Suspected Pakistani actor modifies its custom remote access trojan with nefarious new capabilities
ReverseRat 2.0 gains access to webcams and USB-connected devices while evading anti-virus detection
Black Lotus Labs, the threat intelligence arm of Lumen, announced that ReverseRat – the remote access trojan it discovered just six weeks ago – has been modified with new capabilities targeting new victims.
Threat Assessment
After discovering and issuing its initial ReverseRat research, Black Lotus Labs continued to track the threat actor, which had previously targeted government and energy-sector organizations in India and Afghanistan. Some of the new discoveries include:
- Victims were lured by a .pdf file that looked like an agenda for a United Nations meeting on organized crime. The document itself appears to have been fabricated, as the UN Journal lists no such meeting on that topic during this timeframe.
- Most of the organizations that appeared to be targeted by the new "ReverseRat 2.0" were in Afghanistan, with a handful in Jordan, India and Iran.
- The first iteration of ReverseRat relied on AllaKore, an open-source RAT, to run parallel to the custom framework. ReverseRat 2.0 replaced AllaKore altogether with a new agent called NightFury.
- ReverseRat 2.0 introduced new, more intrusive capabilities including:
  - Taking photos via the infected computer's webcam and stealing files from any device connected to the compromised machine via a USB port.
  - Techniques to evade detection by Kaspersky or Quick Heal antivirus (AV) products if either were detected on the host machine.
Black Lotus Labs Response and Recommendations
- To combat this campaign, Black Lotus Labs null-routed the threat actor infrastructure across the Lumen global IP network and notified the affected organizations.
- Black Lotus Labs continues to follow this threat group to detect and disrupt similar compromises, and we encourage other organizations to alert on this and similar campaigns in their environments.
- Given the nature of the critical sectors the actor is targeting, Black Lotus Labs advises security practitioners to learn the actor's current tactics, tools and procedures (TTPs) to better defend their organizations against potential attacks.
Source: Lumen Black Lotus Labs media announcement