MostereRAT Exploits AnyDesk and TightVNC for Remote Access on Windows Systems

Cybersecurity: MostereRAT Deployment and Evasion Techniques

Cybersecurity researchers at FortiGuard Labs have identified a phishing campaign utilizing the MostereRAT remote access trojan, specifically targeting Windows systems. This malware employs advanced evasion techniques and installs legitimate remote access tools such as AnyDesk and TightVNC, enabling persistent access to compromised machines.

Phishing Campaign Details

The attack begins with phishing emails aimed at Japanese users and disguised as legitimate business inquiries. Victims are redirected to websites that automatically download a malicious Word document. The document embeds a ZIP archive and displays the prompt "OpenTheDocument", urging users to execute the embedded file.

The malware keeps its components encrypted inside the dropper's resources, using images of well-known individuals as decoys. MostereRAT uses CreateSvcRpc, a custom RPC client, to talk directly to the Windows Service Control Manager instead of going through the standard service-management APIs. This lets it create services that run with SYSTEM-level privileges while evading detection by security tools.

Technical Specifications and Capabilities

This campaign notably utilizes Easy Programming Language (EPL), a programming language designed for simplicity. The initial executable, document.exe, is derived from a GitHub wxWidgets menu sample and acts as a deployment tool. The malware decrypts its payload using a SUB operation and deploys components to C:\ProgramData\Windows. The EPL-based payload consists of multiple modules for persistence, privilege escalation, and security tool interference.

MostereRAT uses a communication protocol built around a magic number and packet identifiers. It escalates privileges by leveraging the TrustedInstaller account, one of the most powerful in Windows. It also ships an EPK launcher and malicious files that require the krnln.fnr runtime library, which adds a layer of obfuscation simply because that runtime is so rarely encountered.

Security Tool Evasion

The malware identifies and targets paths and names of popular security products like 360 Safe, Windows Defender, and Malwarebytes, employing Windows Filtering Platform (WFP) filters to block network traffic from these products. This prevents them from sending detection data and alerts.
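One way a defender can look for this kind of tampering is to export the live WFP filter set with `netsh wfp show filters file=filters.xml` and scan it for block filters whose application-ID condition names a security product binary. The following is an added example written for this page, not code from the Fortinet report; the XML layout is an assumption modelled on the wfpdiag export that netsh produces, and the sample export embedded below is constructed.

```python
"""Triage a `netsh wfp show filters` XML export for BLOCK filters aimed at
security products. Added example, not from the Fortinet report. The XML
layout is an assumption modelled on netsh's wfpdiag output; SAMPLE_EXPORT is
a constructed export with one benign filter and one that blocks Defender."""
import xml.etree.ElementTree as ET

# Substrings that identify products the report says MostereRAT targets.
# Extend this tuple with the binaries of whatever EDR/AV you actually run.
SECURITY_PRODUCT_MARKERS = (
    "windows defender", "msmpeng", "mssense",
    "malwarebytes", "mbam",
    "360safe", "360sd", "360tray",
)

# Constructed sample export (assumed wfpdiag layout, not a real machine's).
SAMPLE_EXPORT = r"""<wfpdiag>
<filters>
  <item>
    <filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
    <displayData><name>Block inbound SMB</name><description/></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
    <filterCondition numItems="1">
      <item>
        <fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
        <matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_UINT16</type><uint16>445</uint16></conditionValue>
      </item>
    </filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action>
  </item>
  <item>
    <filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
    <displayData><name>Custom Outbound Filter</name><description/></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition numItems="1">
      <item>
        <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
        <matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue>
          <type>FWP_BYTE_BLOB_TYPE</type>
          <byteBlob>
            <data>00</data>
            <asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString>
          </byteBlob>
        </conditionValue>
      </item>
    </filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action>
  </item>
</filters>
</wfpdiag>"""


def find_blocked_security_products(xml_text, markers=SECURITY_PRODUCT_MARKERS):
    """Return (filterKey, layerKey, app_path) for every BLOCK filter whose
    ALE_APP_ID condition points at a known security product binary."""
    root = ET.fromstring(xml_text)
    hits = []
    for flt in root.findall("filters/item"):
        if flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # permit/callout filters are not what we are hunting
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            # netsh renders the app-id blob as an NT device path in <asString>
            app = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            if any(marker in app for marker in markers):
                hits.append((flt.findtext("filterKey"), flt.findtext("layerKey"), app))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, layer, app in find_blocked_security_products(text):
        print(f"BLOCK filter {key} at {layer} targets {app}")
```

Run it against a real export with `python wfp_triage.py filters.xml`; any hit for a binary you know should be allowed to talk to its cloud backend deserves an immediate look at the filter's provider and sublayer, since legitimate products rarely block each other's outbound traffic.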

MostereRAT’s core remote access module connects to its command-and-control servers over mutual TLS (mTLS), so both the implant and the server authenticate with certificates. It supports 37 commands covering file operations, screen capture and other forms of system control.

The malware can also install and configure AnyDesk, TightVNC and RDP Wrapper to give the attackers persistent access. These tools are configured so that only the attackers can use them, and they are hidden from legitimate users through registry and window modifications.
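The deployment path named earlier (C:\ProgramData\Windows) and the remote access tools listed here give a defender two concrete things to hunt for in endpoint telemetry: remote access binaries running from somewhere other than their normal install location, and anything executing out of the staging directory. The following is an added example for this page, not code from the Fortinet report or any product; the event records are constructed, and the field names (type, image, parent, service_name, binary_path) are an assumption rather than any vendor's schema, so map them to your EDR or Sysmon fields before use.

```python
"""Flag remote-access tool deployments and MostereRAT-style staging paths in
endpoint telemetry. Added example, not from the Fortinet report. Event field
names are an assumption (not any product's schema) and SAMPLE_EVENTS is
constructed."""
from pathlib import PureWindowsPath

# Tools the report says MostereRAT installs, with the directories a normal
# vendor install of each lives under (lower-case, for comparison).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe":   ("c:\\program files (x86)\\anydesk", "c:\\program files\\anydesk"),
    "tvnserver.exe": ("c:\\program files\\tightvnc",),
    "rdpwrap.dll":   (),   # RDP Wrapper has no vendor-blessed location at all
}
# Drop directory named in the report.
STAGING_DIR = "c:\\programdata\\windows"


def _norm(path):
    """Lower-case, backslash-normalised Windows path for comparison."""
    return str(PureWindowsPath(path)).lower()


def _under(path, directory):
    """True if `path` sits inside `directory` (not merely shares a prefix)."""
    return _norm(path).startswith(_norm(directory) + "\\")


def _binary_findings(path):
    """Checks that apply to any binary path, from a process or a service."""
    out = []
    name = PureWindowsPath(path).name.lower()
    expected_dirs = REMOTE_ACCESS_TOOLS.get(name)
    if expected_dirs is not None and not any(_under(path, d) for d in expected_dirs):
        out.append(f"remote-access tool outside its expected install path: {path}")
    if _under(path, STAGING_DIR):
        out.append(f"binary under MostereRAT staging directory: {path}")
    return out


def triage(events):
    """Return (event_index, message) pairs for every suspicious event."""
    results = []
    for idx, ev in enumerate(events):
        msgs = []
        if ev.get("type") == "process_create":
            msgs += _binary_findings(ev["image"])
            if ev.get("parent") and _under(ev["parent"], STAGING_DIR):
                msgs.append(f"parent process lives in staging directory: {ev['parent']}")
        elif ev.get("type") == "service_install":
            msgs += [f"service {ev.get('service_name', '?')}: {m}"
                     for m in _binary_findings(ev["binary_path"])]
        results.extend((idx, m) for m in msgs)
    return results


# Constructed sample telemetry: a legitimate AnyDesk launch, a staged copy
# spawned from the drop directory, a TightVNC service registered from the
# drop directory, and an unrelated benign process.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\Windows\AnyDesk.exe",
     "parent": r"C:\ProgramData\Windows\document.exe"},
    {"type": "service_install", "service_name": "tvnserver",
     "binary_path": r"C:\ProgramData\Windows\tvnserver.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for idx, msg in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

The path-prefix check deliberately appends a backslash so that a directory such as C:\ProgramData\WindowsUpdate does not match the staging directory; when you wire this to real telemetry, keep that behaviour and add the install roots your own software deployment uses, otherwise a legitimately packaged AnyDesk will page you every morning.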

Conclusion

MostereRAT represents a significant development in remote access trojan capabilities, integrating social engineering, evasion techniques, and legitimate tool misuse for persistent system compromise. Organizations are advised to implement comprehensive security training, maintain updated security solutions, and monitor for unusual remote access tool deployments to mitigate such threats.
