Search This Blog

Showing posts with label Remote Access Tool. Show all posts

Email Phishing Scam: Scammers Impersonate LogMeIn to Mine Users' Account Credentials


A Boston, Massachusetts based company, LogMeIn that provides software as a service and cloud-based remote connectivity services for collaboration, IT management and customer engagement has fallen prey to the scammers targeting companies' work from home schemes set up due to the ongoing pandemic, the campaign impersonates the remote access tool (RAT) LogMeIn and mines the unsuspecting users' account credentials.

As the number of people working from home increased rapidly, scammers saw it as a golden opportunity to carry out impersonations of remote tools such as Zoom and LogMeIn more blatantly than ever; the first incident being spotted in the month of May confirms the attributions made by the researchers in regard to COVID-19.

In this particular attack, the phishing email appears to be coming from LogMeIn, cautioning the user at the receiving end, of a zero-day exploit present in the LogMeIn Central and LogMeIn Pro- two of the company's products. It goes unsaid that in reality there exists no such vulnerability and victims' are made to follow a link that claims to be LogMein URL but takes the user to a phishing page where they would enter the credentials that would be obtained by the scammers behind the attack. Additionally, the threat actors are also exploiting the security issues that already existed in remote access platforms as a part of this phishing campaign.

While giving further insights, Abnormal Security said “Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic,”

“Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”

In order to avoid being scammed by such phishing campaigns, Ken Liao, vice president of Cybersecurity Strategy at Abnormal, alerted users, "Many of the recent attacks have masqueraded as updates--even more specifically--security updates,"

"As always, users should default to updating applications via the application itself and not via links in emails to prevent not only credential loss but the potential introduction of malware onto their machines."

Company Behind Orcus Malware Fined by Canadian Broadcasting Agency


Orcus Technologies, an organization that sold a remote access trojan (RAT) Orcus has been fined with 115,000 Canadian dollars (Approximately 87,000 US dollars). The fine was imposed by one of Canada's broadcasting agency, Canadian Radio-Television and Telecommunications Commission (CRTC).

Orcus Technologies was established in March 2016 by founders John Paul Revesz (also known by the names, Ciriis McGraw, Armada Angelis, among other aliases) and a Germany-based man, Vincent Leo Griebel (also known as Sorzus). Griebel was responsible for developing the malware while Revesz looked after the marketing, sales and support section for the software. The idea behind the operations was to deliver a remote management tool just like widely used TeamViewer and various other remote management applications, as per the investigation carried out by the CRTC in association with the cybercrime division of the Royal Canadian Mounted Police (RCMP).

"Proof got for the duration of the investigation allowed the Leader Compliance and Enforcement Officer (CEO) to conclude that the Orcus RAT was once now not the everyday management instrument Griebel and Revesz claimed, however, was once, if truth be told, a Far-flung Get right of entry to Trojan (RAT), an identified form of malware," as per the CRTC's findings.

The findings further claimed that the duo not only sold and promoted the malware but also assisted malicious actors in getting Orcus RAT installed on users' computers without their consent or knowledge.

In a similar context, last month, Revesz faced criminal charges against him, filed by the RCMP. Earlier in March, this year, the RCMP came up with an arrest warrant at Revesz apartment, meanwhile, there were separate arrest warrants aimed at Orcus RAT customers by Australian Police.

It was around 2016's summer, Orcus RAT starting making headlines in the cybersecurity ecosystem, the RCMP revealed that it started investigating the company behind the malware since July 2016 and have kept a continuous track of the activities revolving around Orcus Technologies since then. Before finally distributing the malware via malspam campaigns, the team behind Orcus announced the malware in a piracy forum in 2016 itself. Then same year also witnessed the publication of an article on the subject reporting the malicious intent of the authors in the month of July. In the wake of the publication which presented enough evidence against the malware, Revesz took to Twitter to defend the Orcus RAT, wherein he claimed that his tool amounts to nothing more than a remote administration application.

As an aftermath of Revenz's weak arguments and the disputes that followed on Twitter, various cybersecurity professionals and organizations filed complaints against the authors of Orcus RAT with corresponding Canadian authorities.

Although the duo is responsible for the creation of the malware and initiating its distribution, the buyers who extended the malicious operations by infecting the victims are equally responsible as the two.

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic




A fresh modified version of Houdini Worm is out in the market which goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.


The authors who created the malware released it earlier this June and the HWorm has things tremendously in common with the njRAT and njWorm. (existed in 2013)

WSH RAT uses the legitimate applications that are used to execute scripts on the Windows one of which is Legitimate Windows Script Host.

The malware is being distributed via phishing email campaigns per usual.

The malicious attachment is stuck with the MHT file which is used by the threat operators the very way they use HTML files.

The MTH files contain an “href” link which guides the user to download the malicious .zip archive which releases the original version of WSH RAT.


Researchers report that when WSH RAT’s executed on an endpoint it behaves like an HWorm to the very use of mangled Base64 encoded data.

The WSH RAT uses the very same configuration structure for the above process as HWorm.

It also seeds an exact copy of the HWorm’s configuration including the default variable and WSH RAT command and control server URL structure in similar to that of HWorm.


Firstly WSH Rat communicates with C2 server and then calls out the new URL that releases the three payloads with the .tar.gz extension.
But, it’s actually PE32 executable files and the three payloads act as follows:
·       A Key logger
·       A mail credential viewer
·       A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming evident by the hour that by way of simple investment in cheap commands really threatening malware services could be developed and could put any company under jeopardy.