Security researchers from Sophos have identified a hacking group that abused NSIS installers to deploy remote access tools (RATs) and information-stealing malware in attacks targeting industrial companies.
Sophos discovered that the group, which it tracks as RATicate, targeted industrial companies in Europe, the Middle East, and the Republic of Korea in five separate campaigns between November 2019 and January 2020; the researchers also suspect it was behind similar campaigns in the past.
These campaigns targeted various types of entities from the industrial sector, ranging from companies focused on manufacturing to investment firms and internet companies, including:
To infect the targets' systems, the attackers used two infection chains, both delivering payloads via phishing emails but differing in how the NSIS installer reaches the victim.
In the first chain, the malicious NSIS installers are carried inside ZIP, UDF, or IMG attachments; in the second, booby-trapped XLS and RTF documents download the installers from a remote server onto the victims' devices.
The NSIS (Nullsoft Scriptable Install System) installers used the same loaders but dropped different malicious payloads.
"We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks," Sophos explained.
The NSIS installers were also designed to drop a collection of junk files — from images and source code files to shell scripts and Python binaries — that help conceal the dropped malware.
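A triage check for the first infection chain, added here as an example and not code from the Sophos report: it walks a ZIP attachment (or byte-searches a raw UDF/IMG image) and flags members that carry both a PE header and the NSIS "firstheader" marker (the 0xDEADBEEF signature followed by the literal "NullsoftInst", taken from the NSIS header layout rather than from the report). The sample archive, file names and junk files are constructed for the demonstration.

```python
import io
import zipfile

# NSIS "firstheader" signature: 0xDEADBEEF (little-endian) followed by the
# literal "NullsoftInst". Assumed from the NSIS header layout; not a Sophos IOC.
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"
PE_MAGIC = b"MZ"


def scan_blob(data):
    """Return a list of findings for one file's bytes."""
    findings = []
    if data.startswith(PE_MAGIC):
        findings.append("pe-executable")
    off = data.find(NSIS_SIGNATURE)
    if off != -1:
        findings.append(f"nsis-installer@{off}")
    return findings


def scan_zip(data):
    """Walk every member of a ZIP attachment and scan each one."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = scan_blob(zf.read(info))
    return results


def scan_attachment(filename, data):
    """Dispatch on the container type the article names (ZIP, UDF, IMG)."""
    if filename.lower().endswith(".zip"):
        return scan_zip(data)
    # UDF and IMG are disc images; without mounting them, a carve-style
    # byte search for the NSIS marker over the raw image still works.
    return {filename: scan_blob(data)}


def build_sample_zip():
    """Constructed sample: a fake NSIS installer next to junk files."""
    fake_installer = b"MZ" + b"\x00" * 64 + NSIS_SIGNATURE + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", fake_installer)  # the "installer"
        zf.writestr("readme.py", b"print('junk')\n")  # decoy source file
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")  # decoy image
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_attachment("invoice.zip", build_sample_zip()).items():
        print(name, hits)
```

The marker identifies any NSIS-built installer, legitimate ones included, so a hit is a reason to detonate or unpack the file (7-Zip reads NSIS archives) rather than a verdict on its own.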
"During analysis of the samples we collected—conducted both manually and with the aid of sandboxing tools—we found several different families of RATs and infostealers," Sophos said.
"These included Lokibot, Betabot, Formbook, and AgentTesla. But all of them followed the same multi-stage unpacking process when executed."
In total, Sophos found that RATicate was behind five sequential campaigns that dropped a similar set of payloads and shared command-and-control (C&C) infrastructure.
The researchers "found that some of the different payloads from each campaign (mostly Betabot, Lokibot, AgentTesla and Formbook) shared the same C&C," suggesting that they were coordinated by the same threat actor.
"There was also a distinct clustering of the campaign timelines—there was never any overlap between them, suggesting that they were operated serially by the same threat actors."
"Some of the infrastructure was also shared across multiple campaigns, which also suggests the same actor was involved across all of them," Sophos also discovered.
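The two pivots the analysts describe, shared C&C hosts and non-overlapping timelines, can be run mechanically over campaign records. The script below is an added example and not Sophos' tooling or data: the campaign names, dates, families and C&C hosts are constructed, and the one overlapping pair is included deliberately to show the check firing.

```python
from collections import defaultdict
from datetime import date

# Constructed records, one per (campaign, payload family, C&C host):
# (campaign, first_seen, last_seen, family, c2_host). Not Sophos' data.
SAMPLE_RECORDS = [
    ("C1", date(2019, 11, 4), date(2019, 11, 12), "Lokibot", "c2-a.example"),
    ("C1", date(2019, 11, 4), date(2019, 11, 12), "Betabot", "c2-b.example"),
    ("C2", date(2019, 11, 20), date(2019, 12, 2), "Formbook", "c2-a.example"),
    ("C3", date(2019, 12, 9), date(2019, 12, 18), "AgentTesla", "c2-c.example"),
    ("C3", date(2019, 12, 9), date(2019, 12, 18), "Lokibot", "c2-b.example"),
    ("C4", date(2020, 1, 6), date(2020, 1, 15), "Betabot", "c2-d.example"),
    ("C5", date(2020, 1, 10), date(2020, 1, 20), "Formbook", "c2-e.example"),
]


def shared_c2_links(records):
    """Map each C&C host to the campaigns using it; keep hosts seen in more
    than one campaign, i.e. the infrastructure-sharing pivot."""
    by_c2 = defaultdict(set)
    for campaign, _, _, _, c2 in records:
        by_c2[c2].add(campaign)
    return {c2: camps for c2, camps in by_c2.items() if len(camps) > 1}


def cluster_campaigns(records):
    """Union-find over campaigns joined by a shared C&C host; returns sorted
    clusters so a single-actor hypothesis shows up as one large cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for campaign, *_ in records:
        find(campaign)  # register every campaign, even unlinked ones
    for camps in shared_c2_links(records).values():
        camps = sorted(camps)
        for other in camps[1:]:
            union(camps[0], other)
    clusters = defaultdict(set)
    for c in list(parent):
        clusters[find(c)].add(c)
    return sorted(sorted(s) for s in clusters.values())


def timeline_overlaps(records):
    """Return campaign pairs whose active windows overlap. Serial operation
    by one crew predicts an empty list; any pair returned needs explaining."""
    windows = {}
    for campaign, first, last, _, _ in records:
        windows[campaign] = (first, last)
    names = sorted(windows)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a0, a1 = windows[a]
            b0, b1 = windows[b]
            if a0 <= b1 and b0 <= a1:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    print("shared C&C:", shared_c2_links(SAMPLE_RECORDS))
    print("clusters:", cluster_campaigns(SAMPLE_RECORDS))
    print("overlapping windows:", timeline_overlaps(SAMPLE_RECORDS))
```

On the constructed data C1, C2 and C3 collapse into one cluster through two shared hosts while C4 and C5 stay separate, and C4/C5 are flagged for overlapping in January; both signals are suggestive rather than conclusive, since commodity malware bought from the same seller can share infrastructure across unrelated operators.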
According to Sophos, the RATicate group has since moved on to other payloads and lures, including COVID-19-themed baits designed to trick potential victims into installing malware, as shown by a series of attacks detected in March 2020.
"Based on their behavior, we’re unsure of whether the RATicate group is focused on corporate espionage or is simply acting as a malware-as-a-service provider to other actors," Sophos said.
"It could simply be that they are dropping malware on targeted companies in order to provide paid access to others, or are using InfoStealer and RAT malware as part of a larger malware distribution effort."
More details on RATicate's malware campaigns and a link to a list of indicators of compromise related to their campaigns are available in the Sophos report.