The Escanor RAT is a powerful malware threat that is being offered for sale to cybercriminals. More precisely, the RAT is being advertised on Dark Web forums and the Telegram social media platform. So far, two versions of the threat have been identified: one targeting Android-based devices and the other targeting PC-based systems. Since it was released for sale on January 26, 2022, the threat's initially limited functionality has been expanded considerably.
Details about the Escanor RAT (the mobile version is known as 'Esca RAT') were released to the public in a report by a Los Angeles-based cybersecurity company. According to the report's findings, the first versions of the RAT were just a compact HVNC (Hidden Virtual Network Computing) implant, tasked with providing the attackers with remote access to the breached system. Later versions added data-collection and keylogging routines. The mobile Escanor RAT can be effectively used as a banking Trojan targeting the banking information of its victims. The threat can intercept OTP (One-Time Password) codes, track the device's GPS location, assume control over the camera, browse files on the device and collect data.
So far, victims of the Escanor RAT have been identified all over the world, in countries as far apart as the US, UAE, Egypt, Mexico, Singapore, Canada, Kuwait, Israel and more. The infection vector typically involves weaponized Microsoft Office or Adobe PDF documents.