The criminal underground is witnessing a proliferation of remote access Trojan (RAT) attacks fueled by the broader availability of turnkey cyberattack kits. Malware “meal kits” priced at under $100 are contributing to the surge in RAT campaigns, often concealed within seemingly legitimate Excel and PowerPoint files delivered via email. HP Wolf Security’s “Q3 2023 Threat Insights Report” highlights a significant increase in Excel files containing DLLs infected with the Parallax RAT; the files appear to recipients as legitimate invoices but deliver malware when clicked. These Parallax RAT malware kits are accessible for $65 a month on hacking forums.
HP’s report also identifies instances where aspiring attackers have been targeted with malware kits, such as XWorm, hosted on ostensibly legitimate repositories like GitHub. Additionally, new RATs, such as DiscordRAT 2.0, have recently emerged.
Notably, 80% of the threats observed during the quarter were email-based, and the report reveals an intriguing development: some cybercriminals are now targeting inexperienced individuals in RAT campaigns.
The HP report shows a significant rise in the use of Parallax RAT, which jumped from the 46th most popular payload in the second quarter of 2023 to seventh in the following quarter. A unique “Jekyll and Hyde” attack pattern has been observed in one Parallax RAT campaign, involving two threads that run when a user opens a scanned invoice template.
While one thread opens the file, the other runs malware in the background, making it challenging for users to detect the attack’s progress. RATs have increasingly become a threat in 2023, with researchers noting upticks in RAT activity.
HP has highlighted the rise of RATs like Houdini and Parallax, but the long-term impact may be limited due to Microsoft’s plan to deprecate VBScript, which both RATs rely on. This announcement may encourage attackers to shift to formats that will continue to be supported on Windows, such as PowerShell and Bash, and develop innovative obfuscation techniques to bypass endpoint security.