MostereRAT Targets Windows Users With Stealth Tactics

A recent investigation by cybersecurity experts has unveiled a sophisticated phishing campaign that deploys a novel strain of malware known as MostereRAT. This Remote Access Trojan (RAT) specifically targets Microsoft Windows systems, granting attackers extensive control over compromised devices. The analysis conducted by FortiGuard Labs reveals that what distinguishes this campaign is its intricate use of advanced evasion techniques. Uniquely, the malware is crafted in the Easy Programming Language (EPL), a coding language originating from China that is seldom seen in cyberattacks, and it employs a multi-layered approach to obscure its malicious activities.

MostereRAT demonstrates the capability to disable security tools, obstruct antivirus traffic, and establish secure communications with its command-and-control (C2) server through mutual TLS (mTLS).

Attack Chain and Delivery

The attack begins with phishing emails masquerading as legitimate business inquiries, primarily aimed at Japanese users. When a victim clicks on the provided link, a Word document containing a concealed archive is downloaded. This file prompts the user to execute an embedded executable, which subsequently activates the malware.

The executable decrypts its components and installs them within the system directory. To ensure persistence, it creates services that operate under SYSTEM-level privileges, maximizing access. As a final touch, the program presents a deceptive message in Simplified Chinese, suggesting that the file is incompatible, a tactic designed to facilitate further dissemination of the malware.


Lauren Rucker, a senior cyber threat intelligence analyst at Deepwatch, emphasized the critical role of browser security in defending against such threats. “Given that the initial attack vector involves phishing emails leading to malicious links and downloads, it’s essential to enforce policies that restrict automatic downloads and limit user privileges to prevent escalation to SYSTEM or TrustedInstaller,” she stated.

MostereRAT employs various strategies to undermine security measures. It can disable Windows Update, terminate antivirus processes, and obstruct security tools from communicating with their respective servers. Additionally, the malware escalates privileges by impersonating the TrustedInstaller account, one of the most powerful accounts on Windows systems.

James Maude, field CTO at BeyondTrust, noted, “While this malware utilizes creative techniques to evade detection by chaining together novel scripting languages with trusted remote access tools, it still adheres to a common pattern of exploiting overprivileged users and endpoints lacking application control.”

Capabilities and Remote Access Tools

Once firmly established, MostereRAT boasts a comprehensive range of functionalities, including:

  • Keylogging and system information collection
  • Downloading and executing payloads in EXE, DLL, EPK, or shellcode formats
  • Creating hidden administrator accounts for persistent access
  • Running remote access tools such as AnyDesk, TightVNC, and RDP Wrapper

FortiGuard Labs has identified that certain components of the malware’s infrastructure were previously associated with a banking trojan reported in 2020. The evolution into MostereRAT underscores the ongoing refinement of techniques employed by threat actors to circumvent modern detection systems.

Maude reiterated the importance of minimizing privileges and controlling applications, stating, “By removing local administrator privileges, you significantly reduce the attack surface and limit the potential impact of a malware infection.”
