The cybercriminal group Rogue Raticate, also known as RATicate, has reemerged with a fresh wave of attacks aimed at enterprises. Known for their expertise in infiltrating corporate networks through malicious emails and remote access trojans (RATs), the group is now using weaponized PDF files to deliver the NetSupport Remote Access Tool (RAT). Cybersecurity experts observed this new campaign, which employs seemingly innocuous PDF attachments named like “unpaid-7985652547.pdf” and “Paper-2445311685.pdf” to lure victims.
These malicious PDFs contain URLs that redirect users through a Traffic Distribution System (TDS) to deploy the NetSupport RAT on their machines. Rogue Raticate uses social engineering tactics, primarily leveraging OneDrive and Adobe templates, to trick recipients into clicking the embedded URLs. This sophisticated attack chain highlights the group’s evolving tactics and the persistent threat they pose to enterprises.
In response to these attacks, Symantec has implemented several protective measures to safeguard its customers. File-based detections such as Scr.DLHeur!gen7 and Scr.DLHeur!gen10 have been put in place to identify and mitigate these malicious PDFs. Symantec’s comprehensive approach aims to ensure enterprises are well-protected against the evolving tactics of cybercriminal groups like Rogue Raticate.
Despite these protections, it remains crucial for users to stay vigilant and exercise caution when handling unsolicited emails and attachments. Awareness and proactive measures are essential to defend against the persistent threats posed by sophisticated cybercriminal groups. Maintaining a high level of security awareness can help prevent falling victim to these malicious campaigns.
Reference:
