September 12, 2025
By esentry team

MostereRAT In Charge

A sophisticated phishing campaign has been observed leveraging MostereRAT, a Remote Access Trojan that allows attackers to take full control of a computer remotely, as if they were sitting right in front of it.

The campaign relies on advanced evasion techniques. Its staged payloads are written in Easy Programming Language (EPL), a Simplified Chinese-based programming language designed for ease of use by native speakers, and they are used to conceal malicious activity and disable security defences in order to evade detection.

Attack Chain

Initial Delivery

·      Begins with phishing emails targeting Japanese users.

·      Messages impersonate legitimate sources like business inquiries to lure victims into clicking malicious links.

Malicious Download

·      Visiting the infected site triggers an automatic file download, with the option for users to manually click a download button.

Weaponized Document

·      A Word document containing an embedded ZIP archive is delivered.

·      Instead of relying on Japanese-language lures, the document displays a single English instruction “OpenTheDocument.”

·      Victims are instructed to extract and execute the file inside the archive.

Decoy and Obfuscation

·      The archive includes encrypted components embedded in resources.

·      Images of well-known individuals are used as decoys to distract victims and obscure malicious behavior.

Privilege Escalation

·      The malware leverages CreateSvcRpc, a custom RPC client that communicates directly with the ntsvcs named pipe.

·      This enables interaction with the Windows Service Control Manager while bypassing the standard APIs OpenSCManager and CreateService.

Evasion and Persistence

·      By avoiding standard API calls, the malware can create services with SYSTEM-level privileges.

·      This technique allows it to evade security tools monitoring typical service creation methods and maintain persistence.

Key Impact

Privilege Escalation: Runs as "TrustedInstaller", granting itself the ability to modify critical system files, registry entries, and security settings that even administrators cannot normally access.

Remote Control: Deploys legitimate remote access tools such as AnyDesk and TightVNC on infected machines, giving attackers full, stealthy control without raising suspicion.

Security Product Evasion: Contains hardcoded lists of antivirus (AV) and endpoint detection and response (EDR) solutions, including:

·      Windows Defender

·      ESET, Avira, Avast, Malwarebytes, AVG

·      Kaspersky, Bitdefender, Norton, Symantec, McAfee

·      Chinese vendors like 360 Safe, Kingsoft Antivirus, Tencent PC Manager

The malware actively searches for and disables these defenses.

Telemetry Blocking: Uses Windows Filtering Platform (WFP) filters to block security products from transmitting detection data, alerts, event logs, and telemetry. This technique is adapted from the red-teaming tool EDRSilencer.

Post-Exploitation Capabilities: Once installed, MostereRAT

·      Logs keystrokes

·      Exfiltrates sensitive data

·      Creates hidden administrator accounts

·      Maintains long-term persistence using AnyDesk or TightVNC

Key Takeaways and Recommendations

Over-privileged Accounts Are a Core Weakness: MostereRAT highlights how attackers exploit local administrator privileges to tamper with security controls, install malware, and steal data.

Recommendation: Remove local admin rights wherever possible to reduce the attack surface and limit malware impact.

Common Patterns, Despite Creative Evasion: While the malware employs creative evasion tactics, it still follows the well-worn pattern of abusing over-privileged endpoints and weak application control.

Recommendation: Enforce strict application control policies to stop unauthorized or suspicious executables from running.

Abuse of Legitimate Remote Access Tools: By deploying trusted tools like AnyDesk and TightVNC, the malware gains persistence and stealthy access that bypasses many EDR detections.

Recommendation: Block or restrict unapproved remote access tools and maintain tight allow lists for legitimate remote administration software.

Living-Off-the-Land Detection Gap: Since attackers often rely on legitimate and signed tools, traditional signature-based detection may not be enough.

Recommendation: Proactively monitor for abuse of trusted applications and unusual remote access activity in your environment.
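As an added illustration (not part of the esentry write-up), the following Python triages constructed Event ID 7045 service-install records against two points made above: the Service Control Manager writes 7045 for a service registered over the ntsvcs pipe just as it does for one created through CreateService, so SCM-side events remain a detection point even when client-side API hooks are bypassed; and service installs of remote access tools such as AnyDesk and TightVNC can be checked against an allow list. The field names, sample records and match list are assumptions, not values from the report.

```python
import re

# Constructed sample records in the shape of exported System-log events.
# Event ID 7045 ("A service was installed in the system") is logged by the
# Service Control Manager itself, so it is emitted whether the request came
# through CreateService or directly over the ntsvcs pipe. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "wazuh", "ImagePath": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\Users\Public\Libraries\svc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "AnyDesk", "ImagePath": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "tvnserver", "ImagePath": r"C:\Program Files\TightVNC\tvnserver.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]

# Hypothetical match list of remote-access tools named in the report.
REMOTE_TOOLS = ("anydesk", "tightvnc", "tvnserver")
# A SYSTEM service whose binary lives outside these roots deserves review
# regardless of which API (or RPC shortcut) registered it.
TRUSTED_ROOTS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


def triage_service_installs(events, approved_remote_tools=frozenset()):
    """Return findings for 7045 events that match either triage rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        haystack = f"{name} {path}".lower()
        reasons = []
        matched = [t for t in REMOTE_TOOLS if t in haystack]
        if matched and not any(t in approved_remote_tools for t in matched):
            reasons.append(f"unapproved remote access tool ({matched[0]})")
        if ev.get("AccountName", "").lower() == "localsystem" and not TRUSTED_ROOTS.match(path):
            reasons.append("SYSTEM service outside Program Files/Windows")
        if reasons:
            findings.append({"service": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_service_installs(SAMPLE_EVENTS, approved_remote_tools={"tightvnc"}):
        print(f["service"], "->", "; ".join(f["reasons"]))
```

With TightVNC on the allow list, the run flags the SYSTEM service launched from a user-writable directory and the AnyDesk install, while the approved tvnserver service under Program Files is left alone.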

Finally, taking precautionary steps may feel daunting or even unnecessary at times, but the cost of inaction is far greater than you can imagine.