{"id":6045,"date":"2021-02-19T13:59:48","date_gmt":"2021-02-19T21:59:48","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6045"},"modified":"2024-04-26T13:20:53","modified_gmt":"2024-04-26T20:20:53","slug":"malspam-campaign-with-fake-invoice-drops-rurat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-with-fake-invoice-drops-rurat\/","title":{"rendered":"Malspam Campaign with Fake Invoice Drops RuRAT"},"content":{"rendered":"

Author: Victor Sandin<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 15 February, Infoblox observed a malicious email campaign distributing a remote access trojan (RAT) known as RuRAT, via an encrypted Microsoft Excel spreadsheet (XLS) with malicious macros. In this campaign, threat actor(s) used an email subject referencing a fraudulent card invoice to lure users into opening the malicious attachment for details.<\/p>\n

Customer Impact<\/h3>\n

RuRAT is a trojan that contains a legitimate remote desktop software developed by a company called Remote Utilities.1<\/sup> The software allows the user to control another computer through a proprietary protocol. In 2018, threat actor(s) abused this software in another malspam campaign targeting industrial systems.2<\/sup> Remote Utilities\u2019 agent is capable of bypassing UAC controls, creating RDP sessions over the Internet, exfiltrating files, observing the host\u2019s desktop and installing\/uninstalling software.3<\/sup><\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, the threat actor(s) used the subject line invoice_Videoflare Ltd <\/em>and attached an encrypted XLS file (invoice_Videoflare_Ltd.xls<\/em>). The emails contained a brief description of a card invoice to lure the victim into opening the \u201ccomplete version\u201d in the attached file. The email body also included the password to access the locked XLS file.<\/p>\n

Attack Chain<\/h3>\n

When the user opens the XLS file, inputs the password included in the email and enables macros, Excel runs a VBA macro that downloads an executable from the threat actor\u2019s server to the user directory. The macro then launches the executable that prompts RuRAT to be installed.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following to reduce the risk of this type of infection:<\/p>\n