A new RAT has been discovered on the dark web and Telegram. Named Escanor, the RAT has Android- and PC-based versions, with HNVC module and exploit builder.

Escanor RAT

Escanor RAT has been spotted by Resecurity, which reported that the attackers are offering an HVNC module and exploit builder to weaponize Adobe PDF and Microsoft Office documents to spread malicious code.
  • The tool was initially released for sale on January 26 as a compact HVNC implant allowing it to set up a silent remote connection. It later transformed into a full-scale commercial RAT. 
  • Escanor has already built a credible reputation on dark web and attracted over 28,000 subscribers on its Telegram channel. 
  • Moreover, there is a mobile version (Esca RAT) that is used to attack online-banking customers by intercepting OTPs. 

Most of its victims are located in the U.S., the UAE, Canada, Kuwait, Bahrain, Egypt, Israel, Saudi Arabia, Singapore, and Mexico.

Connections with other incidents

  • An observed domain name (escanor[.]live) was previously linked to AridViper (aka GnatSpy/APT-C-23) infrastructure.
  • In the past, the actor with the moniker Escanor had released cracked versions of several tools, such as Pandora HVNC, Venom RAT, and 888 RAT, which were likely used to improve the functionality of Escanor.

Concluding notes

Escanor RAT seems to be very capable as it has already attracted thousands of customers. Similarities with past incidents indicate that the attacker may be developing this new malware by leveraging past experiences and malware code. Moreover, the availability of both Android and PC versions indicates that this threat actor may be planning for making further investments and enhancements in this malware.
Cyware Publisher

Publisher

Cyware