Beware the Bait: New Phishing Blitz Delivers Double-Trouble RATs via Java Downloader

Beware the email that whispers “Verify your payment”: it’s the bait for a phishing scam serving up a double dose of RATs, VCURMS and STRRAT, via a cheeky Java jig. They’re partying on AWS, with invites from Proton Mail, and they’re after your digital cheese. #PhishingWithRATs

Hot Take:

Phishing with a side of RATs, coming right up! Hackers are cooking up a storm using Amazon’s web pantry and GitHub’s recipe repository to serve a malicious Java-based RATatouille. Proton Mail’s encrypted kitchen is apparently the new hotspot for C2 chatter. Bon Appétit, cybercriminals!

Key Points:

  • Fishy emails are baiting victims to click and unleash twin Java-based RATs, VCURMS and STRRAT.
  • The malware buffet is hosted on AWS and GitHub, with a sprinkle of commercial protector spice to dodge the antivirus bouncers.
  • VCURMS has a taste for Proton Mail for C2 convos, while STRRAT, the older RAT sibling, moonlights as a keylogger and credential snatcher.
  • These RATs don’t just settle for crumbs; they’re after the whole cookie jar—credentials, cookies, and sensitive data from apps and browsers.
  • Meanwhile, Darktrace is shining a light on a Dropbox-themed phishing campaign that’s trying to trick users with a fake Microsoft 365 login page.

Need to know more?

The Secret Life of JARs

Just when you thought jars were only good for jams and pickles, cybercriminals decided to stuff them with RATs instead. It's like Pandora's box, but instead of evils, it's full of malware. Our story begins with an innocent-looking phishing email that's about as trustworthy as a sushi bar at a gas station. One click to "verify payment information," and bam, you're downloading the "Payment-Advice.jar" from AWS, which is definitely not giving you any sound financial advice.

RATs Who Write Emails

VCURMS, the RAT with an email fetish, is all about that Proton Mail life. It's living in the future where malware sends emails with subject lines like "Hey master, I am online." It's like your pet waiting for you to come home but in a much more sinister and less adorable way. This RAT checks its email more diligently than most of us, looking for commands from its overlords to wreak havoc on your digital life.

The Infostealer's Grocery List

Think of VCURMS as the most invasive personal shopper. It's snooping around your digital pantry, looking to steal everything from your Discord and Steam goodies to your browser cookies and auto-fill data. It's not content with just your shopping list; it wants your entire grocery store, including extensive hardware and network information.

Older Sibling STRRAT's Tricks

STRRAT's been in the game since 2020, and it's been masquerading as fraudulent JAR files for a while now, like a wolf in sheep's clothing, or in this case, a RAT in a jar. It's a Java-built RAT with ambitions, doubling as a keylogger, and it's got a particular thirst for browser and app credentials. You might say it's the Swiss Army knife of RATs.
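As an added, defender-side illustration (not code from the original post, nor from any vendor it mentions), here is a small Python detector for the chain the three sections above describe: a `.jar` pulled from an AWS host, followed on the same machine by a Java process reaching out to Proton Mail. The log format, host names, the `javaw.exe` process name and the 30-minute correlation window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the article): "<ts> <host> <process> <dest_host> <path>"
SAMPLE_LOGS = [
    "2024-03-12T09:14:02Z WS-17 outlook.exe mail.example.com /inbox",
    "2024-03-12T09:14:40Z WS-17 chrome.exe invoices.s3.amazonaws.com /Payment-Advice.jar",
    "2024-03-12T09:15:05Z WS-17 javaw.exe mail.proton.me /api/core/v4/auth",
    "2024-03-12T09:40:00Z WS-22 chrome.exe docs.example.org /report.pdf",
    "2024-03-12T10:02:11Z WS-22 javaw.exe mail.proton.me /api/core/v4/auth",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
JAVA_PROCS = {"java.exe", "javaw.exe", "java"}          # assumption: Java runtime process names
AWS_SUFFIXES = ("amazonaws.com",)                        # assumption: AWS-hosted lure lives here
PROTON_SUFFIXES = ("proton.me", "protonmail.com")        # assumption: Proton Mail domains
CORRELATION_WINDOW = timedelta(minutes=30)               # assumption: how soon C2 follows the drop

def in_domain(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one (avoids 'notamazonaws.com')."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, dest, path = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "dest": dest, "path": path}

def detect(lines):
    """Return (severity, host, reason) findings; escalates Java->Proton Mail traffic
    to 'high' only when the same host fetched a .jar from AWS within the window."""
    findings, jar_seen = [], {}          # jar_seen: host -> time of AWS .jar download
    for e in filter(None, map(parse, lines)):
        if e["path"].lower().endswith(".jar") and in_domain(e["dest"], AWS_SUFFIXES):
            jar_seen[e["host"]] = e["ts"]
            findings.append(("medium", e["host"], f"JAR download from AWS: {e['dest']}{e['path']}"))
        elif e["proc"] in JAVA_PROCS and in_domain(e["dest"], PROTON_SUFFIXES):
            prior = jar_seen.get(e["host"])
            if prior is not None and e["ts"] - prior <= CORRELATION_WINDOW:
                findings.append(("high", e["host"], "Java process reached Proton Mail after AWS JAR download"))
            else:
                findings.append(("low", e["host"], "Java process reached Proton Mail (no prior JAR seen)"))
    return findings

if __name__ == "__main__":
    for sev, host, why in detect(SAMPLE_LOGS):
        print(f"[{sev}] {host}: {why}")
```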

Dropbox's Phishy Delivery Service

While we're on the subject of digital deceit, Darktrace has spotted another phishing campaign that's leveraging Dropbox's automated emails to deliver a side of scam. It's like finding a worm in your apple, except the apple is a PDF, and the worm is a bogus link pretending to be a Microsoft 365 login page. One wrong click, and you're not just dropping files into cloud storage; you're dropping your data into the wrong hands.

Tags: Command-and-Control Server, Credential-Harvesting, infostealer malware, Java-based downloader, malware detection, Phishing Campaign, Remote Access Trojan