RuRAT malware baits targets by spoofing an investing firm

March 10, 2022
RuRAT Malware Targets Spoofing Investing Firm Email Spear Phishing

Threat actors conducted a malicious campaign to spread the RuRAT malware, allowing its operators to access a compromised device remotely. Based on reports, the threat actors are spoofing a venture capital firm that fakes its investment or acquisition of a targeted site.

A public forum received a spear-phishing email from an IP address that a UK virtual server company owns. The email spoofed a venture capitalist dedicated to purchasing the forum’s website.

Then, the spear-phishing email asked the targeted forum to contact a particular individual on a chat application called Vuxner. The Vuxner[.]com site promotes the Vuxner Chat as a free and reliable instant messaging service. The researchers managed to locate this site by simply accessing a Google search.

 

The threat actors are betting on their targets to install the messaging app to spread the RuRAT malware onto the users’ devices.

 

If a target installs the VuxnerChat[.]exe file, it will also include several additional malware such as RuRAT on the target’s device.

The threat actors utilise RuRAT to gain initial access to a system, take over the controls, search for significant credentials and critical data, and distribute itself laterally across the compromised network.

Based on recent reports, the RuRAT’s infection chain includes multiple stages.

In RuRAT’s first stage of infection, a decoy URL launches and installs a Trillian software. After installing the Vuxner Trillian software, another installer will drop a legitimate remote desktop software tracked by researchers as RuRATSetup[.]exe and initiate it.

Lastly, a C:\swrbldin folder is developed by the threat operators on the target’s machine, with different batch files, VBS scripts, and other documents necessary for the RuRAT malware deployment.

Threat actors have become extraordinarily clever and developed a strategy by making false claims to bait targeted users into installing malicious malware.

Experts suggest staying cautious whenever an email appears suspicious and reporting it to their security team. Moreover, everyone should avoid downloading email attachments without proper security installed on their devices.

About the author

Leave a Reply