BitRAT Distributed by Phishing Emails Disguised as RFQ Notices


Phishers are using Request For Quote (RFQ)-themed emails to infect users with BitRAT.

A 7zip Archive Awaits…

Near the end of June, the AppRiver team flagged an email that appeared to have originated from a California lifestyle brand company.

The attack email used branding stolen from the company to add a sense of legitimacy. It also used a signature block to create the impression that a procurement manager named Noman Hamza at the company had sent out the RFQ.

Screenshot of the fake RFQ email. (Source: AppRiver)

Searching “Noman Hamza” in association with the garment company uncovered no results.

Not only that, but the signature block got a few of the spoofed company’s details wrong. For instance, it listed the company’s phone number as (619) 616-7776, but the organization’s actual phone number is (619) 616-7996.

The signature block also claimed that the message had originated from what appeared to be an official email address at the company.

This email address, which was the same as the sender address, yielded no search results. It’s therefore possible that the digital attackers used spoofing tactics to disguise their email’s origin.

Where the Attack Email Directs a Recipient

The body of the attack email asked the recipient to review an attached purchase order and respond with their best price.

Troy Gill, manager of security research at AppRiver, explained what happened if someone elected to open the fake RFQ.

“If the recipient opens the .HTM attachment, it opens locally in their default browser, showing an RFQ lure,” he said. “The lure contains a link to an external site hosting a 7zip archive along with a password to decrypt it.”

Screenshot of the RFQ lure. (Source: AppRiver)

As is evident in the screenshot above, the RFQ lure used stolen branding consistent with the company spoofed in the campaign’s attack email.

Anyone who entered the password and downloaded the 7zip archive didn’t end up with a purchase order. Instead, they ended up with a BitRAT infection.

This remote access trojan arrived with the ability to mine Monero on infected devices. To launch their own campaign, all an attacker needed to do was to buy into BitRAT’s Malware-as-a-Service (MaaS) scheme at $89 for six months of use or $199 for a lifetime license.

Attackers could have also saved themselves some money by finding a discount code for the malware on BitRAT’s official Twitter profile.

A screenshot of BitRAT’s official Twitter profile. (Source: AppRiver)

Gill analyzed the malware and found that it relied on another digital threat for its code.

“While BitRAT has been around for years, it appears the developers of this latest version heavily utilized code from the WebMonitorRAT (RevCode) while adding extra functionality for more nefarious purposes in BitRAT,” he explained.

Back in April 2019, it was reported that a Swedish company called RevCode framed WebMonitor RAT as legitimate software “that helps firms and personal users handle the security of owned devices.”

But that didn’t prevent antivirus companies from detecting the program as malware. Security researchers found that the program could dump a remote machine’s temporary memory, steal passwords from different email programs, make off with the machine’s Wi-Fi details, and gain access to the webcam, functions that only undermine “the security of owned devices.”

Defending Against an Email-Borne BitRAT Campaign

The malware operation discussed above highlights the need for organizations to defend themselves against email attacks. One of the ways they can do this is by investing in an email security solution that’s capable of scanning incoming messages for campaign patterns, malware signatures, and other threat indicators. It should perform this analysis in real time so that legitimate business correspondence can reach its intended destination.
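The chain Gill describes (RFQ-themed message, .HTM attachment, link to an externally hosted archive, password quoted in the lure) is exactly the kind of campaign pattern a mail filter can score before delivery. The following Python script is an added example written for this post; it is not code from AppRiver or from the original article. It parses a raw message with the standard library's email package, pulls out HTML attachments, extracts the links they contain, and flags the combination of indicators seen in this campaign. The two messages it analyzes are constructed samples, and the keyword and file-extension lists are illustrative assumptions, not a vendor signature set.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the original post): an RFQ-themed message whose
# .htm attachment links to an externally hosted 7z archive and quotes a password.
SAMPLE_EML = """\
From: Procurement <procurement@example-brand.test>
To: sales@example-supplier.test
Subject: RFQ - Purchase Order 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached purchase order and respond with your best price.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="PO_4471.htm"

<html><body>
<p>Request for quote</p>
<p>Download the purchase order here:
<a href="https://files.example-host.test/PO_4471.7z">PO_4471.7z</a></p>
<p>Archive password: 2021</p>
</body></html>

--b1--
"""

# Constructed benign sample used to show the scorer does not fire on ordinary mail.
BENIGN_EML = """\
From: Alice <alice@example-supplier.test>
To: bob@example-supplier.test
Subject: Lunch on Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at noon?
"""

# Illustrative indicator patterns (assumptions for this example, not a vendor ruleset).
RFQ_TERMS = re.compile(r"\b(rfq|request for quot(e|ation)|purchase order|best price)\b", re.I)
HTML_ATTACHMENT = re.compile(r"\.(htm|html)$", re.I)
ARCHIVE_LINK = re.compile(r"https?://[^\s\"']+\.(7z|zip|rar|iso)\b", re.I)
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects every href found in <a> tags of an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def analyze_message(raw: str) -> dict:
    """Score one raw RFC 5322 message and return its indicators and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    if RFQ_TERMS.search(subject) or RFQ_TERMS.search(body_text):
        indicators.append("rfq_theme")

    # Only parts with an attachment disposition are yielded here; the body part is skipped.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not HTML_ATTACHMENT.search(filename):
            continue
        indicators.append(f"html_attachment:{filename}")
        html = part.get_content()
        if isinstance(html, bytes):
            html = html.decode("utf-8", "replace")
        extractor = LinkExtractor()
        extractor.feed(html)
        for link in extractor.links:
            if ARCHIVE_LINK.match(link):
                indicators.append(f"external_archive_link:{link}")
        if PASSWORD_HINT.search(html):
            indicators.append("password_in_lure")

    # An RFQ theme combined with an HTML lure that points at an external archive
    # is the campaign pattern; anything weaker is routed to analyst review.
    has_archive_link = any(i.startswith("external_archive_link:") for i in indicators)
    if "rfq_theme" in indicators and has_archive_link:
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject": subject, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_EML, BENIGN_EML):
        print(analyze_message(sample))
```

The verdict logic deliberately requires two independent signals before quarantining: a genuine RFQ with a PDF attached would at most reach the review queue, which keeps legitimate procurement traffic moving while the .HTM-plus-archive pattern is held.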

Augment your defenses with the email threat detection tools from AppRiver.