CyberSecurity news
FlagThis
@securebulletin.com
//
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.
This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy.
The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic.
References :
This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy.
The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic.
Share:
References :
- securebulletin.com: From PDF invoice to geo-fenced RAT delivery campaign
- securityonline.info: Sneaky Email Attack Targets Spain, Italy, Portugal with RATty Trojan
- www.cysecurity.news: Multiplatform Malware Campaign Uses PDF Invoices to Deploy Java-Based RAT