
New phishing campaign exploits AWS and GitHub to spread trojans

Sophisticated techniques and cloud services as vehicles for emerging threats

Researchers have discovered a phishing campaign that leverages AWS and GitHub to spread malware, including the VCURMS and STRRAT RATs, via deceptive emails. These trojans can steal sensitive data and receive commands from cybercriminals.


Fortinet FortiGuard Labs researchers have recently detected a new phishing campaign that uses public services such as Amazon Web Services (AWS) and GitHub to host malware, including the VCURMS and STRRAT remote access trojans (RATs). The trojans are spread via a Java-based downloader that is wrapped in a commercial protector to evade detection systems.

Technical details of the attack and malware used

The attack begins with an email inviting the recipient to click a button to verify payment information, which leads to the download of a malicious JAR file from AWS. Once executed, the file downloads and runs additional JAR files that launch the VCURMS and STRRAT trojans. VCURMS is notable for using a Proton Mail email address to communicate with the command and control (C2) server.

Advanced RAT features and evasion techniques

VCURMS not only sends emails to the cybercriminals to report its activation, but also periodically checks the inbox for specific commands. These allow it to execute arbitrary commands, collect system information, search for and upload relevant files, and download additional information-stealing and keylogger modules from the same AWS endpoint. The stolen information includes sensitive data from applications like Discord and Steam, credentials and autosaved data from different browsers, screenshots, and in-depth hardware and network details of compromised machines.
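The chain described above (a JAR downloaded from cloud hosting, then a Java process pulling further JARs and reaching Proton Mail) can be hunted for by correlating proxy or EDR events per host. The following is an added example, not code from the Fortinet report; the event layout, process names, domain suffix lists and 30-minute window are assumptions, and because the page does not say how VCURMS connects to Proton Mail, any Java-process request to a Proton Mail domain is treated as a signal.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

CLOUD = ("amazonaws.com", "github.com", "githubusercontent.com")  # hosting named on the page
MAIL = ("proton.me", "protonmail.com", "protonmail.ch")  # assumed Proton Mail domains
JAVA_PROCS = {"java", "java.exe", "javaw.exe"}  # assumed process names
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events (timestamp, host, process, url); not real telemetry or IoCs.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:05", "ws-17", "msedge.exe", "https://bucket.s3.amazonaws.com/invoice.jar"),
    ("2024-01-01T09:01:10", "ws-17", "javaw.exe", "https://bucket.s3.amazonaws.com/stage2.jar"),
    ("2024-01-01T09:02:00", "ws-17", "javaw.exe", "https://mail.proton.me/"),
    ("2024-01-01T10:00:00", "dev-03", "java.exe", "https://repo.maven.apache.org/maven2/a/b.jar"),
    ("2024-01-01T11:00:00", "ws-22", "chrome.exe", "https://github.com/org/tool/releases/download/v1/t.jar"),
]

def host_matches(hostname, suffixes):
    """True if hostname equals a suffix or is a subdomain of it (no substring matches)."""
    h = (hostname or "").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)

def classify(process, url):
    """Label one event with the stage of the chain it could belong to, or None."""
    u = urlparse(url)
    java = process.lower() in JAVA_PROCS
    if u.path.lower().endswith(".jar") and host_matches(u.hostname, CLOUD):
        return "java_fetches_jar" if java else "jar_download"
    if java and host_matches(u.hostname, MAIL):
        return "java_contacts_mail"
    return None

def correlate(events):
    """Hosts where a JAR download from cloud hosting is followed, within WINDOW,
    by Java-process activity; returns {host: sorted follow-up signals}."""
    first_jar, findings = {}, {}
    for ts, host, proc, url in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        kind = classify(proc, url)
        if kind == "jar_download":
            first_jar[host] = when
        elif kind and host in first_jar and when - first_jar[host] <= WINDOW:
            findings.setdefault(host, set()).add(kind)
    return {h: sorted(k) for h, k in findings.items()}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A lone JAR download from GitHub or a build tool fetching from a package repository is not flagged; only the download followed by Java-process activity is, which keeps developer workstations from dominating the results.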

STRRAT and additional phishing campaigns detected

For its part, STRRAT is a Java-based RAT known since 2020, equipped with a wide range of features, such as keylogging and credential extraction from browsers and applications. In parallel, Darktrace discovered a phishing campaign that exploits automatic emails sent by the Dropbox cloud storage service, with a fraudulent link that imitates the Microsoft 365 login page, highlighting the constant evolution of cybercriminals' attack strategies.


03/13/2024 11:00

Editorial AI
