Two families of remote-access Trojans (RATs) have infiltrated small companies in the U.S., the U.K. and India since early 2015 and have stolen money, according to Symantec, a Mountain View, Calif.-based technology security company. The attackers are using Trojan.Nancrat and Backdoor.Breut, both of which are publicly available, and have stolen money by targeting employees who oversee fund transfers and accounts.
For most of 2015, the majority of targets were in India. Activity in India and the U.S. has tapered off in the last few months, while attacks in the U.K. have increased.
Hackers Switch Tactics
The attackers began using Backdoor.Breut in early 2015, and then in August, they switched to Trojan.Nancrat against U.K. targets as they kept using Backdoor.Breut in other regions.
The attackers send emails from stolen or spoofed accounts. Employees are vulnerable to email-based attacks 18% of the time, based on campaigns from Symantec’s Phishing Readiness solution. This vulnerability is one reason attackers have exploited this particular access point.
Messages Trick Employees
The attackers send most messages in the morning during Eastern Standard Time (EST) or afternoon during Greenwich Mean Time (GMT). The message subjects relate to finance as a way to entice employees who have access to accounts. The subjects include: “payment remittance,” “re: invoice,” “IT payment,” “PO,” “transfer copy,” “remittance advice,” “quotation required,” “payment advise,” “inquiry,” “request for quotation,” and “quotation.”
The emails carry archive file attachments, often with .zip extensions. When the victim opens the file, the malware infects the computer. Both Trojan.Nancrat and Backdoor.Breut give attackers full control of the victim’s computer.
Attackers can then access the microphone and webcam, steal files and passwords, log keystrokes and more. They have been able to use the victim’s privileged access to transfer funds to an account that the attacker controls.
Using Backdoor.Breut in the first half of 2015, the hackers used the following domains as command and control: “cleintten101.no-ipo.biz,” “cleintten.duckdns.org,” and “clientten.1.ddns.net.”
Beginning in August, they configured a Backdoor.Breut variant to use the following domain names: “akaros79.no-ip.bz,” “mathew79.no-ip.biz,” and “clienttin1.ddns.net.”
The attackers then used “mathew79.no-ip.biz” and “akaros.no-ip.biz” for Backdoor.Breut variants as they applied the original “clientten1.ddns.net” to Trojan.Nancrat. At this point, they attacked U.K. targets using Trojan.Nancrat as they compromised other regions using Backdoor.Breut.
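As an added defensive example that is not part of the Symantec write-up, the Python below scans DNS query logs for the command-and-control domains named above and for queries to the dynamic-DNS zones those domains sit under. The log format and every entry in it are constructed for illustration; the dynamic-DNS zones also have legitimate users, so that class of hit is a triage signal rather than a verdict.

```python
import re
from typing import Dict, List

# Command-and-control domains quoted in the Symantec summary above.
KNOWN_C2 = {
    "cleintten101.no-ipo.biz", "cleintten.duckdns.org", "clientten.1.ddns.net",
    "akaros79.no-ip.bz", "mathew79.no-ip.biz", "clienttin1.ddns.net",
    "akaros.no-ip.biz", "clientten1.ddns.net",
}

# Dynamic-DNS parent zones taken from those same domains.
DYN_DNS_ZONES = ("no-ip.biz", "no-ip.bz", "no-ipo.biz", "duckdns.org", "ddns.net")

# Constructed sample log (not real data): "<timestamp> <client_ip> <query_name>".
SAMPLE_DNS_LOG = """\
2015-09-14T08:02:11Z 10.0.5.23 mail.example.com
2015-09-14T08:02:40Z 10.0.5.23 mathew79.no-ip.biz
2015-09-14T08:03:02Z 10.0.5.41 updates.example.net
2015-09-14T08:05:17Z 10.0.5.23 clientten1.ddns.net
2015-09-14T08:06:55Z 10.0.5.77 payroll-host.duckdns.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname: str) -> str:
    """Return 'known_c2', 'dyn_dns' or 'clean' for one queried name."""
    name = qname.lower().rstrip(".")  # normalise case and trailing dot
    if name in KNOWN_C2:
        return "known_c2"
    if any(name == zone or name.endswith("." + zone) for zone in DYN_DNS_ZONES):
        return "dyn_dns"
    return "clean"


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines and return only the hits, with the client for triage."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict != "clean":
            hits.append({"time": ts, "client": client, "query": qname, "verdict": verdict})
    return hits
```

Repeated hits from one client across both lists, as with 10.0.5.23 in the sample, are the pattern worth escalating to host forensics.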
While the attackers have limited resources, they can use the two types of malware to achieve full access to a computer. They can potentially rob a large amount of money and sensitive information from victims by focusing RAT infections on specific employees.
In December, four attack groups targeted finance departments in Columbia using malicious email attachments to send the W32.Extrat RAT.
What You’ll Need To Do
Since the attackers rely on social engineering, users are advised to take the following preventive measures.
• Don’t open attachments or click on links in suspicious email messages.
• If uncertain about an email, contact the IT department or report it to Symantec Security through its portal.
• Don’t provide personal data when responding to an email.
• Keep security software up to date.
• Don’t enter personal data in a pop-up web page.
Featured image from Shutterstock. Chart courtesy of Symantec.