In May, we reported initial findings on RATicate, a group of actors spreading remote administration tools (RATs) and other information-stealing malware at least since last year. We tracked multiple malicious spam (“malspam”) email campaigns from the group, with attached installers that usually posed as documents related to financial transactions. In recent campaigns, the group’s tactics have shifted, as the actors employed a new malware “loader” in order to unpack and install RAT and infostealer payloads in a more stealthy way.

As discussed in our original report, the RATicate group had since last November been packing their RAT and infostealer payloads for deployment via e-mail exclusively with custom NSIS installers. But in February, the group started to switch to a new delivery mechanism. Initially identified (by researchers at CheckPoint) as Guloader, the new Visual Basic 6-based installer was tied to a publicly-marketed installation builder called CloudEyE.

It was also during this period that we saw the RATicate actors begin to use the COVID-19 pandemic as a hook to get victims to open the installers. An email campaign attempting to distribute the Lokibot password-stealing malware used a message attempting to spoof company emails on COVID-19 response policy as a lure to get targeted users to open the malicious attachment:

Figure: A COVID-19 themed email carrying a RATicate-authored malware installer.

On June 10, CloudEyE announced that they had suspended sale of their installer because of “abuse” of their platform, and were refunding customers for unused portions of their licenses. We contacted the individuals associated with the Italian company behind CloudEyE in an attempt to gain further information about the RATicate actors. They confirmed that the malware signatures we provided were associated with three accounts that used their service, with the majority of them associated with a single account. But the CloudEyE developers would provide no further data, citing Italian privacy law. CloudEyE has recently returned to service, claiming tighter controls on customer accounts.

Despite the suspension of CloudEyE operations, RATicate remains very active. The group has switched back to the NSIS installer for its most recent campaigns, and is continuously making improvements to its infrastructure and distribution methods. We continue to monitor the group to ensure that its malspam messages remain blocked by Sophos.

Change in delivery

Between November 2019 (when we began to track the activity of this group) and March 2020, we identified at least 14 separate RATicate campaigns connected to the same set of command and control (C2) infrastructure. These campaigns, detailed in our previous report, distributed payloads that included AgentTesla, Formbook, Lokibot, Netwire and Betabot. However, starting in February 2020, we began to see the actors shift to a different delivery vehicle for their malware.

CloudEyE is a multi-stage “loader” with a wrapper written in Visual Basic. It contains shellcode which is responsible for downloading encrypted payloads and injecting them into a remote process. Because the download URL used by the loader was short-lived, it was difficult to recover the payload it was downloading at the time. However, we were able to recover downloaded files connected to these installers and to decrypt them in order to analyze the final payloads.

Despite the new delivery method, we were able to link the campaigns to the RATicate group based on a number of factors. The payloads of the campaigns using both types of installers delivered the same families of remote administration tool (RAT) and information-stealing malware, and they shared the same command and control (C&C) infrastructure. For example, these two campaigns used the exact same C&C URL:

NSIS Campaign 14 (): allenservice.ga/~zadmin/lmark/jl2/link.php.