MostereRAT: Exploiting Windows Systems Using AnyDesk and TightVNC for Remote Access
Security researchers have recently uncovered a sophisticated campaign leveraging a novel Remote Access Trojan (RAT) known as MostereRAT, which specifically targets Windows systems by deploying legitimate remote access tools such as AnyDesk and TightVNC. This malware represents a significant evolution from earlier banking trojans, as it combines social engineering with advanced evasion techniques to establish covert full-system control. The initial infection vector relies on highly localized phishing emails that masquerade as business communications, directing victims to a malicious website hosting a Word document containing a hidden archive. Upon opening the document, the embedded payload quietly installs MostereRAT components without alerting standard security tools.
MostereRAT’s developers have adopted a multi-stage delivery approach to obscure its true nature. The executable, based on a wxWidgets sample, decrypts additional modules bundled within its resource section using a simple subtraction cipher keyed by the character “A.” Once extracted to `C:\ProgramData\Windows`, these components are orchestrated via a custom RPC client that bypasses the public Service Control Manager (SCM) APIs to create services running under SYSTEM privileges. Fortinet analysts have identified the use of mutual TLS (mTLS) for Command and Control (C2) communications, ensuring that network traffic remains encrypted and authenticated in both directions.

During execution, MostereRAT installs two services, WpnCoreSvc (auto-start) and WinSvc_32263003 (demand start), to guarantee persistence across reboots and on-demand operation. Additionally, the malware disables critical Windows security processes and services, including SecurityHealthService.exe, wuauserv, and UsoSvc, while modifying registry policies to prevent updates and hide notifications. By terminating or hijacking these security mechanisms, the threat maintains a foothold without triggering alerts from antivirus or Endpoint Detection and Response (EDR) solutions.
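The service and tampering behaviour described above translates directly into host triage checks. The following is an added example (not Fortinet's code or anything from the campaign) that flags service-install events (Windows System log Event ID 7045) matching the named services or the `C:\ProgramData\Windows` drop directory, and flags the listed security services when their start type has been set to Disabled; the event dictionary shape, the `Finding` class and the sample records are constructed for this illustration.

```python
"""Triage helper for the MostereRAT indicators in the write-up above.
Added example, not Fortinet's code; the input shapes are assumptions."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up: installed service names, the drop
# directory, and the security services the malware disables.
SUSPECT_SERVICES = {"WpnCoreSvc", "WinSvc_32263003"}
DROP_DIR = re.compile(r"^c:\\programdata\\windows\\", re.IGNORECASE)
SECURITY_SERVICES = {"SecurityHealthService", "wuauserv", "UsoSvc"}


@dataclass
class Finding:
    rule: str
    detail: str


def check_service_installs(events):
    """events: dicts with 'event_id', 'service_name', 'image_path' (assumed shape)."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 7045:  # 7045 = "A service was installed"
            continue
        name, path = ev.get("service_name", ""), ev.get("image_path", "")
        if name in SUSPECT_SERVICES:
            findings.append(Finding("known_service_name", f"{name} -> {path}"))
        elif DROP_DIR.match(path):
            findings.append(Finding("service_from_programdata", f"{name} -> {path}"))
    return findings


def check_security_services(states):
    """states: service name -> (start_type, status). Normal start types for
    these services are Manual/Automatic; Disabled (or absent) is the tamper signal."""
    findings = []
    for svc in sorted(SECURITY_SERVICES):
        start, status = states.get(svc, ("missing", "missing"))
        if start.lower() in ("disabled", "missing"):
            findings.append(Finding("security_service_tampered", f"{svc}: {start}/{status}"))
    return findings


def triage(events, states):
    return check_service_installs(events) + check_security_services(states)


# Constructed sample telemetry (file names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "WpnCoreSvc", "image_path": r"C:\ProgramData\Windows\svc.exe"},
    {"event_id": 7045, "service_name": "WinSvc_32263003", "image_path": r"C:\ProgramData\Windows\svc.exe -demand"},
    {"event_id": 7045, "service_name": "UpdaterX", "image_path": r"C:\ProgramData\Windows\upd.exe"},
    {"event_id": 7045, "service_name": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"event_id": 7036, "service_name": "wuauserv", "image_path": ""},
]
SAMPLE_STATES = {"SecurityHealthService": ("Disabled", "Stopped"),
                 "wuauserv": ("Disabled", "Stopped"), "UsoSvc": ("Manual", "Running")}
```

Feeding real 7045 events (e.g. exported with `Get-WinEvent` and mapped into the dict shape) and a `Get-Service` snapshot into `triage()` turns the write-up's indicators into a repeatable host check.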
Categories: Malware Analysis, Remote Access Trojans, Phishing Attacks
Tags: MostereRAT, Remote Access Trojan, Windows, Phishing, Malware, Evasion Techniques, Encryption, Persistence, Security Processes, Keylogging