Sophos found the group abusing NSIS installers and deploying remote access tools (RATs)
The hacking group, dubbed “RATicate”, has been targeting companies in Europe, the Middle East, and the Republic of Korea in five separate campaigns between November 2019 and January 2020, and Sophos researchers suspect that the same group was behind other past attacks too.
The targeted companies ranged from the industrial sector, particularly manufacturing, to investment firms and internet companies. Namely,
- “an electrical equipment manufacturer in Romania;
- a Kuwaiti construction services and engineering company;
- a Korean internet company;
- a Korean investment firm;
- a British building supply manufacturer;
- a Korean medical news publication;
- a Korean telecommunications and electrical cable manufacturer;
- a Swiss publishing equipment manufacturer;
- a Japanese courier and transportation company.”
(as reported by BleepingComputer in their blog)
Two Infection Chains
The attackers used two infection chains, both starting from phishing emails that deliver the payload, differing only in the type of attachment used.
- The first chain had ZIP, UDF, and IMG attachments carrying NSIS (Nullsoft Scriptable Install System) installers.
- The second chain had XLS and RTF docs that downloaded the payload from a remote server to the user’s machine.
“We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks,” Sophos reports.
The NSIS installers hid the dropped malware among large numbers of junk files, such as images, source code files, shell scripts, and Python binaries.
“During the analysis of the samples we collected—conducted both manually and with the aid of sandboxing tools—we found several different families of RATs and info stealers,” Sophos explains. “These included Lokibot, Betabot, Formbook, and AgentTesla. But all of them followed the same multi-stage unpacking process when executed.”
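As an added example (not code from Sophos or from the article), the following Python triage routine covers the first infection chain described above: it unpacks a ZIP attachment, looks in each member for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst") and counts decoy files of the kinds the article lists. The extension lists and the sample archive are constructed for this example; UDF and IMG images are only flagged as unparsed containers, not opened.

```python
import io
import zipfile

# NSIS "firstheader": 0xDEADBEEF (little-endian) followed by the ASCII string "NullsoftInst".
NSIS_MARKER = b"\xEF\xBE\xAD\xDENullsoftInst"

# Decoy material the article says the installers drop alongside the payload (constructed list).
JUNK_EXTENSIONS = {".png", ".jpg", ".gif", ".c", ".cpp", ".h", ".sh", ".py", ".pyd", ".txt"}

# Container attachment types used in the first infection chain.
CONTAINER_EXTENSIONS = {".zip", ".udf", ".img"}


def _ext(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a triage verdict for one email attachment.

    Only ZIP is parsed; UDF/IMG disk images are reported as containers that
    need sandboxing, and anything else is passed through as not suspicious.
    """
    ext = _ext(name)
    verdict = {"name": name, "container": ext in CONTAINER_EXTENSIONS,
               "nsis_members": [], "junk_members": 0, "suspicious": False}
    if ext != ".zip":
        verdict["suspicious"] = verdict["container"]  # unparsed container: sandbox it
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                content = zf.read(info)
                if NSIS_MARKER in content:
                    verdict["nsis_members"].append(info.filename)
                elif _ext(info.filename) in JUNK_EXTENSIONS:
                    verdict["junk_members"] += 1
    except zipfile.BadZipFile:
        verdict["suspicious"] = True  # malformed archive is itself worth a look
        return verdict
    # An NSIS installer delivered by email inside an archive matches the described chain.
    verdict["suspicious"] = bool(verdict["nsis_members"])
    return verdict


def build_sample_zip() -> bytes:
    """Constructed sample: a fake installer stub carrying the NSIS marker plus decoy files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_setup.exe", b"MZ" + b"\x00" * 64 + NSIS_MARKER + b"\x00" * 32)
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("util.sh", b"#!/bin/sh\necho decoy\n")
        zf.writestr("helper.py", b"print('decoy')\n")
    return buf.getvalue()
```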
One Actor, Multiple Campaigns
Sophos found that RATicate was the single actor behind five sequential campaigns between November 2019 and January 2020, which used similar payloads and commands.
The security researchers “found that some of the different payloads from each campaign (mostly Betabot, Lokibot, AgentTesla, and Formbook) shared the same C&C,” suggesting the same threat group.
“There was also a distinct clustering of the campaign timelines—there was never any overlap between them, suggesting that they were operated serially by the same threat actors.”
“Some of the infrastructures were also shared across multiple campaigns, which also suggests the same actor was involved across all of them,” states Sophos.
Now, RATicate has found a new lure and payload: using COVID-19 to trick people into installing malware on their systems.