A recent spam campaign unearthed by security researchers from Trend Micro was found targeting Colombian entities. The campaign spread a new malware known as ‘Proyecto RAT’. In addition, the campaign’s authors relied on a disposable email address service, YOPmail, for their command-and-control (C2) server. A group regularly involved in business email compromise (BEC) scams was believed to be behind this campaign.
The big picture
Similarities with Xpert RAT
Trend Micro researchers point out that the new Proyecto RAT was similar to another RAT known as Xpert RAT. “Seeing the many features of the malware, we tried to match it to a known RAT. The communication between client and server is via TCP, is unencrypted, and uses pipe ‘|’ characters and ‘¡@#@!’ as a separator. This description fits quite well with Xpert RAT. Searching for the x86 hex string from cTimer class also leads to links with Xpert RAT,” said the researchers in an analysis of this malware.