Sophos: there is a new cybercrime actor in the wild, dubbed RATicate, that attacks industrial companies to drop RATs. All of its campaigns leveraged NSIS
There is a new cybercrime group in the wild, RATicate, that hits industrial companies with a rotating set of malware. It was discovered by Sophos cyber security researchers. It is behind several waves of cyber attacks against firms in Europe, the Middle East, and the Republic of Korea, at least since November 2019, that spread installers which drop remote administration tools (RATs). All campaigns leveraged the Nullsoft Scriptable Install System (NSIS), a legitimate, open-source tool used to create Windows installers, to ultimately drop various remote access trojans on victims' systems. The most recent campaign used lures playing on concern about the global COVID-19 pandemic to convince victims to open the payloads. According to the researchers, this is a shift in tactics, and they suspect that the threat actor constantly changes the way it deploys malware.
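Because every campaign in the report relied on NSIS-built installers, a practical first triage step is to tell NSIS-built executables apart from other PE files before opening them. The script below is an added example for this page, not code from Sophos or from the NSIS project: it scans a file for the NSIS "first header" (the 0xDEADBEEF marker followed by the ASCII tag "NullsoftInst" that the NSIS stub itself searches for), decodes the header's flag bits, and checks that the header's declared data length matches the bytes that actually follow it, which catches truncated or padded samples. The sample installer it builds is a constructed blob with that header layout, not a real installer; the function and variable names are this example's own.

```python
"""Triage helper: flag Windows executables built with NSIS.

Added example for this article; not code from Sophos or the NSIS project.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# The NSIS stub locates its embedded data by a 28-byte "first header":
#   u32 flags, u32 siginfo (0xDEADBEEF), char nsinst[12] ("NullsoftInst"),
#   u32 length_of_header, u32 length_of_all_following_data.
# siginfo is stored little-endian, so the on-disk marker is EF BE AD DE.
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"
FIRST_HEADER_FMT = "<II12sII"
FIRST_HEADER_SIZE = struct.calcsize(FIRST_HEADER_FMT)  # 28 bytes

# Low four flag bits used by the NSIS first header; higher bits are unused.
FLAG_NAMES = {1: "uninstall", 2: "silent", 4: "no_crc", 8: "force_crc"}
FLAG_MASK = 0xF


@dataclass
class NsisInfo:
    offset: int          # file offset of the first header
    flags: List[str]     # decoded flag names
    header_len: int      # length_of_header field
    total_len: int       # length_of_all_following_data field
    consistent: bool     # True if total_len matches the bytes after offset


def decode_flags(flags: int) -> List[str]:
    """Map the flag bitfield to names (unknown bits are reported numerically)."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    if flags & ~FLAG_MASK:
        names.append("unknown:0x%x" % (flags & ~FLAG_MASK))
    return names


def find_nsis_first_header(data: bytes) -> Optional[NsisInfo]:
    """Return NsisInfo if an NSIS first header is present, else None.

    The NSIS stub checks that length_of_all_following_data equals the number
    of bytes from the header start to end of file; we report that as
    `consistent` so a truncated or trailer-padded sample stands out.
    """
    pos = data.find(NSIS_MAGIC)
    if pos < 4:  # not found, or no room for the 4-byte flags field before it
        return None
    offset = pos - 4
    if len(data) - offset < FIRST_HEADER_SIZE:
        return None
    flags, _sig, _tag, header_len, total_len = struct.unpack_from(
        FIRST_HEADER_FMT, data, offset
    )
    return NsisInfo(
        offset=offset,
        flags=decode_flags(flags),
        header_len=header_len,
        total_len=total_len,
        consistent=(total_len == len(data) - offset),
    )


def build_sample_installer(flags: int = 2, payload: bytes = b"\x00" * 64,
                           stub_len: int = 512) -> bytes:
    """Constructed NSIS-shaped test blob (not a real installer).

    A fake stub of `stub_len` bytes is followed by a valid first header and
    `payload` bytes, with the length fields filled in consistently.
    """
    stub = b"MZ" + b"\x00" * (stub_len - 2)
    total_len = FIRST_HEADER_SIZE + len(payload)
    first_header = struct.pack(
        FIRST_HEADER_FMT, flags, 0xDEADBEEF, b"NullsoftInst", 48, total_len
    )
    return stub + first_header + payload


def triage_file(path: str) -> Optional[NsisInfo]:
    """Read a file from disk and look for the NSIS first header."""
    with open(path, "rb") as fh:
        return find_nsis_first_header(fh.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        info = triage_file(path)
        if info is None:
            print("%s: not an NSIS installer" % path)
        else:
            print("%s: NSIS first header at 0x%x, flags=%s, consistent=%s"
                  % (path, info.offset, info.flags, info.consistent))
```

A hit only tells you the file was built with NSIS, which plenty of legitimate software is; treat it as a reason to extract and inspect the embedded script and payloads (for example with 7-Zip or an NSIS decompiler), not as a verdict on its own. An inconsistent length field, on the other hand, is worth a closer look, since a build from the stock NSIS toolchain writes it correctly.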
The cyber security experts: RATicate uses several malware families
According to Threat Post, the cyber security researchers said that the malware payloads in the installers they examined varied: “We found several different families of RATs and infostealers,” they said. These include Lokibot, BetaBot, and Formbook, a browser form-stealer and keylogger first discovered in 2016. Also dropped in the campaigns is Agent Tesla, spyware that can extract credentials, copy clipboard data, take screen captures, grab form data, log keystrokes, and collect credentials for a variety of installed applications; and Netwire, a RAT focused on stealing credentials, logging keystrokes and collecting hardware information. Based on RATicate's behaviour, the experts said they are unsure whether the group is focused on corporate espionage or is simply acting as a malware-as-a-service provider for other threat actors.