A malicious campaign is installing RuRAT malware, which provides remote access to compromised devices. The attackers impersonate a venture capital firm that wants to invest money in, or purchase, the victim's site.
Recently, BleepingComputer received a spear-phishing email sent from an IP address belonging to a U.K. virtual server company. The email impersonated a venture capitalist interested in buying the media agency's site.
- The email asked the recipient to contact an agent named Philip Bennett on the Vuxner application.
- Researchers found a vuxner[.]com site by doing a simple Google search and said that the site promotes Vuxner Chat as a free secure instant messaging service.
- When the VuxnerChat[.]exe file is installed, it also drops additional malware, including RuRAT, onto the computer.
- RuRAT is used to gain initial access to a system, take control of it, search for credentials and sensitive data, and spread laterally across the network.
The infection chain includes several stages.
- In the first stage, the decoy URL drops and installs the Trillian software.
- After the Vuxner Trillian client is installed and exited, an installer drops a genuine remote desktop program identified as RuRATSetup[.]exe and executes it.
- Subsequently, a C:\swrbldin folder is created on the victim machine, containing various batch files, VBS scripts, and other files required for the installation of RuRAT.
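The infection chain above leaves a small set of host artifacts a defender can watch for: execution of VuxnerChat[.]exe and RuRATSetup[.]exe, and the creation of batch and VBS files under C:\swrbldin. The following is an added example, not code from the article or from any named research team, that applies those indicators to a stream of constructed endpoint events. The event layout (simple dicts with a `type`, an `image` for process starts and a `path` for file creations, loosely modelled on Sysmon-style telemetry) is an assumption for illustration.

```python
"""Added example: flag RuRAT infection-chain artifacts in endpoint events.

Indicators come from the article (defanged there as [.]); the event format
and the sample events below are constructed for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# File names and staging folder named in the article.
SUSPICIOUS_IMAGES = {"vuxnerchat.exe", "ruratsetup.exe"}
STAGING_DIR = r"c:\swrbldin"
# Batch files and VBS scripts are what the article says the folder holds.
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs)$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it is benign."""
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").lower()
        name = image.rsplit("\\", 1)[-1]
        if name in SUSPICIOUS_IMAGES:
            return f"installer-exec:{name}"
    elif kind == "file":
        path = event.get("path", "").lower()
        if path == STAGING_DIR or path.startswith(STAGING_DIR + "\\"):
            if SCRIPT_EXT.search(path):
                return f"staging-script:{path}"
            return f"staging-dir:{path}"
    return None


def scan_events(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Scan events in order and return (event id, finding) pairs."""
    findings = []
    for event in events:
        label = classify(event)
        if label is not None:
            findings.append((event["id"], label))
    return findings


def chain_detected(findings: List[Tuple[int, str]]) -> bool:
    """True when both the RuRAT installer ran and scripts were staged.

    Seeing both halves of the chain on one host is a much stronger signal
    than either artifact alone, since RuRATSetup[.]exe is itself a genuine
    remote desktop installer.
    """
    labels = [label for _, label in findings]
    ran_installer = any(l == "installer-exec:ruratsetup.exe" for l in labels)
    staged_script = any(l.startswith("staging-script:") for l in labels)
    return ran_installer and staged_script


# Constructed sample telemetry: a lure download, the legitimate Trillian
# client, the RuRAT installer, the staging folder, and an unrelated file.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\alice\Downloads\VuxnerChat.exe"},
    {"id": 2, "type": "process", "image": r"C:\Program Files\Trillian\trillian.exe"},
    {"id": 3, "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\RuRATSetup.exe"},
    {"id": 4, "type": "file", "path": r"C:\swrbldin"},
    {"id": 5, "type": "file", "path": r"C:\swrbldin\install.bat"},
    {"id": 6, "type": "file", "path": r"C:\swrbldin\run.vbs"},
    {"id": 7, "type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for event_id, label in hits:
        print(f"event {event_id}: {label}")
    print("RuRAT chain detected:", chain_detected(hits))
```

The Trillian process (event 2) is deliberately not flagged: the article describes Trillian as real software that the lure installs, so matching on it alone would generate noise. The staging folder and its scripts, combined with the installer execution, are the part worth alerting on.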
Attackers have become extremely creative and have resorted to false claims to lure targeted users into installing malware. Experts therefore recommend that professionals stay alert whenever an email appears suspicious and report it to their security team. In addition, one should avoid downloading email attachments without proper security controls in place.