Phishing Campaigns at Bargain Rates

Friday, March 21, 2014 @ 07:03 PM gHale


Two new phishing campaigns involve a remote administration tool (RAT) known as WinSpy, which also comes packaged with an Android component known as GimmeRAT, researchers said.

The first campaign involves spear phishing emails targeting a U.S. financial institution, said officials at security provider FireEye, which did not name the victim.

A spear phishing campaign involves an attachment that, when opened, appears as a pay slip, but it is actually just misdirection to launch the WinSpy malware, said FireEye Security Researcher Thoufique Haq in a blog post.

The second campaign involves macro documents that claim to be from Western Union or to concern other financial matters, delivered as attachments or links in emails.

Once a system is infected with WinSpy, an attacker can take screenshots, log keystrokes and retrieve various system reports, as well as download and upload files and execute payloads, according to the blog post, which adds that the command-and-control infrastructure was owned and controlled by the WinSpy author.

“This does not necessarily mean the author is behind the attack as the author provides the use of his server for command-and-control as well as to store the victim data as the default option in the WinSpy package,” Haq said. “This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker.”

The GimmeRAT Android component, which Haq said was uncovered during the investigation of the Windows modules for WinSpy, has three different applications as part of a surveillance package.

“One of the applications requires commandeering via a Windows controller and requires physical access to the device, while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” Haq said, explaining that the remote components work via SMS messages.

GimmeRAT has components that can take screenshots, collect GPS information and upload that data to attackers. It appears WinSpy is selling for $29.95.
