MostereRAT Targets Windows, Uses AnyDesk and TightVNC for Full Access

HackRead

MostereRAT malware targets Windows through phishing, bypasses security with advanced tactics, and grants hackers full remote control.

Cybersecurity researchers at FortiGuard Labs have identified a new malware threat called MostereRAT that is being delivered via a phishing campaign targeting Windows devices. The research, which was shared with Hackread.com, warns that this threat has a “high severity” level.

For your information, MostereRAT is a type of Remote Access Trojan (RAT), which is a form of malware that allows attackers to take full control of a computer remotely, as if they were sitting right in front of it.

**The Attack**

The attack begins with convincing phishing emails, designed to look like legitimate business inquiries, to trick Japanese users. When a victim clicks on a malicious link in the email, a compromised file automatically downloads. This file then guides the victim to open an embedded archive, which contains the malicious program.

Attack Flow (Source: Fortinet FortiGuard Labs)

It is worth noting that the malware uses several advanced methods to avoid detection. One key technique is its use of a unique coding language called Easy Programming Language (EPL), a language originally designed for Chinese speakers. By using this less common language, the hackers make their malicious operations harder to analyse.

The malware also actively works to disable security tools and anti-virus software by blocking their network traffic and even shutting down Windows security features. Furthermore, it secures its communication with the Command and Control (C2) server using mutual TLS (mTLS), in which both the client and the server authenticate with certificates; this makes its network traffic much harder to detect and intercept.

Once the malware is running, it deploys a variety of remote access tools like AnyDesk and TightVNC. These are legitimate programs that people use for remote work, but in this case, the attackers use them to gain full access to the victim’s computer.

This allows them to control the system, collect data, and even install more malicious payloads. The malware also creates a hidden user account with administrative privileges, ensuring it can maintain access even if the victim thinks they have removed the threat.
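As an added illustration (example code, not Fortinet's or HackRead's) of how a defender might hunt for the post-infection behaviour described above, the following Python correlates constructed Windows event records: an account created and added to Administrators within minutes, plus service installs naming AnyDesk or TightVNC. The event layout, field names and sample values are simplified assumptions, not real telemetry.

```python
"""Hunt for the two post-infection behaviours the article describes:
a freshly created local account promoted straight to Administrators, and
remote-access tooling (AnyDesk, TightVNC) installed as a Windows service."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event IDs are the standard
# Windows ones: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 7045 = new service installed.
EVENTS = [
    {"time": "2025-09-10T09:00:01", "id": 4720, "subject": "WORKSTATION$", "target": "svc_upd"},
    {"time": "2025-09-10T09:00:03", "id": 4732, "subject": "WORKSTATION$", "target": "svc_upd", "group": "Administrators"},
    {"time": "2025-09-10T09:00:20", "id": 7045, "service": "TightVNC Server", "image": r"C:\ProgramData\tvn\tvnserver.exe"},
    {"time": "2025-09-10T09:00:25", "id": 7045, "service": "AnyDesk Service", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"time": "2025-09-10T11:30:00", "id": 4720, "subject": "admin.jane", "target": "contractor1"},
    {"time": "2025-09-10T16:00:00", "id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

RAT_TOOLS = ("anydesk", "tightvnc", "tvnserver")  # assumed name fragments to match
ADMIN_WINDOW = timedelta(minutes=5)               # create-to-admin gap treated as suspicious

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_fast_admin_accounts(events, window=ADMIN_WINDOW):
    """Return (account, seconds) for accounts created (4720) and then added to
    Administrators (4732) within `window`; benign provisioning rarely does both at once."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] == 4732 and e.get("group") == "Administrators" and e["target"] in created:
            delta = _ts(e) - created[e["target"]]
            if timedelta(0) <= delta <= window:
                hits.append((e["target"], int(delta.total_seconds())))
    return hits

def find_rat_services(events, tools=RAT_TOOLS):
    """Return service names from 7045 events whose name or image path mentions a remote-access tool."""
    return [e["service"] for e in events
            if e["id"] == 7045 and any(t in (e["service"] + e["image"]).lower() for t in tools)]

def triage(events):
    """Combine both signals; a host showing both matches the article's post-infection pattern."""
    admins = find_fast_admin_accounts(events)
    services = find_rat_services(events)
    return {"fast_admin_accounts": admins, "rat_services": services,
            "matches_pattern": bool(admins) and bool(services)}

if __name__ == "__main__":
    print(triage(EVENTS))
```

In a real deployment the same logic would read Security and System log exports rather than the inline list, and legitimate IT-provisioned AnyDesk installs should be allow-listed by path or signer.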

In its blog post, FortiGuard Labs stated that the threat has evolved from a banking trojan first seen in 2020 into this new and more dangerous form. Fortinet has developed protections to detect and block MostereRAT, and they recommend that organisations educate their employees on the dangers of social engineering to prevent the initial attack.

“Given that the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defence. Enforce browser security policies restricting automatic downloads and prompting users for confirmation before downloading files from unknown sources,” said Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch.

Additionally, organisations should configure user accounts with the minimum necessary privileges to prevent systems from escalating privileges to SYSTEM or TrustedInstaller, she added.