A new spam campaign delivering the Ozone RAT has been detected targeting German-speaking users. The attack is spread via malicious Office documents, but rather than ending with the well-known macro malware payload, the operation ends with the installation of Ozone.
A Closer Look into the Ozone RAT Spam Campaign
Researchers at Fortinet have reported that the email subject contains billing information for a “Cable” service, and the attachment contains a Microsoft Word document. Needless to say, neither of those has anything to do with a real cable service.
Another not-so-typical component of the attack is the hosting of the malicious PAC (proxy auto-configuration) file on a Tor URL via a Tor2Web proxy service such as onion(.)to.
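As an added defender-side example (not code from the Fortinet write-up), the Python check below flags a browser AutoConfigURL that fetches its PAC file through a Tor2Web gateway and lists the proxies the PAC script would hand to the browser. Only onion.to comes from the article; the other gateway suffixes, the function names and the sample values are assumptions constructed for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# onion.to is the gateway named in the article; the rest are assumed Tor2Web suffixes.
TOR2WEB_SUFFIXES = ("onion.to", "onion.cab", "onion.ws", "tor2web.org")
# v2 (16 chars) and v3 (56 chars) onion addresses use the base32 alphabet a-z, 2-7.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
# "PROXY host:port" directives returned by a PAC script's FindProxyForURL().
PROXY_DIRECTIVE = re.compile(r"""\bPROXY\s+([^;"']+)""", re.IGNORECASE)


def tor2web_host(url: str) -> Optional[str]:
    """Return the hidden-service name if `url` is reached through a Tor2Web gateway."""
    host = (urlparse(url).hostname or "").lower()
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith("." + suffix):
            # The label just before the gateway suffix must look like an onion address.
            label = host[: -(len(suffix) + 1)].split(".")[-1]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


def pac_proxies(pac_source: str) -> List[str]:
    """List every proxy endpoint a PAC script can redirect traffic through."""
    return [m.strip() for m in PROXY_DIRECTIVE.findall(pac_source)]


def assess_autoconfig(url: str, pac_source: str = "") -> dict:
    """Summarise whether an AutoConfigURL and its PAC content deserve attention."""
    onion = tor2web_host(url)
    return {
        "autoconfig_url": url,
        "tor2web_onion": onion,
        "suspicious": onion is not None,
        "proxies": pac_proxies(pac_source),
    }


if __name__ == "__main__":
    # Constructed sample values, not real campaign indicators.
    sample_url = "http://abcdefghijklmnop.onion.to/proxy.pac"
    sample_pac = 'function FindProxyForURL(u, h) { return "PROXY 203.0.113.5:8080; DIRECT"; }'
    print(assess_autoconfig(sample_url, sample_pac))
```

On Windows the URL to feed in is the AutoConfigURL value under the user's Internet Settings registry key; the PAC body can be fetched separately for review.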
The final stage of the whole scenario is the installation of a copy of the Ozone RAT. The RAT was first detected more than a year ago. Currently, it’s being sold online for the price of $20 for a standard package and $50 for a platinum package.
Why is the whole operation carried out?
The cyber criminals’ end goal is to connect to the local copy installed on the victim’s system and search for sensitive information. This is not surprising, as a set of spy components is advertised as part of the Trojan: a keylogger, a password dumper, a hidden startup routine, the ability to hide its process, the ability to download and execute other files, and a remote desktop feature.
“With RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from their websites, or simply download “modified” versions, like what we used in our tests for this article”, Fortinet researchers conclude.