Bad actors are stepping up. FortiGuard Labs has uncovered a phishing campaign that installs MostereRAT, a remote access trojan built to evade defenses and seize full control of a machine.
The path is familiar. A phishing email lands in the inbox of a Japanese user. It looks like a business inquiry, routine and harmless. A click leads to a download. A Word document appears. Inside, a simple instruction: open the archive, run the file.
That file unlocks the rest. The malware unpacks encrypted tools, hides them in system directories, and uses a custom RPC client to bypass standard Windows controls. Services are created to run with SYSTEM privileges. A fake error message in Chinese is shown to cover the tracks and lure the victim into spreading the program further.
From there, MostereRAT shows its depth. Written in Easy Programming Language, a niche Chinese coding environment, it runs staged payloads. Modules are decrypted in memory, each adding persistence, privilege escalation, or stealth.
Tampering with AV, EDR
It can run as TrustedInstaller, one of the most powerful accounts in Windows. It tampers with antivirus and EDR. It blocks traffic from security tools, echoing techniques used by red team utilities like EDRSilencer.
Command and control traffic is encrypted with mutual TLS. The malefactor’s instructions come wrapped in secure channels that look legitimate. Those commands can log keystrokes, capture screens, exfiltrate files, or inject new payloads.
One tactic stands out. Instead of relying solely on custom code, the operators install legitimate remote access software. AnyDesk. TightVNC. Even RDP Wrapper. Each configured to provide the threat actor with the same access an administrator might have. Legitimate tools, illegitimate purpose.
FortiGuard links the infrastructure back to domains seen in 2020, when the malware was still a banking trojan. Since then it has grown into a full remote access platform, with persistence, evasion, and command modules built for long-term control.
Attackers will mix the homemade with the well-known. They will borrow from GitHub projects, use consumer remote access tools, and wrap their traffic in TLS. Detection gets harder. Prevention gets harder.
What remains constant is the opening move: a phishing lure, just convincing enough to draw a click.
Exploiting Overpriviledged Users
James Maude, Field CTO at BeyondTrust, says while this malware uses some creative techniques to evade detection by chaining together novel scripting languages with trusted remote access tools, it is still following a common pattern of exploiting overprivileged users and endpoints without application control.
“As attackers evolve their techniques with creative methods to evade detection, it is vital that organizations remove users’ local administrator privileges. Time after time, malware campaigns rely on exploiting the user’s privileges to tamper with security controls, install malicious software, and harvest data. If you remove the local administrator privilege, you vastly reduce the attack surface and limit the impact of a malware infection.”
A number of the actions performed by the malware, including interfering with AV/EDR solutions and adding users to the local administrators group, require a high level of privilege on the system, Maude adds. “This is likely only possible if the user already is a local administrator, making the threat actor’s job much easier.
Blocking Unapproved Remote Access Tools
“This research also highlights the importance of blocking unapproved remote access tools, which are often used by threat actors to gain access and maintain persistence. As these tools are legitimate and signed by trusted vendors, they are unlikely to be detected as malicious by EDR solutions, however in the wrong hands they provide a back door into your organization. Organizations should monitor for and ideally block the use of unapproved remote access tools especially those which can be freely downloaded.”
Maude says organizations that have removed local administrator privileges and control application execution using Endpoint Privilege Management tools are far more resilient to these attacks. “If the attackers can’t use privileges to tamper with security controls and can’t easily execute the payloads they drop then the risk of a breach is low.”
Browser Security is Critical
Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch adds that given the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defense.
“Enforce browser security policies restricting automatic downloads and prompts users for confirmation prior to downloading files from unknown sources. Additionally, organizations should configure user accounts with the minimum necessary privileges to prevent systems from escalating privileges to SYSTEM or TrustedInstaller,” she explains.
Crippling Windows Security
Jason Soroko, Senior Fellow at Sectigo says this malware scans for many security products and blocks their traffic with Windows Filtering Platform in a style similar to EDRSilencer, while also crippling Windows security and updates and obscuring service creation.
“Security teams should harden email defenses and user reporting, enforce application allowlisting, and restrict egress so endpoints cannot freely reach the internet on uncommon ports such as 8000 9001 9002. Add detections for TrustedInstaller token abuse and untrusted parent processes spawning that service, for new Windows Filtering Platform rules that affect security tools, for stoppage or deletion of update and security components, and for the creation of hidden administrators in the SpecialAccounts UserList key, and enable tamper protection in endpoint security.”
Sorokoo also advises denying or tightly managing the installation and execution of AnyDesk, TightVNC, Xray, and RDP Wrapper, and blocking the execution of EPK package handlers where not needed. “Use Sysmon and EDR to catch early bird or in-memory execution and rundll32 launches that load unknown modules, and monitor TLS fingerprints to surface anomalous client certificate use associated with mTLS. If compromise is suspected, isolate the host, remove rogue WFP filters, rotate credentials, review RDP and remote tool artifacts, search for the hardcoded V account, and restore update components from trusted media.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.