Fidelis Threat Advisory #1013
RAT in a Jar: A Phishing Campaign Using Unrecom
In the past two weeks, we have observed an increase in attack activity against U.S. state and local government, technology, advisory services, health, and financial sector organizations through phishing emails carrying what appears to be a remote access trojan (RAT) known as Unrecom. The same attack has also been observed against the financial sector in Saudi Arabia and Russia.
Because Unrecom is a comprehensive, multi-platform, Java-based remote access tool that is currently not detected by most antivirus products, it presents a risk to a large number of potential victims regardless of operating system. The following is a screenshot of the Unrecom RAT v.2.0 (Spanish-language version):
Over time, various reports in the community have documented the evolution of this tool. Such evolution is to be expected, but its low detection rate, its use this month in phishing email campaigns against multiple sectors in the U.S., and its association with past campaigns involving a variety of RATs captured our attention. Unrecom RAT began as a tool known as Frutas RAT, was subsequently rebranded as Adwind RAT, and is now distributed as Unrecom RAT.
In 2013, it was reported that Frutas RAT was used in phishing email campaigns against high profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government.
Once a system is infected, Unrecom RAT gives the attacker full control over it. Its capabilities include:
- Collection of system information (e.g. IP address, OS version, RAM, Java version, computer name, the compromised user account, etc.)
- Upload and execution of additional malware, typically exploiting vulnerabilities identified from the collected system information
- Webcam and microphone capture, without user notification
- Remote Desktop to watch user activity
- File Manager allowing access to files in the context of the current user
- Browser password theft
- Keylogging to capture passwords that are otherwise obscured from view
In the past, variants of the DarkComet and AcromRAT malware have also been observed beaconing to the same command and control (CnC) servers used by the Unrecom RAT in this campaign.
This document provides information about the recent phishing campaigns observed using this RAT and some of the associated network indicators.