Cybercriminals Using GitHub and AWS to deploy STRRAT Trojans and VCURMS


A Java-based downloader is being maliciously employed in a recent phishing campaign aimed at distributing remote access trojans (RATs) such as VCURMS and STRRAT.

Yurren Wan, a researcher at Fortinet FortiGuard Labs, stated that “the attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware.”

VCURMS uses a Proton Mail email address (“sacriliage@proton[.]me”) to communicate with a command-and-control (C2) server, an atypical feature of the campaign.

The attack chain begins with a phishing email prompting users to click a button to verify their payment details. This action triggers the download of a malicious JAR file named “Payment-Advice.jar,” hosted on Amazon.com.

When the JAR file is executed, two additional JAR files are fetched and executed separately to activate the twin trojans.

In addition to sending an email to the actor-controlled address with the subject line “Hey master, I am online,” VCURMS RAT consistently scans the inbox for emails containing specific subject lines to extract commands from the message body.

This involves utilizing cmd.exe to execute arbitrary commands, gathering system data, searching for and uploading pertinent files, and downloading additional keylogger and information-stealer modules from the same AWS URL.
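The chain described above (a JAR dropped from a "payment advice" lure, a Java process shelling out to cmd.exe, and a mailbox used as the C2 channel) maps cleanly onto a few host- and mail-telemetry checks. The script below is an added example, not Fortinet's, the campaign's, or any vendor's code: it is a hypothetical rule set run over constructed process and mail events. The indicator strings (the JAR name, the Proton Mail address, the check-in subject) are the ones quoted in the article; the event layout, field names, and sample records are assumptions made for the example.

```python
"""Hypothetical detection rules for the VCURMS / STRRAT delivery chain.

Added example (not vendor or campaign code). Three rules map to the
behaviours described in the article:
  R1  a Java runtime launched with a JAR sitting in a download/temp folder
  R2  a Java process spawning cmd.exe (VCURMS runs commands via cmd.exe)
  R3  outbound mail that carries the VCURMS check-in subject or goes to
      the actor-controlled Proton Mail address
"""
import re
from dataclasses import dataclass, field

# Indicators quoted in the article (the "[.]" defanging removed for matching).
C2_MAILBOX = "sacriliage@proton.me"
CHECKIN_SUBJECT = "hey master, i am online"

# Assumed process images and drop locations (not from the article).
JAVA_IMAGES = {"java.exe", "javaw.exe"}
DROP_DIRS = re.compile(r"\\(downloads|temp)\\", re.I)


@dataclass
class Event:
    """Minimal telemetry record: kind is 'process' or 'mail' (assumed schema)."""
    kind: str
    fields: dict = field(default_factory=dict)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_jar_from_drop_dir(ev: Event):
    """R1: java/javaw started with a .jar located under Downloads or Temp."""
    if ev.kind != "process":
        return None
    cmd = ev.fields.get("cmdline", "")
    if (_basename(ev.fields.get("image", "")) in JAVA_IMAGES
            and ".jar" in cmd.lower() and DROP_DIRS.search(cmd)):
        return "R1"
    return None


def rule_java_spawns_cmd(ev: Event):
    """R2: cmd.exe whose parent is a Java runtime."""
    if ev.kind != "process":
        return None
    if (_basename(ev.fields.get("image", "")) == "cmd.exe"
            and _basename(ev.fields.get("parent_image", "")) in JAVA_IMAGES):
        return "R2"
    return None


def rule_c2_mail(ev: Event):
    """R3: outbound mail matching the VCURMS check-in subject or C2 mailbox."""
    if ev.kind != "mail":
        return None
    subject = ev.fields.get("subject", "").strip().lower()
    recipient = ev.fields.get("to", "").strip().lower()
    if subject == CHECKIN_SUBJECT or recipient == C2_MAILBOX:
        return "R3"
    return None


RULES = (rule_jar_from_drop_dir, rule_java_spawns_cmd, rule_c2_mail)


def evaluate(events):
    """Run every rule over every event; return (event index, rule id) pairs."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            rid = rule(ev)
            if rid:
                hits.append((i, rid))
    return hits


# Constructed sample telemetry: three malicious records, two benign ones.
SAMPLE_EVENTS = [
    Event("process", {
        "image": r"C:\Program Files\Java\bin\javaw.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Program Files\Java\bin\javaw.exe" -jar '
                   r'"C:\Users\alice\Downloads\Payment-Advice.jar"'}),
    Event("process", {
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Program Files\Java\bin\javaw.exe",
        "cmdline": "cmd.exe /c systeminfo"}),
    Event("mail", {"to": "sacriliage@proton.me",
                   "subject": "Hey master, I am online"}),
    Event("process", {  # benign: packaged app launched from Program Files
        "image": r"C:\Program Files\Java\bin\javaw.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'javaw.exe -jar "C:\Program Files\ReportTool\app.jar"'}),
    Event("mail", {"to": "bob@example.com", "subject": "Q1 invoice"}),
]

if __name__ == "__main__":
    for idx, rid in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rid} fired on {SAMPLE_EVENTS[idx].fields}")
```

R1 on its own will also catch legitimate users running JARs they downloaded, so in practice it is a low-severity signal that becomes actionable when R2 or R3 fires on the same host shortly afterwards; the mail rule is the cheapest of the three, because a workstation process authenticating to a consumer webmail provider over SMTP/IMAP is rare in most environments regardless of the subject line.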

Equipped to steal sensitive information from applications such as Discord and Steam, the information stealer can also harvest credentials, cookies, auto-fill data from various web browsers, screenshots, and extensive hardware and network details from compromised hosts.

Similarities between VCURMS and another Java-based infostealer known as Rude Stealer, which emerged in the wild late last year, have reportedly been observed. In contrast, STRRAT has been detected in the wild since at least 2020 and is often distributed via fake JAR files.

“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan stated.

The revelation aligns with Darktrace’s discovery of a distinctive phishing campaign utilizing automatically generated emails from Dropbox’s cloud storage service, sent from “no-reply@dropbox[.]com,” to disseminate a counterfeit link resembling the Microsoft 365 login page.

“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the business reported. “The PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top’.”



Kunal Sevak, BTech-IT, PGDM-Predictive Analytics, CSPO®


Really very insightful. AWS Control Tower is one effective way to counter trojans deployed by cybercriminals. I would love to hear your thoughts, Dan Duran, regarding what the best practices are that can help fight these malicious activities.
