Author: Victor Sandin
On 15 February, Infoblox observed a malicious email campaign distributing a remote access trojan (RAT) known as RuRAT via a password-protected (encrypted) Microsoft Excel spreadsheet (XLS) carrying malicious macros. The threat actor(s) used a subject line referencing a fraudulent card invoice to lure recipients into opening the attachment for the details.
RuRAT is a trojan that bundles legitimate remote desktop software developed by a company called Remote Utilities.1 The software lets one user control another computer over a proprietary protocol. In 2018, threat actor(s) abused the same software in another malspam campaign targeting industrial systems.2 The Remote Utilities agent is capable of bypassing UAC controls, creating RDP sessions over the Internet, exfiltrating files, viewing the host's desktop, and installing or uninstalling software.3
In this campaign, the threat actor(s) used the subject line invoice_Videoflare Ltd and attached a password-protected XLS file (invoice_Videoflare_Ltd.xls). The email body gave a brief description of a card invoice and urged the recipient to open the “complete version” in the attachment; it also supplied the password needed to unlock the file. Putting the password in the body is what makes the lure work while keeping the macro content opaque to email gateways and antivirus engines that scan the attachment without it: the encrypted workbook cannot be statically inspected until the recipient types the password into Excel.
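Detecting this delivery pattern at the mail gateway, as an added example (Python, not Infoblox's code or tooling): the script parses a message, decides whether an Excel attachment is password-protected without knowing the password, and correlates that with a password quoted in the body and an invoice-themed subject. The sample message, its body text, the password value and the stub attachment bytes are constructed for illustration; only the subject line and attachment filename are taken from the report. The BOF/FILEPASS walk follows the BIFF8 record layout documented in MS-XLS, and the EncryptionInfo stream check follows MS-OFFCRYPTO; the scoring thresholds are arbitrary choices for this example.

```python
import email
import re
import struct
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: legacy .xls, or encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                          # plaintext OOXML (.xlsx/.xlsm/.xlsb) is a ZIP
XLS_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")

# BIFF8 record headers (MS-XLS): BOF is type 0x0809 with a 16-byte body; WriteProtect
# 0x0086 may sit between BOF and FILEPASS 0x002F; EOF 0x000A closes a substream.
BIFF8_BOF = b"\x09\x08\x10\x00"
REC_WRITEPROTECT, REC_FILEPASS, REC_EOF = 0x0086, 0x002F, 0x000A

# Matches "Password: 9182" or "passcode is abc"; a separator is required so prose such
# as "the password to open the file" does not produce a false hit.
PASSWORD_RE = re.compile(r"\bpass(?:word|code)\b\s*(?:is|[:=])\s*[\"'“]?([^\s\"'”]{3,})", re.I)


def xls_is_encrypted(data: bytes) -> bool:
    """Legacy .xls: plain and encrypted files are both OLE2, so inspect the Workbook stream.
    BOF stays in plaintext even when the rest is RC4-encrypted, and FILEPASS must follow it
    directly (after an optional WriteProtect), so both sit in BOF's 512-byte sector and a
    linear walk from BOF is safe without a full OLE2 parser."""
    if not data.startswith(OLE2_MAGIC):
        return False
    pos = data.find(BIFF8_BOF)
    if pos < 0:
        return False
    pos += 4 + 16                         # skip BOF header and body
    for _ in range(2):                    # at most WriteProtect, then FILEPASS
        if pos + 4 > len(data):
            return False
        rtype, rlen = struct.unpack_from("<HH", data, pos)
        if rtype == REC_FILEPASS:
            return True
        if rtype != REC_WRITEPROTECT:
            return False
        pos += 4 + rlen
    return False


def ooxml_is_encrypted(data: bytes) -> bool:
    """OOXML saved with a password is no longer a ZIP: it becomes an OLE2 container holding
    EncryptionInfo/EncryptedPackage streams (MS-OFFCRYPTO); stream names are UTF-16LE."""
    return data.startswith(OLE2_MAGIC) and "EncryptionInfo".encode("utf-16-le") in data


def triage(raw_eml: bytes) -> dict:
    """Score one message: encrypted spreadsheet attachment (+2), password in the body (+2),
    invoice-style subject (+1). 4 or more -> quarantine, 2-3 -> analyst review."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    pw = PASSWORD_RE.search(text)
    subject = str(msg["subject"] or "")
    result = {"subject": subject, "password_in_body": pw.group(1) if pw else None,
              "encrypted_office_attachments": [], "score": 0}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(XLS_EXTS):
            continue
        data = part.get_payload(decode=True) or b""
        check = xls_is_encrypted if name.lower().endswith(".xls") else ooxml_is_encrypted
        if check(data):
            result["encrypted_office_attachments"].append(name)
    if result["encrypted_office_attachments"]:
        result["score"] += 2
    if result["password_in_body"]:
        result["score"] += 2
    if re.search(r"invoice|payment|receipt", subject, re.I):
        result["score"] += 1
    s = result["score"]
    result["verdict"] = "quarantine" if s >= 4 else "review" if s >= 2 else "deliver"
    return result


def build_sample(encrypted: bool = True) -> bytes:
    """Constructed test message, not a capture: subject and attachment name follow the report,
    the body text and password are invented, and the attachment is a stub that mimics only
    the bytes the detector inspects (OLE2 magic, padded header sector, BOF, FILEPASS or EOF)."""
    bof = BIFF8_BOF + struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0xC1, 0x06)
    nxt = (struct.pack("<HH", REC_FILEPASS, 54) + bytes(54)) if encrypted \
        else struct.pack("<HH", REC_EOF, 0)
    xls = OLE2_MAGIC + bytes(512 - len(OLE2_MAGIC)) + bof + nxt
    msg = EmailMessage()
    msg["Subject"] = "invoice_Videoflare Ltd"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Attached is your card invoice. Open the complete version in the "
                    "attachment.\nPassword: 9182\n")
    msg.add_attachment(xls, maintype="application", subtype="vnd.ms-excel",
                       filename="invoice_Videoflare_Ltd.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The point of the two attachment checks is that neither needs the password: the encryption marker is metadata the container has to leave in the clear so Excel can find it. A gateway rule built on this correlation catches the lure regardless of what the macro inside does, and a hit is also a good trigger for detonating the attachment with the extracted password in a sandbox.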
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.