
Source: Cofense
The Cofense Phishing Defense Center (PDC) has uncovered a new wave of phishing attacks targeting organizations in Latin America. Cybercriminals are using fake judicial review emails disguised as legal notices to trick recipients into downloading SapphireRAT, a powerful remote access trojan (RAT) designed for data theft, persistence, and remote control of infected systems.
This campaign is particularly dangerous because it bypasses traditional email filtering and antivirus solutions by masquerading as legitimate legal correspondence. The attackers exploit social engineering tactics to convince victims to open malicious attachments, leading to compromised corporate networks.
As Cofense researchers warn, “The attack’s complexity lies in its ability to bypass traditional security measures, including email filtering and antivirus solutions, by disguising itself as legitimate communication related to legal matters.”
The phishing emails use urgent legal language to create a sense of fear and obligation, increasing the likelihood that the victim will engage with the malicious content.
The email includes a password-protected attachment containing a malicious .rar file. This multi-layered approach helps evade automated scanning tools by concealing the final payload.
“The threat actor provides detailed instructions on how to review and sign the relevant document which also includes the password to the document, attempting to add legitimacy to the email.”
Once the victim follows the instructions and extracts the .rar file, the infection process begins:
🔹 Step 1: Victim clicks the provided link, leading to a fake judicial review website.
🔹 Step 2: A malicious .rar archive is downloaded, bypassing email security controls.
🔹 Step 3: The archive contains two additional encrypted .rar files—both are required to extract the final payload.
🔹 Step 4: Inside the extracted files is an executable file, which deploys SapphireRAT on the system.
Once executed, SapphireRAT operates in stealth mode, leveraging Windows system processes to evade detection. It:
✅ Injects malicious code into regsvr32.exe, a legitimate Windows process.
✅ Spawns additional system processes (powershell.exe and conhost.exe) to download secondary payloads.
✅ Establishes a persistent connection to a remote command-and-control (C2) server, allowing attackers to exfiltrate data, deploy more malware, and maintain long-term access.
“When the SapphireRAT malware is executed, it initiates by performing initial setup tasks. These tasks include unpacking itself and identifying a suitable target process for code injection.”
To maintain control over the compromised system, SapphireRAT employs multiple persistence mechanisms:
🔹 Task Scheduler Manipulation: The malware creates a hidden Windows Task Scheduler entry, running the RAT every minute indefinitely.
🔹 AppData Folder Exploitation: It drops a .drv file in AppData\Roaming, granting elevated privileges and reinforcing long-term persistence.
“The malware also drops a .drv file in the AppData location to gain elevated privileges and achieve persistence, making it an effective method for conducting long-term and stealthy attacks.”
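The behaviours described above (regsvr32.exe spawning powershell.exe and conhost.exe, a scheduled task that repeats every minute, and a .drv file dropped under AppData\Roaming) are all visible in ordinary host telemetry. The following triage script is an added example written for this page, not code from Cofense or from the write-up: it runs a few detection rules over a handful of constructed, Sysmon-style event records whose field names (`image`, `parent_image`, `repetition_interval`, `creating_image`) are this example's own assumptions, and it adds one heuristic the text does not state explicitly, flagging regsvr32.exe when its parent process runs from a user-profile path.

```python
"""Triage rules for the SapphireRAT host behaviours described in the write-up.

Added example, not Cofense's code. The events below are constructed sample
telemetry (loosely modelled on Sysmon process/file/task records); the field
names are assumptions made for this example, not a real product schema.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample events: five that should fire, three benign ones that should not.
SAMPLE_EVENTS: List[Dict] = [
    {"kind": "process", "pid": 4120,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Users\ana\AppData\Local\Temp\Revision_Judicial.exe"},
    {"kind": "process", "pid": 4131,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"kind": "process", "pid": 4132,
     "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"kind": "task", "name": r"\Updater", "repetition_interval": "PT1M",
     "hidden": True, "action": r"C:\Users\ana\AppData\Roaming\svc\svc.exe"},
    {"kind": "file", "path": r"C:\Users\ana\AppData\Roaming\svc\core.drv",
     "creating_image": r"C:\Windows\System32\regsvr32.exe"},
    # Benign noise that must not fire.
    {"kind": "process", "pid": 900,
     "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "repetition_interval": "P7D", "hidden": False,
     "action": r"C:\Windows\System32\defrag.exe"},
    {"kind": "file", "path": r"C:\Windows\System32\drivers\audio.drv",
     "creating_image": r"C:\Windows\System32\svchost.exe"},
]

# Child processes the write-up attributes to the injected regsvr32.exe.
SUSPICIOUS_CHILDREN = {"powershell.exe", "conhost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_user_profile(path: str) -> bool:
    """True for paths under a user profile (AppData, Temp, Desktop, ...)."""
    low = path.lower()
    return low.startswith(r"c:\users") or "\\appdata\\" in low


def interval_seconds(iso: str) -> int:
    """Parse the small ISO-8601 duration subset Task Scheduler uses (P7D, PT1M, PT30S).

    Returns -1 for anything it cannot parse, so malformed input never matches a rule.
    """
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        return -1
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Apply the detection rules; returns (rule_id, evidence) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process":
            child, parent = basename(ev["image"]), basename(ev["parent_image"])
            # Added heuristic (not stated in the write-up): regsvr32 started by a
            # binary living in the user profile is unusual for a signed system tool.
            if child == "regsvr32.exe" and in_user_profile(ev["parent_image"]):
                findings.append(("regsvr32_from_user_path", ev["parent_image"]))
            # From the write-up: injected regsvr32.exe spawns powershell/conhost.
            if parent == "regsvr32.exe" and child in SUSPICIOUS_CHILDREN:
                findings.append(("regsvr32_spawns_shell", child))
        elif kind == "task":
            # From the write-up: hidden task repeating every minute.
            secs = interval_seconds(ev["repetition_interval"])
            if 0 < secs <= 60 and (ev.get("hidden") or in_user_profile(ev["action"])):
                findings.append(("minute_repeating_task", ev["name"]))
        elif kind == "file":
            # From the write-up: .drv dropped under AppData\Roaming.
            low = ev["path"].lower()
            if low.endswith(".drv") and "\\appdata\\roaming\\" in low:
                findings.append(("drv_in_appdata_roaming", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

Each rule is deliberately narrow and independent, so a single match is a lead rather than a verdict; in practice you would feed real process-creation, file-creation and task-registration events into `triage` and correlate hits on the same host, since the combination (regsvr32 lineage plus a one-minute task plus a .drv in Roaming) is far more specific than any one of them.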
The combination of social engineering, multi-layered payload delivery, and advanced malware techniques makes this campaign particularly dangerous.
As Cofense researchers emphasize, “SapphireRAT poses a significant threat due to its stealth, versatility, and ability to maintain persistent access to compromised systems.”