining hidden from legitimate users through registry modifications and window concealment techniques.
MostereRAT represents a significant evolution in remote access trojan capabilities, combining social engineering, advanced evasion techniques, and legitimate tool abuse to achieve persistent system compromise.
Organizations should implement comprehensive security awareness training, maintain updated security solutions, and monitor for unusual remote access tool deployments to defend against such sophisticated threats.