Brother
F.A.C.C.T. researchers report that the ranks of remote access Trojans have grown by one: RADX, which was used in recent attacks on Russian marketplaces, retail chains, banks and IT companies.
A little earlier, the group behind the attacks used another Trojan - DarkCrystal RAT.
With its help, attackers tried to gain access to financial documents, databases, and accounts.
DarkCrystal RAT went on sale in 2019.
The RAT can take screenshots, intercept keystrokes and steal various types of data from the system, including bank card data, cookies, passwords, browser history, clipboard contents and Telegram, Steam, Discord and FileZilla accounts.
The malware itself is written in C# and has a modular structure.
If successful, the attackers gained access to internal financial and legal documents of companies, client databases, and accounts from email services and instant messengers.
At the end of 2023, F.A.C.C.T. observed several phishing emails that used DarkCrystal RAT to attack Russian companies.
The attackers sent phishing emails from sergkovalev@b7s[.]ru with the subject “Server payment” with two attachments: “server payment screen.zip” or “server payment screen.pdf.zip”.
The first archive contained the file “screen of payment for server.scr”, which installed DarkCrystal RAT on the victim’s computer.
In this case, the DarkCrystal RAT C2 had the IP address 195.20.16[.]116.
The second archive contained the loader “server payment screen.pdf.exe”, which installed previously unknown malware that was given the name RADX RAT.
Experts found the new malware family not only in phishing mailings but also for sale since October 2023 on an underground forum, where it is advertised as “the best software for working with remote access and collecting secret information.”
The attackers also position RADX as the cheapest RAT and offered it with New Year discounts, with a stealer program thrown in.
Thus, a weekly rental of RADX with discounts costs only 175 rubles per month, and a three-month rental costs 475 rubles.
Technical analysis of the RADX Trojan, including indicators of compromise and a full MITRE ATT&CK mapping, is in the report: https://www.facct.ru/blog/radx-rat/
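As an added example (not F.A.C.C.T.'s code and not part of the post above), here is a Python triage check for the lure shape the post describes: a ZIP attachment whose member is either a `.scr` screensaver (a plain PE executable) or an executable hiding behind a document-looking double extension such as `.pdf.exe`, plus a match against the two indicators quoted in the post (the sender address and the DarkCrystal RAT C2 IP). The sample archives are constructed inline, the `MZ` stubs are not real binaries, and the indicator sets, function names and the extension lists are assumptions of this example, not the report's.

```python
"""Triage check for the phishing lure described in the post: inspect a ZIP
attachment for executable payloads hiding behind document-looking names and
match sender / C2 indicators. Everything here is constructed inline."""
import io
import zipfile
from dataclasses import dataclass

# Indicators quoted in the post (defanged there as b7s[.]ru / 195.20.16[.]116).
IOC_SENDERS = {"sergkovalev@b7s.ru"}
IOC_C2_IPS = {"195.20.16.116"}

# Extensions Windows executes on double-click (assumed list). A '.scr'
# screensaver is an ordinary PE executable, which is why the lure used it.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
# Document-looking extensions attackers prepend so 'x.pdf.exe' reads as 'x.pdf'.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


@dataclass
class Finding:
    member: str
    reason: str


def _suffixes(name: str) -> list:
    """All lower-cased suffixes of a member name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_zip(data: bytes) -> list:
    """Flag executable members of a ZIP, including those hidden by a double
    extension or by a renamed (non-executable) extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _suffixes(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            if last in EXEC_EXTS:
                if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                    findings.append(Finding(info.filename,
                                            f"double extension {exts[-2]}{last}: executable posing as a document"))
                else:
                    findings.append(Finding(info.filename, f"executable attachment ({last})"))
            elif head == b"MZ":
                # Content check catches a PE renamed to .jpg/.pdf etc.
                findings.append(Finding(info.filename, "PE header (MZ) under a non-executable extension"))
    return findings


def match_iocs(sender: str, dst_ips) -> list:
    """Return which of the post's indicators a message or its network activity hits."""
    hits = []
    if sender.strip().lower() in IOC_SENDERS:
        hits.append(f"sender {sender} matches reported phishing sender")
    for ip in dst_ips:
        if ip in IOC_C2_IPS:
            hits.append(f"destination {ip} matches reported DarkCrystal RAT C2")
    return hits


def triage(sender: str, attachment: bytes, dst_ips=()) -> dict:
    """Combine both checks into one verdict for an inbound message."""
    findings = scan_zip(attachment)
    iocs = match_iocs(sender, dst_ips)
    return {"malicious": bool(findings or iocs),
            "findings": [f.reason for f in findings], "iocs": iocs}


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachments named in the post; the 'MZ' stub
# is not a real binary, just enough header to exercise the content check.
FAKE_PE = b"MZ" + b"\x00" * 62
LURE_SCR = _make_zip({"screen of payment for server.scr": FAKE_PE})
LURE_PDF_EXE = _make_zip({"server payment screen.pdf.exe": FAKE_PE})
RENAMED_PE = _make_zip({"photo.jpg": FAKE_PE})
BENIGN = _make_zip({"invoice.pdf": b"%PDF-1.4\n%constructed placeholder\n"})

if __name__ == "__main__":
    for label, blob in [("scr lure", LURE_SCR), ("pdf.exe lure", LURE_PDF_EXE),
                        ("renamed PE", RENAMED_PE), ("benign", BENIGN)]:
        print(label, triage("sergkovalev@b7s.ru", blob, ["195.20.16.116"]))
```

The extension check alone would miss a PE renamed to `.jpg`, and the `MZ` check alone would miss script lures (`.js`, `.vbs`, `.hta`), so the two are combined; in production the indicator sets would be loaded from the report's IoC list rather than hard-coded.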