Yesterday, we posted Fidelis Threat Advisory #1013 detailing a phishing campaign utilizing a remote access trojan (RAT) known as Unrecom. Over the past two weeks, we have observed an increase in attack activity against the U.S. state and local government, technology, advisory services, health, and financial sectors associated with this campaign. Attacks have also been observed against the financial sector in Saudi Arabia and Russia.
We consider this phishing campaign important because:
Posted by ThreatGeek at 12:00 PM in advanced malware, cyber threat intelligence, Hardik Modi, malware, malware detection, network defense, prevent cyber attacks, threat assessment, threat geek, threat intelligence
Fidelis Threat Advisory #1013
RAT in a Jar: A Phishing Campaign Using Unrecom
In the past two weeks, we have observed an increase in attack activity against the U.S. state and local government, technology, advisory services, health, and financial sectors through phishing emails with what appears to be a remote access trojan (RAT) known as Unrecom. The attack has also been observed against the financial sector in Saudi Arabia and Russia.
Because Unrecom is a full-featured, multi-platform, Java-based remote access tool that most antivirus products currently do not detect, it presents a risk to a large number of potential victims regardless of operating system. The following is a screenshot of Unrecom RAT v2.0 (Spanish-language version):
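Because the payload is a Java archive rather than a native executable, a mail gateway can triage it by what the attachment is (a ZIP carrying META-INF/MANIFEST.MF with a Main-Class entry) instead of relying on antivirus signatures or on the declared file name and MIME type. The following Python script is an added example written for this advisory; it is not Fidelis code and not part of the Unrecom tooling. The e-mail, the JAR inside it, and the names used (`Loader`, `Invoice_2014.pdf.jar`) are constructed for illustration.

```python
"""Triage e-mail attachments for runnable Java archives (JARs).

Added example for this advisory, not Fidelis code. The check does not depend
on antivirus signatures: it asks whether the attachment is a ZIP that carries
META-INF/MANIFEST.MF with a Main-Class, which is what a double-clickable JAR
looks like regardless of the file name or MIME type the sender declared.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def inspect_attachment(name, data):
    """Return a dict describing a runnable JAR attachment, or None if it is not one."""
    # A JAR is a ZIP; a non-empty ZIP begins with the local file header magic.
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "META-INF/MANIFEST.MF" not in names:
                return None
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    main_class = None
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            main_class = line.split(":", 1)[1].strip()
    lower = name.lower()
    return {
        "name": name,
        "main_class": main_class,
        "class_count": sum(1 for n in names if n.endswith(".class")),
        # Renamed or double-extension delivery (e.g. "Invoice.pdf.jar") is a
        # common phishing trick; a plain "tool.jar" is not flagged here.
        "suspicious_name": (not lower.endswith(".jar")) or lower.count(".") > 1,
    }


def triage_eml(raw):
    """Parse a raw RFC 822 message and return findings for every JAR attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        hit = inspect_attachment(part.get_filename() or "<unnamed>", payload)
        if hit:
            findings.append(hit)
    return findings


def build_sample_eml():
    """Constructed test message: a harmless JAR with a Main-Class, plus a decoy PDF.

    The class bytes are fake (only the 0xCAFEBABE magic), so nothing here runs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("a/b/Stub.class", b"\xca\xfe\xba\xbe")
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached document.")
    # Declared as a generic binary with a double extension, as phishing lures often are.
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Invoice_2014.pdf.jar")
    msg.add_attachment(b"%PDF-1.4 decoy", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_eml(build_sample_eml()):
        print(finding)
```

The check keys on structure (ZIP magic, manifest, Main-Class) so it still fires when the sender relabels the attachment, and it records the Main-Class and class count, which are useful pivots when comparing samples from the same campaign.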
Over time, various reports in the community have documented the evolution of this tool. That evolution is to be expected, but three things captured our attention: its low detection rate, its use this month in phishing email campaigns against multiple sectors in the U.S., and its association with past campaigns involving a variety of RATs. Unrecom RAT began as a tool known as Frutas RAT, was subsequently rebranded as Adwind RAT, and is now distributed as Unrecom RAT.
In 2013, it was reported that Frutas RAT was used in phishing email campaigns against high profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government.
Once a system is infected, Unrecom RAT gives the attacker full control over it. Its capabilities include the following:
In the past, variants of the DarkComet and AcromRAT malware have also been observed beaconing to the same Command & Control (CnC) servers used by the Unrecom RAT in this campaign.
This document will provide information about the recent phishing campaigns observed with this RAT and some of the network indicators.