Go to listing page

Goldmouse aka APT-C-27 targets the Middle East by leveraging WinRAR’s dated security bug

Goldmouse aka APT-C-27 targets the Middle East by leveraging WinRAR’s dated security bug
  • The threat actor is reportedly disseminating njRAT backdoor via malicious Word documents.
  • Attack samples also showed that the malicious code was primarily written in Arabic.

Shortly after WinRAR patched a major security bug in its platform, cybercriminals have resorted to exploiting the bug in unpatched systems for malicious gains.

A good example is the latest attack campaign conducted by the Goldmouse threat group. The APT group is reportedly targeting the Middle East region. According to security 360 Threat Intelligence Center, Goldmouse was observed deploying the nebulous njRAT backdoor.

The big picture

  • In the attack, Goldmouse used file archives containing decoy Word documents. The documents contain a message regarding terrorist attacks.
  • This is to bait users into decompressing the archive using WinRAR, which would let the njRAT backdoor extract itself on the startup folder.
  • njRAT backdoor, which is disguised as Telegram Desktop.exe in this case, would be triggered if the user restarted the infected computer or logged into it again.
  • The backdoor program then shuts down the firewall, starts a keylogger thread and subsequently communicates with its C2 server.
  • The malware also has other features such as remote SHELL, plug-in support, remote desktop, and file management.

Android devices also targeted - The researchers also detected multiple samples designed to target Android devices. The samples mimicked popular applications such as Microsoft Office.

“Multiple related Android samples with the same C&C ( are discovered by 360 Threat Intelligence Center as well. Those recent Android backdoors are disguised as commonly used applications such as Android system and Office software update program,” the researchers wrote in their blog.

Once these false ‘Office Update’ APK files are downloaded on the device, attackers use the C2 server to capture details such as GPS Positioning and perform tasks like recording and photographing from the device.

Cyware Publisher