Contributor: Lionel Payet
Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.
Figure 1. Frutas RAT logo
Frutas RAT is not new and has been around for quite some time now. Back in February we released a blog about this: Cross-Platform Frutas RAT Builder and Back Door.
The crafted emails used in this campaign carry two attachments: the first is a decoy document (.pdf) and the second is the actual threat, a Java archive (.jar). Sample email subject lines used include:
- Subject: Obama Releases Three Declassified Spying Docs
- Subject: U.S. Consul General Hart Arrives in Hong Kong
- Subject: UK-Northern Ireland-Japan InfoSec Agreement
Figure 2. Example email
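The attachment pattern described above (a political-news subject, a .pdf decoy and a .jar payload in the same message) is something a mail gateway can screen for before a user ever sees the lure. The following is an added example written for this post, not Symantec's own tooling: it parses a MIME message, lists its attachments, and flags the decoy-plus-.jar combination. It goes a step beyond the text by also sniffing the first bytes of each attachment, since every .jar is a ZIP container and a ZIP signature behind a non-archive extension is a mismatch worth flagging on its own. The sample messages, sender and recipient addresses are constructed for the demonstration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File types discussed in the post: a .pdf decoy shipped alongside a .jar payload.
PAYLOAD_EXTENSIONS = {".jar"}
DECOY_EXTENSIONS = {".pdf"}
ZIP_MAGIC = b"PK\x03\x04"   # every .jar is a ZIP container
PDF_MAGIC = b"%PDF"


def build_sample(subject, attachments):
    """Construct a MIME message (sample data, not a captured campaign email)."""
    msg = EmailMessage()
    msg["From"] = "news@sender.invalid"          # constructed address
    msg["To"] = "analyst@recipient.invalid"      # constructed address
    msg["Subject"] = subject
    msg.set_content("Please find the attached documents.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def inspect_attachments(raw):
    """Return one record per attachment: filename, extension and sniffed container type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if data.startswith(ZIP_MAGIC):
            sniffed = "zip"
        elif data.startswith(PDF_MAGIC):
            sniffed = "pdf"
        else:
            sniffed = "unknown"
        records.append({"name": name, "ext": ext, "sniffed": sniffed})
    return records


def assess(raw):
    """Score a message against the decoy-plus-.jar pattern; returns a verdict and reasons."""
    records = inspect_attachments(raw)
    exts = {r["ext"] for r in records}
    reasons = []
    if exts & PAYLOAD_EXTENSIONS:
        reasons.append("executable Java archive (.jar) attached")
    if exts & PAYLOAD_EXTENSIONS and exts & DECOY_EXTENSIONS:
        reasons.append("decoy document paired with .jar payload")
    for r in records:
        # Extension/content mismatch: a ZIP container that is not named as one.
        if r["sniffed"] == "zip" and r["ext"] not in PAYLOAD_EXTENSIONS | {".zip"}:
            reasons.append("%s has a ZIP/JAR signature but extension '%s'"
                           % (r["name"], r["ext"] or "none"))
    verdict = "quarantine" if reasons else "deliver"
    return {"verdict": verdict, "reasons": reasons, "attachments": records}


if __name__ == "__main__":
    # Constructed lure mirroring the campaign's structure (subject line from the post).
    lure = build_sample("Obama Releases Three Declassified Spying Docs", [
        ("Declassified_Docs.pdf", PDF_MAGIC + b"-1.4\n%decoy\n"),
        ("Declassified_Docs.jar", ZIP_MAGIC + b"\x00" * 26),
    ])
    benign = build_sample("Quarterly report", [("report.pdf", PDF_MAGIC + b"-1.7\n")])
    for raw in (lure, benign):
        result = assess(raw)
        print(result["verdict"], result["reasons"])
```

In practice the .jar check belongs in the gateway's executable-attachment policy next to .exe and .scr, and the signature sniff catches the case where the archive arrives under a document extension; neither check replaces antivirus scanning of the payload itself.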
If the social engineering is successful and the .jar file is executed, it will gather the following information from the compromised computer and connect to a command-and-control (C&C) server:
- MAC and IP address
- User name
- Country the computer is located in
- Operating system information (name, version, architecture)
- Java Runtime version
Looking at its functionality, Backdoor.Opsiness could be considered reconnaissance malware used to profile victims for future targeted attacks. While it is not widely spread, we are seeing a growing trend in its use across several targeted attacks.
Figure 3. Distribution of targeted attacks per country
We advise users to keep their antivirus definitions, operating system, and software up-to-date. Users should also avoid opening emails from unknown senders and avoid clicking on suspicious email attachments.