This simple phishing email hides fileless malware strains AveMariaRAT, BitRAT, and PandoraHVNC to infect devices no matter what antivirus they use

Researchers at security firm Fortinet report detecting a malicious campaign that delivers three fileless malware strains with advanced information-stealing capabilities. The malware is delivered through a phishing campaign, disguised as an alleged payment will sent as an Excel file.

According to the report, the malware variants delivered in this attack are remote access Trojans (RATs) identified as:

  • AveMariaRAT: This strain has sophisticated functionalities such as stealing sensitive information, privilege escalation, remote desktop and camera capture, a keylogging module, and cookie theft
  • PandoraHVNC RAT: This is a commercial tool written in C# that supports credential theft from platforms such as Chrome, Microsoft Edge, Firefox, and Outlook. Pandora can also capture screenshots and manipulate the mouse on the target system
  • BitRAT: This tool has multiple commands for remotely controlling affected systems, allowing threat actors to download and execute malicious files, control processes and services, and perform other tasks typical of any RAT

For the researchers, the use of BitRAT is the main risk in this campaign, since it is a very versatile and accessible tool sold for just $20. A couple of months ago a hacking campaign against Windows systems using BitRAT was identified, disguised as a Microsoft license activator distributed through a very popular storage service in South Asia.

Despite its advanced capabilities, a potential attack is not very hard to identify, since it relies on a rather crude phishing lure. In addition, the success of the intrusion depends entirely on the target user ignoring Microsoft's warnings and enabling macro execution in the malicious document.

Still, email-based attack campaigns are highly effective, so these risks should not be dismissed. As in any similar attack, the best tool is prevention.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.