RATicate drops info stealing malware and RATs on industrial targets

May 16, 2020

RATicate drops info stealing malware and RATs on industrial targets

Image: Syl Pierce

Security researchers from Sophos have identified a hacking group that abused NSIS installers to deploy remote access tools (RATs) and information-stealing malware in attacks targeting industrial companies.

Sophos discovered that RATicate's attacks have been targeting industrial companies from Europe, the Middle East, and the Republic of Korea as part of five separate campaigns between November 2019 and January 2020, although the researchers suspect that they were behind other similar campaigns in the past.

These campaigns targeted various types of entities from the industrial sector, ranging from companies focused on manufacturing to investment firms and internet companies, including:

  • An electrical equipment manufacturer in Romania;
  • A Kuwaiti construction services and engineering company;
  • A Korean internet company;
  • A Korean investment firm;
  • A British building supply manufacturer;
  • A Korean medical news publication;
  • A Korean telecommunications and electrical cable manufacturer;
  • A Swiss publishing equipment manufacturer;
  • A Japanese courier and transportation company.

Infection chains

To infect the targets' systems, the attackers used two infection chains, both of them involving the delivery of payloads via phishing emails but with a slight difference in the way they are deployed.

The first infection chain uses ZIP, UDF, and IMG malicious attachments containing the malicious NSIS installers, while the second uses XLS and RTF documents booby-trapped to download the installers from a remote server onto the victims' devices.

RATicate infection chains

The NSIS (Nullsoft Scriptable Install System) installers used the same loaders but dropped different malicious payloads.

"We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks," Sophos explained.

The NSIS installers were also designed to drop a collection of junk files — from images and source code files to shell scripts and Python binaries — that help conceal the dropped malware.

"During analysis of the samples we collected—conducted both manually and with the aid of sandboxing tools—we found several different families of RATs and infostealers," Sophos said.

"These included Lokibot, Betabot, Formbook, and AgentTesla. But all of them followed the same multi-stage unpacking process when executed."

One threat actor behind several campaigns

In total, Sophos found that RATicate was behind five sequential campaigns dropping a similar set of payloads and sharing command and control infrastructure.

The researchers "found that some of the different payloads from each campaign (mostly Betabot, Lokibot, AgentTesla and Formbook) shared the same C&C," suggesting that they were coordinated by the same threat actor.

"There was also a distinct clustering of the campaign timelines—there was never any overlap between them, suggesting that they were operated serially by the same threat actors."

"Some of the infrastructure was also shared across multiple campaigns, which also suggests the same actor was involved across all of them," Sophos also discovered.

RATicate campaigns

Corporate spies or MaaS provider

According to Sophos, the RATicate group has moved on to using other payloads and lures, including COVID-19-related baits designed trick potential victims into installing malware on their computers as shown by a recent series of attacks detected in March 2020.

"Based on their behavior, we’re unsure of whether the RATicate group is focused on corporate espionage or is simply acting as a malware-as-a-service provider to other actors," Sophos said.

"It could simply be that they are dropping malware on targeted companies in order to provide paid access to others, or are using InfoStealer and RAT malware as part of a larger malware distribution effort."

More details on RATicate's malware campaigns and a link to a list of indicators of compromise related to their campaigns are available in the Sophos report.

Read the original article and additional information at Cyware Social