A new spam campaign delivering the Ozone RAT has been detected targeting German-speaking users. The attack spreads via malicious Office documents. However, instead of the familiar macro malware, the operation ends with the installation of Ozone.
A Closer Look into the Ozone RAT Spam Campaign
Researchers at Fortinet have reported that the email subject contains billing information for a “Cable” service, and the attachment contains a Microsoft Word document. Naturally, neither of those has anything to do with a real cable service.
Another not-so-typical component of the attack is the hosting of the malicious PAC (proxy auto-config) file on a Tor URL via a Tor2Web proxy service such as onion(.)to.
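The PAC-file component is the one piece of this chain a defender can check mechanically: a proxy auto-config URL whose host is an onion address exposed through a Tor2Web gateway has no place in a corporate proxy setting. The following is an added example, not Fortinet's or the article's own code; the gateway names other than onion.to and the sample inventory of per-user AutoConfigURL values are constructed assumptions for illustration.

```python
"""Flag proxy auto-config (PAC) URLs that point at a Tor hidden service."""
import re
from urllib.parse import urlparse

# Tor2Web gateways expose a hidden service as <onion-address>.<gateway>.
# onion.to is the gateway named in the article; the other entries are an
# assumption for this example, not taken from the page.
TOR2WEB_GATEWAYS = ("onion.to", "onion.cab", "onion.link")

# A v2 onion address is 16 base32 characters, a v3 address is 56.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def classify_pac_url(url: str) -> str:
    """Return 'onion', 'tor2web' or 'clearnet' for a PAC URL."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".onion"):
        return "onion"
    for gateway in TOR2WEB_GATEWAYS:
        if host.endswith("." + gateway):
            # The label directly in front of the gateway must look like an onion address.
            label = host[: -len(gateway) - 1].split(".")[-1]
            if ONION_LABEL.match(label):
                return "tor2web"
    return "clearnet"


def find_suspicious_pac(entries):
    """entries: iterable of (source, url). Returns the ones worth an alert."""
    flagged = []
    for source, url in entries:
        kind = classify_pac_url(url)
        if kind != "clearnet":
            flagged.append((source, url, kind))
    return flagged


# Constructed sample of AutoConfigURL values collected from user profiles.
SAMPLE = [
    ("host01\\alice", "http://proxy.corp.example/wpad.dat"),
    ("host02\\bob", "http://abcdefghijklmnop.onion.to/proxy.pac"),
    ("host03\\carol", "http://abcdefghijklmnop.onion/proxy.pac"),
]

if __name__ == "__main__":
    for source, url, kind in find_suspicious_pac(SAMPLE):
        print(f"{source}: {kind} PAC URL {url}")
```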
The final stage of the whole scenario is the installation of a copy of the Ozone RAT. The RAT was first detected more than a year ago. Currently, it is being sold online for $20 for a standard package and $50 for a platinum package.
Why is the whole operation carried out?
The cyber criminals’ end goal is to connect to the local copy installed on the victim’s system and search for sensitive information. This is not surprising, as a set of spy components is advertised as part of the Trojan: a keylogger, a password dumper, a hidden startup routine, the ability to hide its process, the ability to download and execute other files, and a remote desktop feature.
“With RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from their websites, or simply download ‘modified’ versions, like what we used in our tests for this article,” Fortinet researchers conclude.