A new spam campaign delivering the Ozone RAT has been detected targeting German-speaking users. The attack is spread via malicious Office documents. However, instead of relying on the well-known macro technique, the operation ends with the installation of Ozone.
Interestingly, users are not prompted to enable macros in the Word document but are instead “invited” to double-click a thumbnail image, which in turn executes malicious JavaScript. This is an old technique that has not been seen in a while.
A Closer Look into the Ozone RAT Spam Campaign
Researchers at Fortinet have reported that the email subject refers to billing information for a “Cable” service, and the attachment is a Microsoft Word document. Needless to say, neither of these has anything to do with a real cable service.
As mentioned, embedded in the document is a JavaScript file, displayed as a small thumbnail of what is presented as the victim’s cable bill. The image comes with the classic instruction to double-click it to see it in full size. If the potential victim is tricked into doing so, the malicious JavaScript is executed and the next step in the infection chain is triggered.
The malicious JavaScript first installs a fake SSL certificate and then points the proxy settings of Internet Explorer, Chrome, and Firefox to a remote Proxy Auto-Config (PAC) file. The PAC file’s address is a Tor URL (Tor being a network that lets people communicate anonymously on the Internet), randomly selected from a hard-coded list in the script’s configuration.
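A .docx file is a ZIP container, and an object embedded the way described above (a file wrapped so that Word shows it as an icon or thumbnail) lands under word/embeddings/ and is referenced from word/document.xml with the ProgID "Package". The following scanner is an added example for triage, not code from the Fortinet write-up; it builds a constructed minimal document in memory rather than opening a real sample, and the XML it writes is reduced to the parts the check needs.

```python
"""Flag Word documents that carry embedded OLE "Package" objects.

Added example, not from the Fortinet write-up. It constructs a minimal
.docx-like ZIP in memory (a .docx is a ZIP; embedded objects live under
word/embeddings/ and are referenced from word/document.xml) and reports
any embedding whose ProgID is "Package", the wrapper used to drop an
arbitrary file such as a .js script into a document behind an icon.
"""
import io
import re
import zipfile

# Real part-name prefix and ProgID value; all document content is constructed.
EMBED_PREFIX = "word/embeddings/"
PACKAGER_PROGID = "Package"


def build_sample_docx(with_package: bool) -> bytes:
    """Construct a minimal .docx-like ZIP (sample data, not a real bill)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:document><w:body><w:p>Invoice</w:p>"
        if with_package:
            # Packager object reference as Word writes it (attributes trimmed)
            body += ('<o:OLEObject Type="Embed" ProgID="Package" '
                     'DrawAspect="Icon" r:id="rId5"/>')
            # Constructed stand-in for the OLE compound file of the embedding
            z.writestr(EMBED_PREFIX + "oleObject1.bin",
                       b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        body += "</w:body></w:document>"
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """List embedded parts and the ProgIDs the body references."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        embeds = [n for n in z.namelist() if n.startswith(EMBED_PREFIX)]
        doc_xml = z.read("word/document.xml").decode("utf-8", "replace")
    progids = re.findall(r'ProgID="([^"]+)"', doc_xml)
    return {
        "embedded_parts": embeds,
        "progids": progids,
        "has_packager": PACKAGER_PROGID in progids,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_docx(build_sample_docx(flag)))
```

On a real file, replace build_sample_docx with the bytes of the attachment; a document that claims to be a bill yet carries a Package object is worth quarantining before anyone is asked to double-click anything.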
Another not-so-typical component of the attack is that the malicious PAC file is hosted at a Tor URL reached through a Tor2Web proxy service such as onion(.)to, so the victim’s browser can fetch it without running Tor.
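The proxy redirection described in the two paragraphs above leaves a host-side trace: a PAC URL in the Internet Settings registry key (used by Internet Explorer and, on Windows, Chrome) or in Firefox’s prefs.js. The audit below is an added example, not code from the Fortinet write-up. The registry value name AutoConfigURL and the Firefox preference network.proxy.autoconfig_url are real; the reg query output and prefs.js text are constructed samples, onion(.)to is the gateway named in the report, and the other Tor2Web suffixes are assumed additions to the list.

```python
"""Audit browser PAC settings for .onion or Tor2Web gateway hosts.

Added example, not from the Fortinet write-up. It parses constructed text
in the shape of `reg query "HKCU\\...\\Internet Settings"` output and of
a Firefox prefs.js, extracts the PAC URL each one points to, and flags
URLs whose host is a .onion address or a Tor2Web gateway.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# onion.to is the gateway named in the report; the rest are assumed extras.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".onion.link", ".onion.ws")

# Constructed sample of `reg query` output (not captured from a real host)
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0
    AutoConfigURL    REG_SZ    http://abcdefghijklmnop.onion.to/proxy.pac
"""

# Constructed sample of a Firefox prefs.js (type 2 = use a PAC file)
SAMPLE_PREFS_JS = """
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://abcdefghijklmnop.onion.to/proxy.pac");
"""


def pac_url_from_reg_query(text: str) -> Optional[str]:
    """Pull the AutoConfigURL value out of reg query output."""
    m = re.search(r"^\s*AutoConfigURL\s+REG_SZ\s+(\S+)", text, re.M)
    return m.group(1) if m else None


def pac_url_from_prefs_js(text: str) -> Optional[str]:
    """Pull network.proxy.autoconfig_url out of a prefs.js file."""
    m = re.search(r'user_pref\("network\.proxy\.autoconfig_url",\s*"([^"]+)"\)', text)
    return m.group(1) if m else None


def is_tor_routed(url: str) -> bool:
    """True when the PAC host is a hidden service or a Tor2Web gateway."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(".onion") or any(host.endswith(s) for s in TOR2WEB_SUFFIXES)


def audit(reg_text: str, prefs_text: str) -> List[Dict[str, object]]:
    """Return one finding per browser setting that names a PAC file."""
    findings = []
    sources = (
        ("IE/system AutoConfigURL", pac_url_from_reg_query(reg_text)),
        ("Firefox network.proxy.autoconfig_url", pac_url_from_prefs_js(prefs_text)),
    )
    for source, url in sources:
        if url:
            findings.append({"source": source, "pac_url": url,
                             "tor_routed": is_tor_routed(url)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_PREFS_JS):
        print(finding)
```

Any PAC URL on a workstation that the organisation did not configure deserves a look, but one whose host is a .onion address or a Tor2Web gateway is a strong indicator of this kind of traffic hijacking; the same check can be run over the output of a fleet-wide registry query.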
The final stage of the whole scenario is the installation of a copy of the Ozone RAT. The RAT was first detected more than a year ago. Currently, it’s being sold online for the price of $20 for a standard package and $50 for a platinum package.
Why is the whole operation carried out?
The cyber criminals’ end goal is to connect to the copy installed on the victim’s system and search it for sensitive information. This is not surprising, as a set of spy components is advertised as part of the Trojan: a keylogger, a password dumper, a hidden startup routine, the ability to hide its process, the ability to download and execute other files, and a remote desktop feature.
“With RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from their websites, or simply download ‘modified’ versions, like what we used in our tests for this article,” Fortinet researchers conclude.