A recent phishing campaign has been detected distributing remote access trojans (RATs), including VCURMS and STRRAT, through a malicious Java-based downloader. The attackers utilized public platforms like Amazon Web Services (AWS) and GitHub to store malware, employing a commercial protector to mask their activities and evade detection, according to findings from Fortinet FortiGuard Labs researcher Yurren Wan. Notably, VCURMS RAT stands out for its use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control server, adding an unusual dimension to the campaign’s tactics.
The attack chain initiates with a phishing email prompting recipients to click on a button to verify payment information, leading to the download of a malicious JAR file named “Payment-Advice.jar” hosted on AWS. Execution of the JAR file triggers the retrieval and subsequent launch of two additional JAR files, unleashing the twin trojans, VCURMS and STRRAT. VCURMS RAT, apart from sending periodic emails to the actor-controlled address, scans mailbox contents for specific subject lines to extract commands for execution.
VCURMS RAT exhibits multifaceted functionalities, including running arbitrary commands, gathering system information, and stealing sensitive data from applications like Discord and Steam, as well as web browsers. Additionally, it downloads additional information stealer and keylogger modules from the same AWS endpoint, further exacerbating its threat potential. While VCURMS shares similarities with another Java-based infostealer dubbed Rude Stealer, STRRAT has been in the wild since at least 2020, often propagated through fraudulent JAR files. These developments underscore the evolving nature of cyber threats and the need for robust security measures to counter such sophisticated attacks.
