SecurityWeek

Cybercrime

Rarstone RAT Being Used in Targeted Attacks in Asia: Trend Micro

Trend Micro researchers have found evidence of the Rarstone remote access tool (RAT) in targeted attacks against various organizations in the telecommunications and energy industries in Asia.

Rarstone has been used in targeted attacks in India, Malaysia, Singapore, and Vietnam, Maharlito Aquino, a threats analyst with Trend Micro, wrote on the company’s Security Intelligence blog Thursday. The spear-phishing campaign relied on messages related to diplomatic discussions in the Asia-Pacific region, Aquino said. The messages contained a malicious RTF document exploiting a flaw in the Windows Common Controls (CVE-2012-0158).

Microsoft patched the vulnerability in April 2012.

“Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities,” Aquino wrote.

The list of targeted industries is a little worrying, as it includes telecommunications, oil and gas, media, and government organizations. There have been a number of targeted attacks against the energy industries recently, with attackers out to steal information as well as cause damage.

When the unsuspecting recipient opens the attachment, it triggers a call to the command-and-control server to download the Rarstone backdoor while dropping a decoy document onto the user’s system. The user sees the decoy document and doesn’t notice the malware, which is loaded directly into memory, Aquino said.

Trend Micro named this particular campaign Naikon, after a user-agent string (Nokian95/Web) included in the attacks. The vulnerability exploited by the Naikon emails was also used in the recent “Safe” campaign, which compromised several government agencies, media outlets, and other organizations.

The attackers “clearly tried to make the work of security researchers more difficult,” Aquino wrote.

Because the RAT is loaded into memory, it is difficult to detect Rarstone using ordinary, file-based scanning technologies, and traditional defenses such as blacklisting and perimeter controls are not enough to detect or block these campaigns, Aquino said. Instead, organizations need to be scrutinizing their network traffic for suspicious packets.
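As an added illustration of the network-side scrutiny the article calls for (not code from Trend Micro or SecurityWeek), the script below scans constructed proxy log lines for the Nokian95/Web user-agent string the article attributes to the Naikon campaign, and for hosts under dynamic-DNS suffixes, since the article notes the C&C domains were often dynamic DNS. The log format, the sample lines, and the dynamic-DNS suffix list are assumptions made for the example; the user-agent string is the one named in the article.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines for the example (not from the article).
# Assumed format: <timestamp> <client_ip> <host> "<user-agent>"
SAMPLE_LOG = """\
2013-05-09T10:01:02Z 10.0.0.12 www.example.com "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-05-09T10:01:07Z 10.0.0.23 updates.example.net "Nokian95/Web"
2013-05-09T10:02:15Z 10.0.0.23 host1.dyn-example.net "Mozilla/4.0 (compatible; MSIE 8.0)"
2013-05-09T10:03:40Z 10.0.0.45 www.example.org "Nokian95/Web"
"""

# User-agent string the article reports was included in the Naikon attacks.
NAIKON_USER_AGENT = "Nokian95/Web"

# Placeholder dynamic-DNS suffixes (assumption; replace with your own list).
DYNAMIC_DNS_SUFFIXES = (".dyn-example.net", ".ddns-example.org")

# One regex for the assumed four-field log format; the user-agent is quoted
# because it contains spaces.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    host: str
    reason: str


def parse_line(line):
    """Return (timestamp, client_ip, host, user_agent) or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def scan(log_text):
    """Flag lines carrying the Naikon user-agent or contacting dynamic-DNS hosts."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the assumed format
        ts, ip, host, ua = parsed
        if ua == NAIKON_USER_AGENT:
            findings.append(Finding(ts, ip, host, "naikon-user-agent"))
        if host.lower().endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append(Finding(ts, ip, host, "dynamic-dns-host"))
    return findings


def clients_of_interest(findings):
    """Distinct internal hosts worth triaging, sorted for stable output."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} -> {f.host} [{f.reason}]")
    print("triage:", clients_of_interest(scan(SAMPLE_LOG)))
```

The user-agent check only works where the HTTP headers are visible, such as an explicit proxy or a TLS-inspecting gateway; once the RAT talks to its C&C over SSL, as the article says Rarstone does, the header is hidden, and the host-based check (applied to DNS query logs or TLS server-name logs instead of proxy logs) is what remains. Treat both matches as triage leads for host investigation, not as proof of compromise.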

Rarstone has characteristics similar to the older and better-known PlugX, according to Trend Micro. PlugX campaigns have used the Boston Marathon bombing as one of their social-engineering lures. Rarstone differs from PlugX in that it can read installer properties from the Uninstall registry keys (the entries Windows uses to list installed programs), Aquino said. Not only does Rarstone know what applications are installed on the system, it knows how to uninstall them in case one of the applications interferes with its execution.

Rarstone also uses SSL to encrypt its communications with its C&C server, Aquino said. The domains used in Naikon were either dynamic DNS domains, or registered with registrars offering privacy protection.

Aquino did not include any other information about the targeted organizations in the post.
