In a recent discovery by FortiGuard Labs, the emergence of MostereRAT marks a notable step forward in the cyber threat landscape. This sophisticated remote access trojan, built specifically for Windows systems, combines stealthy delivery with layered evasion tactics and poses a substantial risk to organizations worldwide.
Phishing Campaign and Delivery
The attackers have crafted a clever phishing campaign that predominantly targets users in Japan. The attack begins with phishing emails that lead victims to download a seemingly innocuous Word document. Unbeknownst to the user, this document harbors a hidden archive. Once opened, it triggers execution of an embedded file that decrypts and quietly installs itself within the system directory.
Notably, MostereRAT is written in Easy Programming Language (EPL), a choice that adds to its evasion capabilities. It can disable security tools, block antivirus traffic, and communicate with its command-and-control server over mutual TLS (mTLS), which shields that traffic from inspection and helps the infection persist.
Capabilities and Tactics
The arsenal of MostereRAT is extensive, offering features that allow attackers to monitor and manipulate compromised systems with precision. Beyond basic spying, it can log keystrokes, collect system information, and download or execute various types of payloads, including EXE files, DLLs, and shellcode. Moreover, it can create hidden administrative accounts and deploy remote access tools such as AnyDesk, TightVNC, and RDP Wrapper, thereby maintaining a constant presence on the infiltrated machine.
Security experts have noted that some of the infrastructure supporting MostereRAT resembles techniques used in a 2020 banking trojan. This linkage suggests an evolution in the threat actor's methodology, with earlier tradecraft reused in current operations.
Preventative Measures
To combat the threats posed by MostereRAT, analysts advise hardening browser settings to prevent automatic downloads. Limiting user privileges can also stop the malware from escalating to SYSTEM or TrustedInstaller level, which is critical to the control it seeks over the infected system.
Additionally, security professionals emphasize the importance of reducing local administrative privileges and enforcing strict application controls. These measures significantly shrink the attack surface, thereby limiting the impact and spread of such malware. As this threat continues to develop, organizations must remain vigilant and proactive in their cybersecurity strategies to safeguard against MostereRAT and similar evolving threats.
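One detection opportunity that follows from the capabilities described above is the creation of a fresh local account that is promptly placed in the Administrators group. The following Python snippet is an added example, not code from FortiGuard Labs or from the malware analysis, that correlates Windows Security events 4720 (user account created) and 4732 (member added to a local group) over constructed sample records; the field names (`ts`, `id`, `target`, `group_sid`, `actor`) are assumed to have been normalized by a log shipper.

```python
"""Flag local accounts that are created and then added to the local
Administrators group within a short window (events 4720 -> 4732)."""
from datetime import datetime, timedelta

# Well-known SIDs of the built-in local groups (stable across Windows installs).
ADMINISTRATORS_SID = "S-1-5-32-544"
USERS_SID = "S-1-5-32-545"

# Constructed sample events (not real telemetry). Field names are assumed to be
# the normalized output of a log shipper, not the raw Security log XML.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T08:00:00", "id": 4720, "target": "svc_backup", "actor": "CORP\\jdoe"},
    {"ts": "2025-09-10T08:00:03", "id": 4732, "target": "svc_backup",
     "group_sid": ADMINISTRATORS_SID, "actor": "CORP\\jdoe"},
    # Legitimate onboarding: new account only joins the Users group.
    {"ts": "2025-09-10T09:15:00", "id": 4720, "target": "intern01", "actor": "CORP\\helpdesk"},
    {"ts": "2025-09-10T09:20:00", "id": 4732, "target": "intern01",
     "group_sid": USERS_SID, "actor": "CORP\\helpdesk"},
    # Pre-existing account promoted: no matching 4720, so not a "new admin".
    {"ts": "2025-09-11T10:00:00", "id": 4732, "target": "oldadmin",
     "group_sid": ADMINISTRATORS_SID, "actor": "CORP\\helpdesk"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the normalized events."""
    return datetime.fromisoformat(value)


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return accounts created (4720) and added to Administrators (4732)
    within `window`. Each hit records who did it and how fast it happened."""
    created = {}  # account name -> (creation time, creating actor)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[ev["target"]] = (parse_ts(ev["ts"]), ev["actor"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            if ev["target"] in created:
                t_created, creator = created[ev["target"]]
                delta = parse_ts(ev["ts"]) - t_created
                if delta <= window:
                    hits.append({"account": ev["target"], "creator": creator,
                                 "promoter": ev["actor"],
                                 "seconds": delta.total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[!] new local admin {hit['account']} created by {hit['creator']} "
              f"and promoted by {hit['promoter']} after {hit['seconds']:.0f}s")
```

Real 4732 records identify the added member by SID rather than by name, so resolve the SID to an account name before normalizing into this shape.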