Yesterday, we posted Fidelis Threat Advisory #1013 detailing a phishing campaign utilizing a remote access trojan (RAT) known as Unrecom. Over the past two weeks, we have observed an increase in attack activity associated with this campaign against U.S. state and local government, technology, advisory services, health, and financial sector targets. Attacks have also been observed against the financial sector in Saudi Arabia and Russia.
We consider this phishing campaign important because:
- The targets we have observed are in the U.S. state and local government, technology, advisory services, health, and financial sectors.
- The attached malware is known as Unrecom, a comprehensive multi-platform Java-based RAT.
- Unrecom has evolved from previous high-profile RATs such as Adwind and Frutas. Both of these have been observed in threat activity in the Middle East.
- The Unrecom samples that we have analyzed are detected by only a very small set of antivirus and antimalware products.
- The samples that we have analyzed clearly share command-and-control infrastructure with malware such as DarkComet and Arcom RAT, observed in other campaigns. Significantly, these malware families have been observed in large volumes in the Middle East.