MULTI#STORM Campaign: Phishing Attacks Deploy Remote Access Trojans in India and the U.S.

 

A new phishing campaign named MULTI#STORM has emerged, targeting India and the U.S. This campaign employs JavaScript files to deliver remote access trojans (RATs) on compromised systems, leading to potential data breaches and unauthorized access.

Attack Details: According to researchers at Securonix, the attack chain of MULTI#STORM involves infecting victim machines with multiple unique RAT malware instances, such as Warzone RAT and Quasar RAT, which serve as command-and-control tools during various stages of the attack.

The attack begins with an email containing a link to a password-protected ZIP file named "REQUEST.zip," hosted on Microsoft OneDrive. The password for the ZIP file is set as "12345." Upon extracting the archive, a heavily obfuscated JavaScript file named "REQUEST.js" is revealed. Executing this file triggers the infection process by running two PowerShell commands. These commands retrieve separate payloads from OneDrive and execute them.

The first payload is a decoy PDF document presented to the victim, while the second payload is a Python-based executable that runs silently in the background. This binary acts as a dropper, extracting and executing the main payload, encoded as Base64 strings, named "Storm.exe." Additionally, the dropper establishes persistence by modifying the Windows Registry.

The binary also decodes a second ZIP file, "files.zip," containing four different files. These files are designed to bypass User Account Control (UAC) and escalate privileges by creating simulated trusted directories. One of these files, named "check.bat," bears similarities to another loader called DBatLoader despite using a different programming language.

Another file, "KDECO.bat," executes a PowerShell command to instruct Microsoft Defender to add an antivirus exclusion rule, bypassing the scanning of the "C:\Users" directory. The final stage of the attack involves deploying Warzone RAT (also known as Ave Maria), a readily available malware sold for $38 per month. Warzone RAT provides extensive capabilities for data exfiltration and downloading additional malware, such as Quasar RAT.

Conclusion: To protect against phishing attacks like MULTI#STORM, users must exercise heightened vigilance, especially when encountering emails that create a sense of urgency. It is crucial to avoid directly executing JavaScript files and remain cautious of shortcut files or those using double extensions, as they may have a higher success rate in exploiting unsuspecting victims.