Unrecom phishing campaign hit high-profile entities globally

Security Experts at Fidelis Cyber Security firm have recently discovered a new phishing campaign using the Unrecom RAT (remote access trojan).

Fidelis Cyber Security firm has recently issued the Fidelis Threat Advisory #1013 to detail a phishing campaign using the Unrecom RAT (remote access trojan).

Experts at Fidelis during the last two weeks have observed an increase in attack activity, based on this malicious agent, against the US and local government, technology, advisory services, health, and financial. The campaign also hit the financial industry in Saudi Arabia and Russia.

The Unrecom remote access tool was spread as attachments of phishing emails try to trick the users into thinking the emails are legitimate. Following a list of names used for the attachment in the phishing campaign:

  • The  Payment Invoice.jar
  • Payment details.jar
  • POR#94586.zip/POR#94586.jar
  • INV#94586.zip/INV#94586.jar
  • Invitation.jar
  • reports-pdf.jar
  • US$25k.jar,
  • DBC_BANK_IMG_23456_156.jar
  • lremit_Transfer_Error_Page.jar.

The Unrecom is a multi-platform Java-based remote access tool has a low detection rate, it goes undetected by most AntiVirus solutions.  Last version of this RAT is 3.2 and is being sold at “unrecom[.]net” for $500  (Enterprise Version) and $200 (Full Version).

“The evolution of Unrecom RAT dates from its beginnings as a tool known as Frutas RAT, subsequently branded as Adwind RAT, and now Unrecom RAT. In 2013, it was reported that Frutas RAT was used in phishing email campaigns against high profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government.” states the advisory.

As many other remote access tools also Unrecom RAT provides basic features to gain remote control over the victims:

  • Collection of System Information (e.g. IP, OS version, memory RAM information, Java version, Computer Name, User account compromised, etc.)
  • Upload & Execute additional malware, typically exploiting vulnerabilities derived from collected system information
  • Capture Webcam and Microphone, without user notification
  • Remote Desktop to watch user activity
  • File Manager allowing access to files in the context of the current user
  • Browser Password theft
  • Keylogging to capture passwords otherwise obscured from viewing

The advisory reveals that Command & Control (CnC) servers used by the Unrecom RAT in this campaign were used in the past by variants of the DarkComet and AcromRAT malware which have been observed in large volumes in the Middle East.

Following the list of indicators provided in the advisory be aware!

 

(Security Affairs –  Unrecom RAT, phishing)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A flaw in WordPress LiteSpeed Cache Plugin allows account takeover

A critical flaw in the LiteSpeed Cache plugin for WordPress could allow unauthenticated users to…

4 hours ago

Car rental company Avis discloses a data breach

Car rental giant Avis disclosed a data breach that impacted one of its business applications…

17 hours ago

SonicWall warns that SonicOS bug exploited in attacks

Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the…

20 hours ago

Apache fixed a new remote code execution flaw in Apache OFBiz

Apache addressed a remote code execution vulnerability affecting the Apache OFBiz open-source enterprise resource planning…

1 day ago

Russia-linked GRU Unit 29155 targeted critical infrastructure globally

The United States and its allies state that Russia-linked threat actors operating under the GRU…

1 day ago

Veeam fixed a critical flaw in Veeam Backup & Replication software

Veeam addressed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and…

2 days ago

This website uses cookies.