MULTI#STORM Campaign Targets India and US with Remote Access Trojan
New phishing campaign password MULTI#STORM has set its sights on India and the US by leveraging JavaScript files to deliver remote access trojans on compromised systems.
“Chain attacks end with the victim’s machine infected with unique examples of malware RATs (remote access trojans), such as the Warzone RAT and Quasar RAT,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.
“Both are used for command-and-control during various stages of the infection chain.”
A multi-stage attack chain begins when the recipient of the email clicks an embedded link pointing to a password-protected ZIP file (“REQUEST.zip”) hosted on Microsoft OneDrive with the password “12345.”
Extracting the archive file reveals a heavily obfuscated JavaScript file (“REQUEST.js”) which, when double-clicked, activates the infection by executing the two PowerShell commands responsible for fetching two separate payloads from OneDrive and running them.
The first of the two files is a decoy PDF document that is displayed to the victim while the second, a Python-based executable, runs silently in the background.
The binary acts as a dropper to extract and execute the main payload packaged within it in the form of a Base64 encoded string (“Storm.exe”), but not before setting up persistence via modification of the Windows Registry.
Also decoded by the binary is a second ZIP file (“files.zip”) which contains four different files, each designed to bypass User Account Control (UAC) and elevate privileges by creating a trusted dummy directory.
Among the files is a batch file (“check.bat”) which according to Securonix has some similarities to another loader called DBatLoader although there are differences in the programming language used.
The second file named “KDECO.bat” executes a PowerShell command to instruct Microsoft Defender to add antivirus exclusion rules to go through the “C:\Users” directory.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
The attack culminated with the deployment of Warzone RAT (aka Ave Maria), ready-to-use malware available for sale for $38 per month and which comes with a comprehensive list of features for collecting sensitive data and downloading additional malware such as Quasar RAT .
“It’s important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is emphasized,” the researchers said.
“These special lures are generally unremarkable in that they require the user to execute a JavaScript file directly. Shortcut files, or files that use multiple extensions will likely have a higher success rate.”
