From MostereRAT to ClickFix: Emerging Malware Campaigns Illuminate Increasing AI and Phishing Threats

Cybersecurity researchers have revealed a sophisticated phishing campaign that deploys MostereRAT, a stealthy banking trojan that has evolved into a remote access trojan. According to Fortinet FortiGuard Labs, the campaign uses advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality through secondary plugins. The campaign uses Easy Programming Language (EPL) to build a staged payload, conceals its malicious operations, and disables security tools to avoid detection. Command-and-control (C2) communications are secured with mutual TLS (mTLS), and the malware supports several methods for deploying additional payloads, including popular remote access tools.

The phishing emails primarily target Japanese users, using business-inquiry lures to trick recipients into clicking malicious links that lead to compromised sites. These sites prompt the download of a booby-trapped Microsoft Word document containing a ZIP archive. Inside the ZIP file is an executable that launches MostereRAT, which subsequently drops tools such as AnyDesk, TigerVNC, and TightVNC through EPL-written modules. A significant feature of MostereRAT is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, effectively evading detection. This traffic-blocking technique is reminiscent of the red-team tool EDRSilencer, which uses Windows Filtering Platform (WFP) filters to cut off a security product's connections to its own servers and thereby stop it from transmitting detection data.
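One defender-side check that the WFP point above suggests, written here as an added example and not code from the report or from Fortinet: parse an exported WFP filter list and flag block filters bound to a security product's executable. The XML shape is an assumption modelled on a `netsh wfp show filters` export, and the sample filters, the watched-binary list and the function name are constructed for illustration.

```python
"""Flag WFP block filters pinned to security-product executables (EDRSilencer-style)."""
import xml.etree.ElementTree as ET

# Hypothetical watch list of defender binaries; illustrative, not taken from the report.
WATCHED_BINARIES = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe"}

# Constructed sample shaped like an exported filter list (schema is an assumption).
SAMPLE_FILTERS_XML = r"""<filters>
  <item>
    <filterKey>{aaaaaaaa-0000-0000-0000-000000000001}</filterKey>
    <displayData><name>Custom Outbound Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob>
        <asString>\device\harddiskvolume3\programdata\microsoft\windows defender\platform\msmpeng.exe</asString>
      </byteBlob></conditionValue>
    </item></filterCondition>
  </item>
  <item>
    <filterKey>{aaaaaaaa-0000-0000-0000-000000000002}</filterKey>
    <displayData><name>Block Notepad</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob>
        <asString>\device\harddiskvolume3\windows\system32\notepad.exe</asString>
      </byteBlob></conditionValue>
    </item></filterCondition>
  </item>
</filters>"""


def find_silenced_security_filters(xml_text, watched=WATCHED_BINARIES):
    """Return block filters whose ALE_APP_ID condition names a watched binary."""
    hits = []
    for flt in ET.fromstring(xml_text).findall("item"):
        if flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue  # permit/callout filters are not what we are hunting
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            if app.rsplit("\\", 1)[-1] in watched:  # compare on the executable name only
                hits.append({"key": flt.findtext("filterKey"),
                             "name": flt.findtext("displayData/name"),
                             "layer": flt.findtext("layerKey"), "app": app})
    return hits
```

The notepad block in the sample is deliberately ignored: the point is not that block filters exist, but that one is aimed at a security product's own process.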

Categories: Phishing Campaigns, Banking Malware, Evasion Techniques 

Tags: Phishing, Malware, MostereRAT, Evasion Techniques, Command-and-Control, Easy Programming Language, Windows Security, Remote Access Tools, Detection, Sensitive Data 
