NEWS Secret Code Behind the Faces of Stars — Hackers' New Scheme Using an Unusual Trick Uncovered

ExcalibuR

How a new phishing approach turns ordinary emails into dangerous bait.

Researchers from FortiGuard Labs have detected a new campaign employing the MostereRAT remote access trojan (RAT). This malware targets Windows systems and uses legitimate tools like AnyDesk and TightVNC for covert access.

The attack is distributed via carefully crafted phishing emails targeting Japanese users, enticing them to open a "document" containing an embedded archive. Inside is an executable file, document.exe, built from an example on GitHub and augmented with images of celebrities that conceal encrypted code.

Upon execution, components are unpacked into the C:\ProgramData\Windows directory, including files written in Easy Programming Language (EPL), which require the krnln.fnr library. The use of EPL complicates analysis, as such developments are rarely encountered.

The first key library, maindll.db, is responsible for persisting within the system, bypassing security solutions, and elevating privileges. To ensure automatic execution, it creates scheduled tasks named Microsoft\Windows\winrshost and Microsoft\Windows\winresume, which run under the SYSTEM and administrator accounts. In some cases, the TrustedInstaller account is leveraged, granting maximum rights. The code employs techniques from the NSudo project to clone process tokens and launch new instances with full control.

The second module, elsedll.db, implements the core remote control functionality. It connects to the operators' servers using mTLS (mutual TLS) and supports 37 commands: uploading and downloading files, executing programs, capturing screenshots, and gathering user information. Data exchange is structured using a fixed "magic number" (1234567890), after which the packet length and command identifier are transmitted.

A particularly interesting aspect is the suppression of security solutions. The code enumerates the paths and names of popular antivirus and security suites, including Windows Defender, ESET, Avast, Avira, Malwarebytes, as well as Chinese products like 360 Safe, Kingsoft, and Tencent. To suppress their activity, Windows Filtering Platform (WFP) filters are used to block the sending of telemetry and notifications to the vendors' servers.

The final stage of the attack involves the installation of legitimate remote access tools. The programs AnyDesk, TightVNC, and RDP Wrapper are configured in a specific way to provide the threat actors with privileged access while hiding their presence through registry edits and window masking. This allows the operators to maintain persistence even if some malicious components are discovered.

Collectively, these techniques demonstrate that MostereRAT represents significant progress compared to earlier trojans. The combination of social engineering, the use of a lesser-known programming language, non-standard interaction with the Service Control Manager via a custom RPC client, and the deployment of legitimate administrative tools makes this threat particularly persistent. FortiGuard experts recommend monitoring for unexpected installations of remote access software, keeping security solutions up to date, and improving employee awareness of phishing to minimize the risk of such intrusions.
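As an added example (not code from the FortiGuard report or from this post), the script below turns the host indicators named above into a simple hunt: Security event 4698 (scheduled task created) is checked for the winrshost/winresume task names, and file-creation events are checked for writes under C:\ProgramData\Windows and for the krnln.fnr EPL runtime. The log lines and their "key=value" layout are constructed for the example; only the task names, directory and library name come from the write-up.

```python
"""Hunt for the MostereRAT host indicators described in the write-up.

Added illustration, not FortiGuard's or the poster's code. The log lines
and their key=value layout are constructed; the indicator values (task
names, drop directory, krnln.fnr) are taken from the write-up.
"""
import re

# Indicators from the write-up.
SUSPECT_TASKS = {
    r"\Microsoft\Windows\winrshost",
    r"\Microsoft\Windows\winresume",
}
DROP_DIR = r"C:\ProgramData\Windows"
EPL_RUNTIME = "krnln.fnr"

# Constructed sample events. EventID 4698 = scheduled task created (Security log),
# EventID 11 = file created (Sysmon). Field layout is assumed: "key=value key=value".
SAMPLE_LOG = [
    r"EventID=4698 Account=SYSTEM TaskName=\Microsoft\Windows\winrshost",
    r"EventID=4698 Account=alice TaskName=\Microsoft\Windows\Backup\NightlyBackup",
    r"EventID=4698 Account=Administrator TaskName=\Microsoft\Windows\winresume",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\ProgramData\Windows\krnln.fnr",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\notes.txt",
    r"EventID=11 Image=C:\ProgramData\Windows\document.exe TargetFilename=C:\ProgramData\Windows\elsedll.db",
]


def parse(line):
    """Split a 'key=value' line into a dict; a value runs until the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def classify(line):
    """Return a list of human-readable findings for one event line (empty if clean)."""
    ev = parse(line)
    hits = []
    eid = ev.get("EventID")
    if eid == "4698":
        task = ev.get("TaskName", "")
        # Task names are case-insensitive on Windows, so compare lower-cased.
        if task.lower() in {t.lower() for t in SUSPECT_TASKS}:
            hits.append(f"persistence task {task} created as {ev.get('Account')}")
    elif eid == "11":
        target = ev.get("TargetFilename", "")
        if target.lower().startswith(DROP_DIR.lower() + "\\"):
            hits.append(f"file dropped under {DROP_DIR}: {target}")
        if target.lower().endswith(EPL_RUNTIME):
            hits.append(f"EPL runtime {EPL_RUNTIME} written: {target}")
    return hits


def hunt(lines):
    """Run classify() over every line; return (line_index, finding) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in classify(line)]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_LOG):
        print(f"line {idx}: {finding}")
```

The checks are deliberately exact-match on the indicators the report names; a real deployment would widen them (any task created under \Microsoft\Windows by a non-installer process, any executable written to ProgramData by a user-launched process) and pair them with the report's other recommendation, alerting on unexpected AnyDesk, TightVNC or RDP Wrapper installations.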