Attack flow | Image: FortiGuard Labs
FortiGuard Labs has uncovered a sophisticated phishing campaign that deploys a new Remote Access Trojan (RAT) dubbed MostereRAT. The campaign combines advanced evasion tactics, the use of a Chinese scripting language, and legitimate remote access tools to achieve persistent and covert system control.
The campaign begins with phishing emails targeting Japanese users, disguised as business inquiries. According to FortiGuard Labs, "This attack campaign begins with phishing emails designed to lure Japanese users into clicking on malicious links. These emails are crafted to appear as if they come from legitimate sources, such as mimicking business inquiries, to deceive recipients into accessing an infected site."
Once the victim visits the site, a malicious Word document is downloaded. Instead of typical lures, the document contains only one instruction: "OpenTheDocument." This directs victims to extract and run the embedded executable payload.
The malicious executable, based on a wxWidgets GitHub sample, contains encrypted payloads hidden alongside images of famous people. FortiGuard notes: "The toolset is encrypted and bundled within the executable's resources… The data is decrypted using a simple SUB operation with the key value of 'A'."
One of the unique aspects is its use of Easy Programming Language (EPL), a Simplified-Chinese scripting language, to stage execution. This EPL-based loader leverages .epk files and a custom launcher to run modular payloads, making reverse-engineering more challenging.
MostereRAT uses CreateSvcRpc, a custom RPC client, to directly manipulate the Windows Service Control Manager, bypassing traditional APIs and enabling execution with SYSTEM-level privileges. Services such as "WpnCoreSvc" and "WinSvc_" are created to ensure persistence across reboots.
The malware can also escalate privileges by impersonating TrustedInstaller, one of Windows' most powerful accounts. As FortiGuard explains, "It first enables SeDebugPrivilege and duplicates its own process token with elevated rights… Finally, it uses the TrustedInstaller token to launch a new process with full privileges."
Persistence is further reinforced through scheduled tasks and hidden administrator accounts. A registry modification hides the account from the login screen, ensuring long-term stealth access.
MostereRAT aggressively neutralizes defenses by targeting antivirus and EDR products. FortiGuard notes: "The malware contains two built-in lists: one for security product paths and another for security product names." These include well-known vendors such as Windows Defender, ESET, Avast, Malwarebytes, Avira, Kaspersky, and McAfee.
The malware blocks these tools' network communications using techniques similar to EDRSilencer, preventing alerts or telemetry from reaching security consoles. It also disables Windows security services and updates by deleting system files like wuaueng.dll and terminating processes such as SecurityHealthService.exe.
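As an added defender-side illustration (not code from the FortiGuard report or this article), the following Python flags the host-level indicators described in the persistence and defense-evasion sections above: the WpnCoreSvc and WinSvc_ service names, deletion of wuaueng.dll, and termination of SecurityHealthService.exe. The event shape and field names are an assumed simplification of Windows System log and Sysmon records, the sample events are constructed, and treating WinSvc_ as a name prefix is an assumption.

```python
import re

# Indicators named in the report: service names, deleted update DLL, killed health service.
# "WinSvc_" is treated as a prefix (assumption; the report gives only the stem).
SUSPICIOUS_SERVICE_NAMES = re.compile(r"^(WpnCoreSvc|WinSvc_.*)$")
TAMPERED_FILES = {"wuaueng.dll"}
TAMPERED_PROCESSES = {"securityhealthservice.exe"}

# Constructed sample events in a simplified shape (assumed field names, not a real export).
# event_id 7045 = service installed (System log), 23 = Sysmon file delete,
# 5 = Sysmon process terminated.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "WpnCoreSvc", "image_path": r"C:\Users\Public\svc.exe"},
    {"event_id": 7045, "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "service_name": "WinSvc_1a2b", "image_path": r"C:\ProgramData\w.exe"},
    {"event_id": 23, "target_filename": r"C:\Windows\System32\wuaueng.dll"},
    {"event_id": 23, "target_filename": r"C:\Users\alice\notes.txt"},
    {"event_id": 5, "image": r"C:\Windows\System32\SecurityHealthService.exe"},
    {"event_id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]


def basename(path):
    """Return the final component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def detect_mostererat_tampering(events):
    """Return (finding_type, indicator) pairs for events matching the reported behaviour."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045 and SUSPICIOUS_SERVICE_NAMES.match(ev.get("service_name", "")):
            findings.append(("suspicious_service", ev["service_name"]))
        elif eid == 23 and basename(ev.get("target_filename", "")).lower() in TAMPERED_FILES:
            findings.append(("security_file_deleted", basename(ev["target_filename"])))
        elif eid == 5 and basename(ev.get("image", "")).lower() in TAMPERED_PROCESSES:
            findings.append(("security_process_terminated", basename(ev["image"])))
    return findings


if __name__ == "__main__":
    for kind, indicator in detect_mostererat_tampering(SAMPLE_EVENTS):
        print(f"{kind}: {indicator}")
```

A production rule would additionally correlate these hits on one host within a short window, since a lone service install or file deletion is common benign noise.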
MostereRAT's C2 communications are protected with mutual TLS (mTLS), using embedded certificates to authenticate both client and server. Commands support up to 37 different functions, including file manipulation, keystroke logging, screen capture, and payload execution via DLLs, EXEs, shellcode, or EPL modules.
The malware also deploys legitimate remote access tools such as AnyDesk, TightVNC, and RDP Wrapper, blending malicious activity with commonly seen administrative utilities. As FortiGuard warns, "MostereRAT employs more advanced and sophisticated techniques… switching to legitimate remote access tools like AnyDesk, tightVNC, and RDP Wrapper to control the victim's system."
FortiGuard concludes: "These tactics significantly increase the difficulty of detection, prevention, and analysis. In addition to keeping your solution updated, educating users about the dangers of social engineering remains essential."