CyberSecurity news
FlagThis - #rat
|
@training.invokere.com
//
References:
malware.news
, thedfirreport.com
,
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.
The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics. The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection. Recommended read:
References :
@blog.talosintelligence.com
//
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.
This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS. PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception. Recommended read:
References :
Mandvi@Cyber Security News
//
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.
Two UK-based universities and local government entities have recently fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT, strongly attributing them to the Interlock ransomware group. The timing and shared code elements between the incidents suggest a coordinated campaign by the same threat actor, signalling a shift in targets for the Interlock ransomware group which is believed to be behind these attacks. NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely while the RATs stay hidden in the system and even introduce other harmful programs. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements. This RAT expands the group’s capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Cybercriminals are using a fake Bitdefender website to distribute the Venom RAT (Remote Access Trojan) and other malicious programs, tricking users into downloading what they believe is legitimate antivirus software. The spoofed domain, bitdefender-download[.]com, closely mimics the official Bitdefender site, making it difficult for unsuspecting users to distinguish between the real and fake versions. This campaign highlights the importance of verifying the legitimacy of software download sources to avoid becoming a victim of malware.
Researchers have found that clicking on the "Download for Windows" button on the fraudulent site initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The downloaded ZIP archive, named "BitDefender.zip," contains an executable ("StoreInstaller.exe") which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer. These tools work in concert to compromise user systems. The Venom RAT allows attackers to harvest data and maintain persistent remote access to compromised systems. Additionally, the StormKitty malware steals passwords, including those for cryptocurrency wallets, while SilentTrinity ensures the attacker can remain hidden and maintain long-term control. DomainTools suspects the fake Bitdefender site was likely used in phishing attacks, given its overlap with internet infrastructure hosting other fake sites impersonating banks and IT services, further emphasizing the malicious intent behind this cloned website. Recommended read:
References :
|
|