New Version of an Old RAT

Monday, April 21, 2014 @ 07:04 PM gHale


A new version of an old Java RAT called UNRECOM (Universal Remote Control Multi-Platform) is now making the rounds, researchers said.

The new version, detected as JAVA_OZNEB.B, previously went under the moniker of Adwind, said researchers at Trend Micro. The RAT is distributed through spam emails, in which the malware is often disguised as product lists, catalogues or receipts. One spam run used to distribute UNRECOM leverages the reputation of American Express.

The fake bank emails inform recipients that their accounts have been suspended due to suspicious activity.

“In view of this, your American Express card has been locked. This has been done to secure your accounts and to protect your private information. We are committed to making sure that your online transactions are secure,” the emails read.

They continue, “Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk-free environment.”

Of course, the attachment is not a report, but a copy of the RAT.

Once it infects a computer, the new version of the malware can not only take screenshots and display messages, but it can also mine for Litecoins.

The Litecoin-mining component is a plugin. The creators of UNRECOM can add other plugins to further enhance the threat.

“The inclusion of a Litecoin miner plugin is highly notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency that’s often considered as a popular alternative to Bitcoin,” said Trend Micro Threat Response Engineer Mark Joseph Manahan in a blog post.
http://blog.trendmicro.com/trendlabs-security-intelligence/old-java-rat-updates-includes-litecoin-plugin/

This RAT can run on multiple platforms. It also has an APK binder component. This enables cybercriminals to take legitimate Android apps and turn them into Trojans.

Trend Micro’s Smart Protection Network has shown most UNRECOM infections were in the United States, Turkey, Australia, Taiwan, Singapore and Japan.


