Cyber espionage under the Skype mask: a new tactic APT17

Fileless 9002 RAT variants significantly complicate threat detection.

The Chinese hacker group APT17 attacked Italian companies and government agencies using a modified version of the well-known 9002 RAT malware disguised as the Skype application. This was reported by the Italian company TG Soft in a recent report.

The attacks occurred on June 24 and July 2, 2024. In the first case the attackers used a Microsoft Office document, and in the second a plain link. Both lures invited victims to install the Skype for Business package from a fake domain that mimics the official Italian resource: "meeting[.]equitaligaiustizia[.]it/angelo[.]maisto[.]guest". Running the installer left victims with the 9002 RAT remote access Trojan on their computer.

The APT17 group, also known as Aurora Panda and Bronze Keystone, was first described by Mandiant in 2013. At that time the group exploited vulnerabilities in Internet Explorer for cyber espionage. The 9002 RAT malware, also known as Hydraq and McRAT, first came to prominence in 2009 during Operation Aurora, which targeted Google and other major companies.

In the recent attacks, the attackers used phishing to get recipients to click a link and download the Skype for Business MSI installer. Running this installer executes a Java archive (JAR) via a Visual Basic Script (VBS), which at the same time installs the legitimate Skype for Business so as not to arouse the victim's suspicion. The installed Java application then decrypts and runs shellcode that activates 9002 RAT.
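The infection chain above (MSI installer, then a script host, then Java) is something a defender can look for in process-creation telemetry, and the fake domain quoted earlier can be matched in proxy logs. The following is an added detection example written for this page; it is not code from the article or from TG Soft. It assumes Sysmon-style process-creation fields (PID, parent PID, image name), and every event, log line and PID in it is constructed for illustration.

```python
"""
Added example: flag the installer -> script host -> Java launch chain and
the defanged domain from the article. Field names are assumptions loosely
based on Sysmon Event ID 1; sample data below is constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name, lowercase

# Constructed process-creation telemetry (PIDs and names are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "msiexec.exe"),   # user ran the fake "Skype for Business" MSI
    ProcEvent(210, 200, "wscript.exe"),   # VBS launched by the installer
    ProcEvent(220, 210, "java.exe"),      # JAR executed by the script
    ProcEvent(300, 100, "msiexec.exe"),   # benign install: no script host in between
    ProcEvent(310, 300, "lync.exe"),
]

INSTALLERS = {"msiexec.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}

def ancestry(events, pid):
    """Return the image names from pid up to the root, child first.
    Stops on unknown parents and on cycles (reused PIDs can create them)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def find_installer_script_java_chains(events):
    """PIDs of Java processes whose ancestors include a script host that was
    itself started, directly or indirectly, by an installer process."""
    hits = []
    for e in events:
        if e.image not in JAVA_IMAGES:
            continue
        ancestors = ancestry(events, e.pid)[1:]  # drop the Java process itself
        for i, img in enumerate(ancestors):
            if img in SCRIPT_HOSTS and any(a in INSTALLERS for a in ancestors[i + 1:]):
                hits.append(e.pid)
                break
    return hits

# Indicator exactly as quoted in the article, kept defanged in source.
DEFANGED_DOMAIN = "meeting[.]equitaligaiustizia[.]it"

def refang(indicator):
    """Turn the '[.]' defanging back into real dots for matching."""
    return indicator.replace("[.]", ".")

# Constructed proxy log lines (timestamps, IPs and URLs are made up).
SAMPLE_PROXY_LOG = [
    "2024-06-24T09:14:02Z 10.0.0.15 GET https://www.example.org/ 200",
    "2024-06-24T09:15:41Z 10.0.0.15 GET https://meeting.equitaligaiustizia.it/angelo.maisto.guest 200",
    "2024-06-24T09:16:10Z 10.0.0.22 GET https://update.example.net/skype.msi 200",
]

def find_domain_hits(log_lines, defanged_domain=DEFANGED_DOMAIN):
    """Return the proxy log lines whose URL host matches the indicator."""
    needle = "://" + refang(defanged_domain).lower() + "/"
    return [line for line in log_lines if needle in line.lower()]

if __name__ == "__main__":
    print("suspicious java PIDs:", find_installer_script_java_chains(SAMPLE_EVENTS))
    for line in find_domain_hits(SAMPLE_PROXY_LOG):
        print("indicator hit:", line)
```

The process check walks the ancestry rather than looking only at the direct parent, so an extra intermediate process (for example cmd.exe between the VBS and Java) would still be caught; the cycle guard matters because PIDs are reused on Windows and a naive parent walk can loop. The domain matcher anchors on the scheme separator and a trailing slash so that lookalike hosts with a longer suffix do not match.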

9002 RAT is a modular Trojan that can monitor network traffic, take screenshots, list files, manage processes, and execute commands from a remote server to facilitate network discovery. TG Soft noted that this software is constantly updated, including fileless versions, which significantly reduces the likelihood of detection.

These incidents highlight the need for continuous security updates and for training employees in cyber defense techniques. With the increasing activity of hacker groups such as APT17, any company or government agency can become a target. Regular checks and awareness of current threats can significantly reduce the risk of a successful attack.
