Full Report
FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control.
Analysis Summary
# Tool/Technique: MostereRAT
## Overview
MostereRAT is an evolved Remote Access Trojan (RAT) that the report details being deployed via a sophisticated phishing campaign targeting Japanese users. Its primary purpose is to evade defenses, establish a persistent foothold, and grant attackers full system control, often utilizing legitimate remote access tools for covert operations.
## Technical Details
- Type: Malware Family (Remote Access Trojan - RAT)
- Platform: Microsoft Windows
- Capabilities: Phishing delivery, staged payload deployment, evasion of security controls, SYSTEM-level persistence via Windows Services, Command and Control (C2) via mTLS, and deployment of RATs like AnyDesk/TightVNC.
- First Seen: Evolved from malware mentioned in a 2020 report, but the current RAT variant is recently analyzed.
## MITRE ATT&CK Mapping
*Note: Mappings are derived from the described TTPs in the attack chain.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied via Word document delivery)
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Encryption/Decryption process)
- T1070 - Indicator Removal on Host (Disabling security tools)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (C2 communication using mTLS)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1059 - Command and Scripting Interpreter (Use of Ruby script to execute next stage)
## Functionality
### Core Capabilities
- **Staged Payload Delivery:** Uses an EPL-coded staged payload residing within an initial executable (`document.exe`).
- **Data Exfiltration/Staging:** Encrypted threat components (including RMM tools) are staged in `%ProgramData%\Windows`.
- **Privilege Escalation & Persistence:** Achieves SYSTEM-level access by leveraging `CreateSvcRpc`, a custom RPC client, to interact directly with the Windows Service Control Manager (SCM), bypassing standard APIs to install and auto-start a malicious service ("WpnCoreSvc").
- **Evasion:** Hides malicious operations and explicitly disables security tools to prevent alert triggering.
### Advanced Features
- **Covert Remote Access:** Installation and execution of legitimate, well-known Remote Access Tools (RATs) such as **AnyDesk** and **TightVNC** to provide the attacker with covert, full system control.
- **Secure C2:** Command and Control communications are secured using mutual TLS (mTLS).
- **Decryption Scheme:** De-encrypts bundled resources (including RMM tools) from an embedded executable using a simple SUB operation with key 'A'.
## Indicators of Compromise
- File Hashes:
- `d281e41521ea88f923cf11389943a046557a2d73c20d30b64e02af1c04c64ed1`
- `4e3cdeba19e5749aa88329bc3ac67acd777ea7925ba0825a421cada083706a4e`
- `546a3418a26f2a83a2619d6c808985c149a0a1e22656553ce8172ca15622fd9b`
- `3c621b0c91b758767f883cbd041c8ef701b9806a78f2ae1e08f932b43fb433bb`
- `926b2b9349dbd4704e117304c2f0edfd266e4c91fb9325ecb11ba83fe17bc383`
- File Names:
- `document.exe` (The initial executable based on wxWidgets sample)
- Registry Keys: (Not explicitly listed in the provided snippet, but service creation implies registry modification.)
- Network Indicators: (Defanged)
- `www[.]efu66[.]com`
- `mostere[.]com`
- `huanyu3333[.]com`
- `idkua93dkh9590764478t18822056bck[.]com`
- `osjfd923bk78735547771x3690026ddl[.]com`
- `zzzzzzz0379098305467195353458278[.]com`
- `xxxxxx25433693728080140850916444[.]com`
- Behavioral Indicators:
- Custom RPC client (`CreateSvcRpc`) communicating directly with the `ntsvcs` named pipe to manipulate SCM.
- Creation of Windows services: `WpnCoreSvc` (auto-start) and `WinSvc_` (demand start).
- Execution of a Ruby script or attacker-provided Launcher via Windows services.
- Dropping components in `%ProgramData%\Windows`.
## Associated Threat Actors
- Not explicitly named, but linked to a threat previously associated with a banking trojan in 2020.
## Detection Methods
- Signature-based detection: Detected by FortiGuard Antivirus as `W32/Agent.MTR!tr`, `W32/Agent.295C!tr`, `W32/Agent.9C1D!tr`.
- Behavioral detection: Monitoring for direct SCM manipulation via RPC pipes (`ntsvcs`).
- Content Disarm: FortiGuard CDR can disarm malicious macros within the initial document.
- Network Filtering: FortiGuard IP Reputation and Anti-Botnet Security Service can proactively block C2 domains.
## Mitigation Strategies
- Maintain up-to-date FortiGuard Antivirus protection on FortiGate, FortiMail, FortiClient, and FortiEDR solutions.
- Utilize Content Disarm and Reconstruction (CDR) service to neutralize embedded file threats in documents.
- Implement security awareness training (e.g., FCF) focusing on detecting sophisticated phishing attempts.
- Network security solutions should focus on blocking outbound connections to identified C2 domains.
## Related Tools/Techniques
- AnyDesk (Remote Access Tool)
- TightVNC (Remote Access Tool)
- EPL (Easy Programming Language - used here for staged payload development)
- Use of custom RPC clients to bypass standard Windows Service APIs.