A new cyberattack campaign began on June 21, 2024, distributing malware through a multi-stage chain. The lure is a JavaScript file hosted on a lookalike IRS website; when executed, it launches an MSI installer, which drops a Brute Ratel Badger DLL into the user’s AppData directory and gives the attackers control of the compromised system.
Once the Brute Ratel framework is active, it downloads and installs the Latrodectus backdoor, giving the attackers remote access to the victim’s machine. This malware facilitates data theft and enables further payload distribution. On June 23, 2024, Zscaler ThreatLabz confirmed that Brute Ratel was serving as an initial access broker for the Latrodectus malware.
The campaign redirected users from a fake domain (appointopia.com) to the compromised IRS website. Users were prompted to solve a CAPTCHA, after which a JavaScript file (Form_Ver-*.js) was downloaded. The file used obfuscated code and a valid authentication certificate to disguise its purpose; its real function was to download malicious MSI packages.
Further analysis showed that the MSI files, such as “BST.msi” and “neuro.msi,” contained DLLs and custom actions that install and execute additional malware. The Brute Ratel Badger payload connects to multiple command-and-control (C2) domains and deploys Latrodectus, creating a multi-stage infection chain that evades standard security controls.
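The chain described above (a script host running a Form_Ver-*.js lure, which spawns an MSI installer, which writes a DLL under AppData) is a good candidate for endpoint-telemetry correlation. The following is an added detection example written for this page; it is not Zscaler's code or tooling. The JSON-lines event format, the field names, the process names (wscript.exe, cscript.exe, msiexec.exe) and the sample events are assumptions constructed for the example; only the Form_Ver-*.js, BST.msi and neuro.msi names come from the report.

```python
"""Correlate process-creation and file-write events into the JS -> MSI -> AppData DLL chain.

Added example (not from the original report). Event schema and sample data are constructed.
"""
import fnmatch
import json
import ntpath
from collections import defaultdict

# Windows script hosts that would execute the downloaded .js lure (assumption of this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Process that installs MSI packages (assumption of this example).
INSTALLER_HOSTS = {"msiexec.exe"}
# Lure filename pattern reported for the campaign, compared case-insensitively.
JS_LURE_PATTERN = "form_ver-*.js"
# MSI package names reported for the campaign; used to enrich findings, not to gate them.
KNOWN_MSI_NAMES = {"bst.msi", "neuro.msi"}

# Constructed sample telemetry in a simplified JSON-lines shape (not a real product's format).
# The first three lines form the malicious chain; the last two are a benign installer run.
SAMPLE_EVENTS = r"""
{"ts": "2024-06-21T10:00:01Z", "type": "process_create", "pid": 4100, "ppid": 3000, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\Downloads\\Form_Ver-8821.js"}
{"ts": "2024-06-21T10:00:04Z", "type": "process_create", "pid": 4120, "ppid": 4100, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\neuro.msi /qn"}
{"ts": "2024-06-21T10:00:06Z", "type": "file_write", "pid": 4120, "path": "C:\\Users\\alice\\AppData\\Roaming\\svc\\payload.dll"}
{"ts": "2024-06-21T11:30:00Z", "type": "process_create", "pid": 5200, "ppid": 700, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi"}
{"ts": "2024-06-21T11:30:05Z", "type": "file_write", "pid": 5200, "path": "C:\\Program Files\\7-Zip\\7z.dll"}
""".strip()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename_lower(path):
    """Lower-cased final path component, using Windows path rules regardless of host OS."""
    return ntpath.basename(path).lower()


def lure_in_cmdline(cmdline):
    """True if any command-line token is a file whose name matches the reported lure pattern."""
    return any(fnmatch.fnmatchcase(basename_lower(tok), JS_LURE_PATTERN) for tok in cmdline.split())


def msi_in_cmdline(cmdline):
    """Return the lower-cased .msi filename named on the command line, or None."""
    for tok in cmdline.split():
        name = basename_lower(tok)
        if name.endswith(".msi"):
            return name
    return None


def is_appdata_dll(path):
    """True for a .dll written anywhere beneath a user's AppData tree."""
    low = path.lower()
    return low.endswith(".dll") and "\\appdata\\" in low


def find_infection_chains(events):
    """Return one finding per script-host -> installer chain.

    Severity is "high" when the installer also wrote a DLL under AppData (full chain as
    reported), "medium" when only the script host -> msiexec parent/child link is present.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    writes = defaultdict(list)
    for e in events:
        if e["type"] == "file_write":
            writes[e["pid"]].append(e["path"])

    findings = []
    for parent in procs.values():
        if basename_lower(parent["image"]) not in SCRIPT_HOSTS or not lure_in_cmdline(parent["cmdline"]):
            continue
        for child in children[parent["pid"]]:
            if basename_lower(child["image"]) not in INSTALLER_HOSTS:
                continue
            dlls = [path for path in writes[child["pid"]] if is_appdata_dll(path)]
            msi = msi_in_cmdline(child["cmdline"])
            findings.append({
                "severity": "high" if dlls else "medium",
                "script_pid": parent["pid"],
                "installer_pid": child["pid"],
                "msi": msi,
                "known_msi_name": msi in KNOWN_MSI_NAMES,
                "dropped_dlls": dlls,
                "first_seen": parent["ts"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_infection_chains(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

The rule keys on the parent/child relationship rather than on any single filename, so renaming the lure or the MSI only drops the `known_msi_name` enrichment; the script-host-spawns-installer link and the AppData DLL write are what raise the severity. The benign 7-Zip install in the sample is not reported because its parent is not a script host.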