Attack flow | Image: FortiGuard Labs
FortiGuard Labs has uncovered a sophisticated phishing campaign that deploys a new Remote Access Trojan (RAT) dubbed MostereRAT. The campaign combines advanced evasion tactics, the use of a Chinese scripting language, and legitimate remote access tools to achieve persistent and covert system control.
The campaign begins with phishing emails targeting Japanese users, disguised as business inquiries. According to FortiGuard Labs, “This attack campaign begins with phishing emails designed to lure Japanese users into clicking on malicious links. These emails are crafted to appear as if they come from legitimate sources, such as mimicking business inquiries, to deceive recipients into accessing an infected site.”
Once the victim visits the site, a malicious Word document is downloaded. Instead of typical lures, the document contains only one instruction: “OpenTheDocument.” This directs victims to extract and run the embedded executable payload.
The malicious executable, based on a wxWidgets GitHub sample, contains encrypted payloads hidden alongside images of famous people. FortiGuard notes: “The toolset is encrypted and bundled within the executable’s resources… The data is decrypted using a simple SUB operation with the key value of ‘A’.”
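The "simple SUB operation" the report describes is easy to reproduce on the analyst's side. The following is an added example (not FortiGuard's code and not the malware's) that decodes a resource blob by subtracting a single-byte key, checks whether the result carries a DOS/PE header, and, for the case where the key is not known, derives it from the expected header bytes. The resource bytes used here are constructed for the example, not an artifact from the campaign.

```python
# Added example: SUB-based resource decoding of the kind the report attributes to
# MostereRAT (key value 'A'), plus a sanity check on the decoded output.
# CONSTRUCTED_RESOURCE below is built in this file, not taken from a real sample.
from typing import Optional

PE_MAGIC = b"MZ"  # DOS header magic; the first two bytes of a PE image


def sub_decrypt(blob: bytes, key: int = ord("A")) -> bytes:
    """Subtract `key` from every byte, wrapping modulo 256 (the report's 'simple SUB')."""
    return bytes((b - key) & 0xFF for b in blob)


def sub_encrypt(data: bytes, key: int = ord("A")) -> bytes:
    """Inverse transform (ADD); used here only to build the constructed test input."""
    return bytes((b + key) & 0xFF for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check an analyst applies after decoding: does it start with 'MZ'?"""
    return data[:2] == PE_MAGIC


def recover_key(blob: bytes, expected_prefix: bytes = PE_MAGIC) -> Optional[int]:
    """Derive the single-byte key from known plaintext at the start of the blob.

    Under a single-byte SUB every ciphertext byte differs from its plaintext byte
    by the same constant, so the expected prefix fixes the key unambiguously.
    Returns None if the blob is too short or the prefix does not fit one key.
    """
    if len(blob) < len(expected_prefix):
        return None
    candidates = {(c - p) & 0xFF for c, p in zip(blob, expected_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def decode_resource(blob: bytes, key: int = ord("A")):
    """Decode a resource and report whether the result looks like a PE image."""
    decoded = sub_decrypt(blob, key)
    return decoded, looks_like_pe(decoded)


# Constructed stand-in for an embedded resource: a fake DOS header stub, then padding.
CONSTRUCTED_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
CONSTRUCTED_RESOURCE = sub_encrypt(CONSTRUCTED_PLAINTEXT)

if __name__ == "__main__":
    key = recover_key(CONSTRUCTED_RESOURCE)
    decoded, is_pe = decode_resource(CONSTRUCTED_RESOURCE, key)
    print("recovered key:", chr(key) if key is not None else None)
    print("PE header present after SUB-decode:", is_pe)
```

On a real extracted resource, feed the raw bytes from the executable's resource section to `decode_resource`; if `looks_like_pe` is false, the blob may be an archive or an EPL package rather than a PE, so check for other magic values before discarding it.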
One of the unique aspects is its use of Easy Programming Language (EPL), a Simplified-Chinese scripting language, to stage execution. This EPL-based loader leverages .epk files and a custom launcher to run modular payloads, making reverse-engineering more challenging.
MostereRAT uses CreateSvcRpc, a custom RPC client, to directly manipulate the Windows Service Control Manager, bypassing traditional APIs and enabling execution with SYSTEM-level privileges. Services such as “WpnCoreSvc” and “WinSvc_” are created to ensure persistence across reboots.
The malware can also escalate privileges by impersonating TrustedInstaller, one of Windows’ most powerful accounts. As FortiGuard explains, “It first enables SeDebugPrivilege and duplicates its own process token with elevated rights… Finally, it uses the TrustedInstaller token to launch a new process with full privileges.”
Persistence is further reinforced through scheduled tasks and hidden administrator accounts. A registry modification hides the account from the login screen, ensuring long-term stealth access.
MostereRAT aggressively neutralizes defenses by targeting antivirus and EDR products. FortiGuard notes: “The malware contains two built-in lists: one for security product paths and another for security product names.” These cover well-known products such as Windows Defender and those from ESET, Avast, Malwarebytes, Avira, Kaspersky, and McAfee.
The malware blocks these tools’ network communications using techniques similar to EDRSilencer, preventing alerts or telemetry from reaching security consoles. It also disables Windows security services and updates by deleting system files like wuaueng.dll and terminating processes such as SecurityHealthService.exe.
MostereRAT’s C2 communications are protected with mutual TLS (mTLS), using embedded certificates to authenticate both client and server. Commands support up to 37 different functions, including file manipulation, keystroke logging, screen capture, and payload execution via DLLs, EXEs, shellcode, or EPL modules.
The malware also deploys legitimate remote access tools such as AnyDesk, TightVNC, and RDP Wrapper, blending malicious activity with commonly seen administrative utilities. As FortiGuard warns, “MostereRAT employs more advanced and sophisticated techniques… switching to legitimate remote access tools like AnyDesk, tightVNC, and RDP Wrapper to control the victim’s system.”
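The persistence, defense-tampering and remote-tool artifacts described above (the WpnCoreSvc and WinSvc_ services, the deleted wuaueng.dll, the terminated SecurityHealthService.exe, the hidden administrator account, and the bundled AnyDesk, TightVNC and RDP Wrapper) can be checked together on a host. The following is an added triage example, not FortiGuard's code, that evaluates a host snapshot against those artifacts. The snapshot format and the sample data are constructed; the registry key used for hidden accounts is the standard Windows `SpecialAccounts\UserList` mechanism, which the report does not name, and the binary names `AnyDesk.exe`, `tvnserver.exe` and `rdpwrap.dll` are assumptions for the tools listed.

```python
# Added example: defender-side triage of a host snapshot against the MostereRAT
# artifacts named in the report. Populate a real snapshot from Get-Service,
# Get-Process, file checks and a registry export; the data below is constructed.
from typing import Dict, List, Tuple

# Assumption: the report says only "a registry modification"; this is the standard
# key Windows consults to hide accounts from the logon screen (value 0 = hidden).
HIDE_ACCOUNT_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Winlogon\SpecialAccounts\UserList")
WUAUENG_PATH = r"C:\Windows\System32\wuaueng.dll"   # Windows Update engine DLL
SUSPECT_SERVICES = {"wpncoresvc"}                   # service name from the report
SUSPECT_SERVICE_PREFIXES = ("winsvc_",)             # prefix from the report
# Assumed image names for the remote-access tools the report lists.
REMOTE_TOOL_PROCESSES = {"anydesk.exe", "tvnserver.exe"}
RDP_WRAPPER_DLL = "rdpwrap.dll"

Finding = Tuple[str, str]  # (indicator, detail)


def triage(snapshot: Dict) -> List[Finding]:
    """Return one finding per artifact present in the snapshot."""
    findings: List[Finding] = []

    # 1. Persistence services created by the malware.
    for name in snapshot.get("services", {}):
        lname = name.lower()
        if lname in SUSPECT_SERVICES or lname.startswith(SUSPECT_SERVICE_PREFIXES):
            findings.append(("suspect_service", name))

    # 2. Defense tampering: update engine deleted, Security Health process killed.
    procs = {p.lower() for p in snapshot.get("processes", [])}
    files = {p.lower(): present for p, present in snapshot.get("files", {}).items()}
    if files.get(WUAUENG_PATH.lower()) is False:
        findings.append(("missing_system_file", WUAUENG_PATH))
    if "securityhealthservice.exe" not in procs:
        # Weak on its own (the process can be absent for benign reasons); it
        # matters in combination with the other findings.
        findings.append(("security_process_absent", "SecurityHealthService.exe"))

    # 3. Accounts hidden from the logon screen.
    for user, value in snapshot.get("registry", {}).get(HIDE_ACCOUNT_KEY, {}).items():
        if value == 0:
            findings.append(("hidden_account", user))

    # 4. Remote-access tooling running or staged on disk.
    for image in sorted(procs & REMOTE_TOOL_PROCESSES):
        findings.append(("remote_access_tool", image))
    for path, present in files.items():
        if present and path.endswith(RDP_WRAPPER_DLL):
            findings.append(("remote_access_tool", path))

    return findings


# Constructed snapshots: one resembling a compromised host, one clean.
CONSTRUCTED_SNAPSHOT = {
    "services": {"Spooler": "Running", "WpnCoreSvc": "Running", "WinSvc_7": "Running"},
    "processes": ["explorer.exe", "svchost.exe", "AnyDesk.exe"],
    "files": {WUAUENG_PATH: False, r"C:\ProgramData\rdpwrap.dll": True},
    "registry": {HIDE_ACCOUNT_KEY: {"helpdesk": 0}},
}
CLEAN_SNAPSHOT = {
    "services": {"Spooler": "Running"},
    "processes": ["explorer.exe", "SecurityHealthService.exe"],
    "files": {WUAUENG_PATH: True},
    "registry": {},
}

if __name__ == "__main__":
    for indicator, detail in triage(CONSTRUCTED_SNAPSHOT):
        print(f"{indicator:24} {detail}")
```

Treat the output as a triage aid rather than a verdict: a missing `SecurityHealthService.exe` or a legitimately installed AnyDesk is a weak signal alone, while a `WinSvc_` service together with a hidden account and a deleted `wuaueng.dll` is a combination that matches the report and warrants isolating the host.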
FortiGuard concludes: “These tactics significantly increase the difficulty of detection, prevention, and analysis. In addition to keeping your solution updated, educating users about the dangers of social engineering remains essential.”