Security News

Low-rent RAT Worries Researchers
2022-05-10 00:24

Dubbed Dark Crystal RAT, the malware is being peddled online to hackers in Russian by a lone rookie malware writer with a penchant for cut-rate pricing. "DCRat is one of the cheapest commercial RATs we've ever come across. The price for this backdoor starts at for a two-month subscription, and occasionally dips even lower during special promotions," according to BlackBerry researchers who published their findings on Monday.

No-Joke Borat RAT Propagates Ransomware, DDoS
2022-04-05 13:30

Attackers are using a newly released remote access trojan to spread ransomware and distributed denial of service - in addition to the traditional RAT function of backdooring victims' systems. Researchers at Cyble Research Labs discovered the RAT, which they dubbed Borat RAT because it uses a photo of Sacha Baron Cohen, the comedian who created and portrayed the fictional character Borat in a popular series of mockumentary films.

Borat RAT: Multiple threat of ransomware, DDoS and spyware
2022-04-04 16:30

"The Borat RAT provides a dashboard to Threat Actors to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers. Borat - named after the character made famous by actor Sacha Baron Cohen in two comedy films - comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.

Malicious Microsoft Excel add-ins used to deliver RAT malware
2022-03-24 19:56

Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins. The latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.

Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
2022-03-24 14:08

The Chinese advanced persistent threat Mustang Panda has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers - largely in and around Southeast Asia. For one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool called PlugX, according to researchers from ESET. They named this latest variant "Hodur," after a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.

TA2541: APT Has Been Shooting RATs at Aviation for Years
2022-02-15 14:02

Though a number of the group's attacks already have been tracked by various researchers - including Microsoft, Mandiant, Cisco Talos, Morphisec and others - since at least 2019, Proofpoint's latest research shares "Comprehensive details linking public and private data under one threat activity cluster we call TA2541," researchers wrote. Previously reported attacks related to TA2541 include a two-year spyware campaign against the aviation industry using the AsyncRAT called Operation Layover and uncovered by Cisco Talos last September, and a cyberespionage campaign against aviation targets spreading RevengeRAT or AsyncRAT revealed by Microsoft last May, among others.

Kimsuky hackers use commodity RATs with custom Gold Dragon malware
2022-02-08 20:35

South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. A sophisticated threat actor may choose to use commodity RATs because, for basic reconnaissance operations, these tools are perfectly adequate and don't require much configuration.

Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks
2022-02-04 03:33

A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. "The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks," Tom Fakterman, Cybereason security analyst, said in a report.

North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware
2022-01-28 01:00

A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea. "The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos said.

Unusual ‘Donald Trump’ Packer Malware Delivers RATs, Infostealers
2022-01-24 10:00

A .NET malware packer being used to deliver a variety of remote access trojans and infostealers has a fixed password named after Donald Trump, giving the new find its name, "DTPacker." The Proofpoint team that discovered DTPacker reported that the malware is notable because it delivers both embedded payloads, as well as those fetched from a command-and-control server.