A recent phishing campaign has come to light, actively distributing remote access trojans (RATs) dubbed VCURMS and STRRAT through a malicious Java-based downloader. The campaign highlights a troubling trend in cybercrime, where attackers strategically use accessible cloud platforms, such as Amazon Web Services and GitHub, to host malicious content while employing commercial protections to elude detection. Yurren Wan, a researcher at Fortinet’s FortiGuard Labs, emphasized the sophistication of these tactics, noting how the malware is concealed within reputable public services.
An unusual feature of this phishing operation is its use of a Proton Mail address for communication with its command-and-control server. The attack begins with a phishing email prompting recipients to click a button for payment verification, which results in the download of a harmful JAR file, specifically labeled “Payment-Advice.jar,” from AWS. Upon execution, this JAR file downloads and runs additional JAR files, subsequently launching both trojans.
Once activated, the VCURMS RAT sends a message stating “Hey master, I am online” to the cybercriminal-controlled address and routinely checks the mailbox for emails containing specific subject lines. Commands are then extracted from the email body and executed, enabling functions such as running arbitrary commands via cmd.exe, collecting system data, and searching for and uploading files considered valuable. Furthermore, it demonstrates the capability to download supplementary information-stealing and keylogging modules from the same AWS source.
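A defender-side illustration of the execution chain described above (a downloaded JAR launching cmd.exe), added here and not taken from the Fortinet report: it walks constructed, simplified process-creation records and flags any cmd.exe whose parent is a Java process started with a .jar from a user-writable directory. The record layout, paths and sample values are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (simplified, not a real product schema).
# The first pair mirrors the campaign: a JAR from Downloads spawning cmd.exe.
# The second pair is a benign installed application, included as a negative case.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 880, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'"javaw.exe" -jar "C:\Users\alice\Downloads\Payment-Advice.jar"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami & systeminfo"},
    {"pid": 5001, "ppid": 880, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'"javaw.exe" -jar "C:\Program Files\App\app.jar"'},
    {"pid": 5002, "ppid": 5001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ver"},
]

# Matches "-jar <path>" with or without quotes around the path.
JAR_RE = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.IGNORECASE)
USER_WRITABLE_DIRS = {"downloads", "temp", "appdata"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}

def launched_jar(cmdline):
    """Return the .jar path a Java command line was started with, or None."""
    m = JAR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def from_user_writable_path(path):
    """True if any directory component is a typical user-writable location."""
    return any(p.lower() in USER_WRITABLE_DIRS for p in PureWindowsPath(path).parts)

def find_suspicious_chains(events):
    """Return (java_pid, jar_path, child_cmdline) for each cmd.exe whose parent
    is a Java process launched with a .jar from a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or PureWindowsPath(parent["image"]).name.lower() not in JAVA_IMAGES:
            continue
        jar = launched_jar(parent["cmdline"])
        if jar and from_user_writable_path(jar):
            hits.append((parent["pid"], jar, e["cmdline"]))
    return hits

if __name__ == "__main__":
    for pid, jar, cmd in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"java pid {pid} ran {jar} and spawned: {cmd}")
```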
The information stealer is particularly noteworthy, equipped to gather sensitive data from applications like Discord and Steam, along with login credentials, browser cookies, and auto-fill data. It can also capture screenshots and comprehensive hardware and network information from the compromised systems. Notably, VCURMS shares characteristics with another Java-based infostealer known as Rude Stealer, which surfaced last year, while STRRAT has been a known entity in the wild since 2020, typically propagated through deceptive JAR files.
The findings also coincide with Darktrace’s announcement regarding a new phishing scheme exploiting automated emails linked to Dropbox. These messages, originating from “no-reply@dropbox[.]com,” contain misleading links that direct users to a PDF file hosted on Dropbox, which appears to carry the name of a legitimate organizational partner. Research from Darktrace reveals that the PDF includes a suspicious link to a previously unseen domain within the customer’s environment, ‘mmv-security[.]top.’
In terms of tactics and techniques, this attack exemplifies the initial access method outlined in the MITRE ATT&CK framework, specifically phishing as a means of infiltrating systems. Subsequent actions likely involve persistence through the email-based command exchange and privilege escalation by executing arbitrary commands. The capabilities showcased by both RATs illustrate a concerning escalation in the threat landscape, making awareness and defensive strategies increasingly crucial for businesses today.