    Alert: Cybercriminals Using VCURMS and STRRAT Trojans via AWS and GitHub

    A new phishing campaign has been discovered, distributing dangerous remote access trojans (RATs) such as VCURMS and STRRAT through a malicious Java-based downloader.

    The attackers are storing malware on public services like Amazon Web Services (AWS) and GitHub, using a commercial protector to evade detection.

    What’s unusual about this campaign is that VCURMS is using a Proton Mail email address (“sacriliage@proton[.]me”) to communicate with a command-and-control (C2) server.

    The attack begins with a phishing email urging recipients to click on a button to verify payment information. This leads to the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.

    Running the JAR file triggers the retrieval of two more JAR files, which are then executed separately to launch the twin trojans.

    In addition to sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract commands from the body.

    These commands include running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.
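    The chain described above leaves three observable traces on a defender's side: a JAR fetched from a public cloud host (first by a browser, then by the Java runtime for the follow-on payloads), an outbound mail carrying the beacon text to the actor's mailbox, and a Java process spawning cmd.exe. The following script is an added example, not code from the article or from any vendor report; it runs simple hunting rules for those traces over constructed proxy, mail and process log lines. The key=value log format, the field names and the bucket and host names in the samples are assumptions made for the demonstration; the beacon text, the lure file name and the mailbox are the indicators quoted in the article.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article (the defanged mailbox is re-fanged for matching).
BEACON_TEXT = "Hey master, I am online"
C2_MAILBOX = "sacriliage@proton.me"
LURE_JAR = "Payment-Advice.jar"

# Public hosting services named in the article; subdomains are matched too.
PUBLIC_HOSTS = ("amazonaws.com", "github.com", "githubusercontent.com")

# Constructed sample logs (assumed key=value format, one record per line).
# The first four lines model the campaign; the last two are benign control lines.
SAMPLE_LOGS = """
proxy ts=2024-03-12T09:01:02Z user=alice method=GET url=https://s3.amazonaws.com/constructed-bucket/Payment-Advice.jar ua=Mozilla/5.0
proxy ts=2024-03-12T09:01:40Z user=alice method=GET url=https://s3.amazonaws.com/constructed-bucket/second-stage.jar ua=Java/1.8.0_371
mail ts=2024-03-12T09:02:05Z dir=out from=alice@example.test to=sacriliage@proton.me subject=online body="Hey master, I am online"
proc ts=2024-03-12T09:05:11Z host=ws-17 parent=javaw.exe child=cmd.exe cmdline="cmd.exe /c systeminfo"
proxy ts=2024-03-12T10:00:00Z user=bob method=GET url=https://example.test/index.html ua=Mozilla/5.0
proc ts=2024-03-12T10:01:00Z host=ws-03 parent=explorer.exe child=cmd.exe cmdline="cmd.exe /c dir"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one record into (source, fields); quoted values keep their spaces."""
    line = line.strip()
    if not line:
        return None
    source, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return source, fields


def check_proxy(f):
    """JAR downloads from public hosting; a Java user agent marks the downloader stage."""
    parsed = urlparse(f.get("url", ""))
    host = (parsed.hostname or "").lower()
    if not parsed.path.lower().endswith(".jar"):
        return None
    if not any(host == h or host.endswith("." + h) for h in PUBLIC_HOSTS):
        return None
    if f.get("ua", "").startswith("Java/"):
        return "jar_fetch_by_java_runtime"
    return "jar_download_from_public_host"


def check_mail(f):
    """Outbound mail to the actor mailbox, or carrying the VCURMS check-in text."""
    if f.get("dir") != "out":
        return None
    to_actor = f.get("to", "").lower() == C2_MAILBOX
    has_beacon = BEACON_TEXT.lower() in f.get("body", "").lower()
    return "vcurms_email_beacon" if (to_actor or has_beacon) else None


def check_proc(f):
    """Java runtime spawning cmd.exe, matching the arbitrary-command capability."""
    parent = f.get("parent", "").lower()
    if parent in ("java.exe", "javaw.exe") and f.get("child", "").lower() == "cmd.exe":
        return "java_spawns_cmd"
    return None


CHECKS = {"proxy": check_proxy, "mail": check_mail, "proc": check_proc}


def hunt(log_text):
    """Return findings in log order: one dict per matching record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        source, fields = rec
        check = CHECKS.get(source)
        rule = check(fields) if check else None
        if rule:
            findings.append({"rule": rule, "ts": fields.get("ts"), "fields": fields})
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["ts"], hit["rule"])
```

    The rules are deliberately behavioural rather than hash-based: the lure file name and mailbox will change between waves, but a Java runtime pulling further JARs from a public bucket and then spawning cmd.exe is the shape of this downloader regardless of the exact artefacts.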

    The information stealer can extract sensitive data from apps like Discord and Steam; credentials, cookies, and auto-fill data from web browsers; screenshots; and detailed hardware and network information from compromised hosts.

    VCURMS is similar to another Java-based infostealer known as Rude Stealer, which appeared last year. On the other hand, STRRAT has been in the wild since at least 2020, often spread through fraudulent JAR files.

    “STRRAT is a RAT built using Java, with capabilities such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.

    This disclosure coincides with Darktrace’s revelation of a phishing campaign using automated emails from Dropbox, leading to a fake Microsoft 365 login page hosted on a suspicious domain.