Compromised MS Office files vector for the Escanor RAT malware

August 24, 2022

Cybersecurity researchers have identified a new remote administration tool, Escanor RAT, which its developers promote on Telegram and dark web forums.

The developers of this malware also offer PC-based and Android-based versions of the malware. The product includes an HVNC module and an exploit builder to weaponise MS Office and Adobe PDF documents for spreading malicious code.

The kit was first offered for sale by its authors last January as a compact HVNC implant that lets its operator establish a silent remote connection to a targeted device. It later evolved into a full-scale commercial RAT with a competent feature set.

The Escanor actors have built a credible reputation in the cybercriminal landscape, which has helped the developers attract nearly 30,000 subscribers on Telegram.


The Escanor RAT malware also has a version for targeting mobile devices.


The mobile version of Escanor is known as Esca RAT, and threat groups actively use it in attacks against online-banking users by intercepting their one-time password (OTP) codes. The mobile version can also harvest a target's GPS coordinates, covertly activate the camera, log keystrokes, and browse files on the device in order to exfiltrate data.

Most of the samples recently detected by cybersecurity researchers were produced with the Escanor Exploit Builder. The researchers concluded that the threat actors rely on malicious decoy documents that imitate invoices and notifications from well-known internet services.

The researchers also noted that the domain escanor[.]live, which they had previously identified, was affiliated with AridViper (GnatSpy/APT-C-23) infrastructure. AridViper is a group that actively attacks numerous entities in the Middle East and is known for prioritising Israeli military targets.

After a cybersecurity researcher recently published a detailed report on the tool, the Escanor RAT authors released a video showing how other groups could use it to evade antivirus detection.

Currently, most Escanor RAT infections have been observed in the United States, the United Arab Emirates, Canada, Saudi Arabia, Mexico, Singapore, Israel, Bahrain, and Egypt, with a few infections in Southeast Asia.
