A newly identified malware threat, known as MostereRAT, is targeting Windows users through sophisticated phishing campaigns. Cybersecurity researchers at FortiGuard Labs have classified this malware as having a “high severity” level, warning that it grants hackers complete remote control of infected systems.

The attack begins with convincing phishing emails that resemble legitimate business inquiries and are aimed specifically at users in Japan. Victims who click the malicious links download a malicious file, which in turn prompts them to open an embedded archive containing the malware itself.

One of the significant challenges in combating MostereRAT is its evasion techniques. It is written in Easy Programming Language (EPL), a programming language designed for Chinese speakers and rarely seen in malware. Because few analysts and tools are familiar with EPL, reverse engineering the sample takes longer. MostereRAT also actively disables security tools and antivirus software, blocks their network traffic, and shuts down essential Windows security features.

Remote Access and Communication Security

Once operational, MostereRAT deploys a range of remote access tools, including AnyDesk and TightVNC, both legitimate software used for remote work. However, in this context, attackers leverage these programs to gain full access to victims’ computers, enabling them to control systems, gather sensitive data, and install further malicious payloads.

The malware also creates a hidden user account with administrative privileges, giving the attackers a way back in even if the victim removes the malware itself. Communication with its command-and-control (C2) server uses mutual TLS (mTLS): the channel is encrypted and both ends authenticate with certificates, so defenders cannot easily inspect the traffic or stand up a fake C2 server to study the malware's behaviour.
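The remote access tools and the hidden administrator account described above are the artifacts a responder would look for on a suspect host. The following read-only triage script is an added example, not code from the article or from FortiGuard Labs. It assumes, since the article does not say how the account is hidden, that the account is hidden from the sign-in screen through the Winlogon SpecialAccounts\UserList registry key (a common technique), and that AnyDesk and TightVNC are installed with their usual Windows service names ("AnyDesk" and "tvnserver"). The expected-administrator list is a placeholder to replace with your own build standard.

```powershell
# Added example: read-only triage for MostereRAT-style artifacts.
# Run in an elevated PowerShell session on the suspect host.
# Assumptions (not stated by the article): hidden-account technique is the
# Winlogon SpecialAccounts\UserList key; service names 'AnyDesk' and 'tvnserver'.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Local administrators that are not on the expected list.
#    $expectedAdmins is a placeholder; replace it with the accounts your build provisions.
$expectedAdmins = @('Administrator', 'Domain Admins')
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = $member.Name.Split('\')[-1]
    if ($expectedAdmins -notcontains $shortName) {
        $findings.Add("Unexpected local administrator: $($member.Name) (source: $($member.PrincipalSource))")
    }
}

# 2. Accounts hidden from the sign-in screen. A DWORD of 0 under this key hides
#    the named account from the Windows logon UI; legitimate software rarely sets it.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
if (Test-Path $userListKey) {
    $entries = Get-ItemProperty -Path $userListKey
    foreach ($prop in $entries.PSObject.Properties) {
        if ($providerProps -notcontains $prop.Name -and $prop.Value -eq 0) {
            $findings.Add("Account hidden from sign-in screen: $($prop.Name)")
        }
    }
}

# 3. Remote access tool services. Normal on a helpdesk machine, suspicious on a
#    workstation that never had them installed.
foreach ($svcName in @('AnyDesk', 'tvnserver')) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add("Remote access service present: $($svc.Name) ($($svc.Status))")
    }
}

# 4. Defender state. The malware is reported to disable security tooling, so a
#    disabled real-time engine on a managed host is itself a signal.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Microsoft Defender real-time protection is disabled')
}

# 5. Enabled outbound block rules, listed for review, since the article says the
#    malware blocks security tools' network traffic.
$blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $blockRules) {
    $findings.Add("Outbound block rule: $($rule.DisplayName)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No MostereRAT-style artifacts found.'
} else {
    foreach ($f in $findings) { Write-Output "[!] $f" }
}
```

Every check is a heuristic: a remote access service or a block rule may be legitimate on a given host, so treat a hit as a lead for the responder rather than a verdict, and compare the output against a known-clean build of the same image.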

According to FortiGuard Labs, MostereRAT has evolved from a banking trojan first detected in 2020 into a more formidable threat. To counter this, Fortinet has developed protective measures to detect and block MostereRAT.

Recommendations for Organizations

Experts emphasize the importance of educating employees about the dangers of social engineering to prevent initial attacks. “Given that the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defense,” stated Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch. She recommends enforcing browser security policies that restrict automatic downloads and require user confirmation before downloading files from unknown sources.
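One way to apply the download restrictions recommended above on Chrome and Edge is through their machine-level policy registry keys. The script below is an added example, not a configuration from the article or from Deepwatch. It uses the vendors' documented DownloadRestrictions and PromptForDownloadLocation policies; the specific values chosen here are the author's assumption about a sensible baseline, and on a domain the same settings would normally be pushed by Group Policy or Intune rather than written directly.

```powershell
# Added example: enforce browser download policies via the registry.
# Run elevated. Chrome reads HKLM\SOFTWARE\Policies\Google\Chrome and
# Edge reads HKLM\SOFTWARE\Policies\Microsoft\Edge.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # DownloadRestrictions: 0 = no restriction (the default), 1 = block downloads the
    # browser classifies as dangerous, 2 = also block potentially dangerous downloads,
    # 3 = block all downloads. Value 2 is the baseline assumed in this example.
    Set-ItemProperty -Path $key -Name 'DownloadRestrictions' -Type DWord -Value 2

    # PromptForDownloadLocation = 1: the browser asks for a save location on every
    # download, so nothing lands silently in the Downloads folder.
    Set-ItemProperty -Path $key -Name 'PromptForDownloadLocation' -Type DWord -Value 1
}

# Read the settings back so the change can be verified on the host.
foreach ($key in $policyKeys) {
    Get-ItemProperty -Path $key -Name 'DownloadRestrictions', 'PromptForDownloadLocation' |
        Select-Object @{ Name = 'Key'; Expression = { $key } }, DownloadRestrictions, PromptForDownloadLocation
}
```

After the browser is restarted, the settings appear on its policy page (chrome://policy or edge://policy) with a "Mandatory" source, which is a quick way to confirm they took effect.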

Additionally, organizations should give user accounts only the privileges they need. Malware that starts with a standard user's rights rather than an administrator's has further to climb before it can reach SYSTEM or TrustedInstaller, which limits the damage an infection like this can do.

The emergence of MostereRAT highlights the ongoing challenges in cybersecurity, particularly as attackers employ increasingly sophisticated methods to compromise systems. By focusing on user education and robust security measures, organizations can better protect themselves against this growing threat.