A recent cyber threat has emerged where threat actors create fake websites hosting trojanized software installers, deceiving unsuspecting users into downloading a downloader malware dubbed “Fruity.” The primary objective of this campaign is to install remote trojan tools like Remcos RAT on compromised systems. The counterfeit installers not only lure users with seemingly legitimate software but also contain the hidden trojan and its components, making them a deceptive decoy.
While the exact initial access vector used in the attack remains unclear, possibilities range from phishing and drive-by downloads to malicious ads. Once users land on these fraudulent websites, they are prompted to download a ZIP installer package.
The installer, while seemingly performing a standard installation process, discreetly drops the Fruity trojan, a Python-based malware, that initiates a multi-stage infection by unpacking an MP3 file (“Idea.mp3”) to load an image file (“Fruit.png”) that hides two executables (.dll libraries) and the shellcode for the next-stage initialization using steganography.
Fruity’s design includes bypassing antivirus detection on compromised hosts, enabling it to launch the Remcos RAT payload using process doppelgänging. The attackers behind this campaign can exploit the attack sequence to distribute various kinds of malware, underscoring the importance for users to download software solely from trustworthy sources. This development coincides with Bitdefender revealing a malspam campaign involving Agent Tesla malware to harvest sensitive data from compromised endpoints, and a surge in malvertising operations targeting customers and businesses with tainted software boosted through ads on search engines.
Vigilance and adherence to secure downloading practices become crucial in safeguarding against such malicious campaigns and protecting critical systems and data from exploitation and exfiltration.