A new attack campaign delivering the remote access Trojan MoDi RAT has been detected by cybersecurity experts. The threat has all of the capabilities expected from a RAT: it gives the attackers remote access to the infected computer, allowing them to execute arbitrary commands, manipulate the file system, exfiltrate information of interest collected from the compromised device, or deliver additional threatening payloads.

MoDi RAT can also attempt to connect to additional Command-and-Control (C2, C&C) servers, so any harvested files or private data can be uploaded to more than one external server. The collected data could include detailed host and system information, sensitive login credentials and financial details.

However, the most interesting aspects uncovered by infosec researchers concern not the threat itself but the method by which MoDi RAT was delivered.

A Convoluted Attack-Chain Drops MoDi RAT

Before the final MoDi RAT payload is installed on the compromised system, the attack goes through multiple stages and uses several tricks designed to avoid detection. The initial attack vector is most likely a spam campaign distributing emails with malicious attachments. When the user opens the attachment, it triggers a Visual Basic Script that connects to a remote site serving as the entry point for a series of HTTP 302 redirects that finally lead to a .ZIP archive hosted on OneDrive. The archive contains an encoded VBS (VBE) file.

Meanwhile, the initial VBS script drops a second VBS file to the file system and writes three data blobs to the Windows Registry for use in the later stages of the attack. It then creates a Scheduled Task that runs the dropped VBS script at a predetermined later time. That VBS code launches PowerShell, places the needed commands on the system clipboard and pastes them into the PowerShell window programmatically via the VBS SendKeys command. This avoids spawning a PowerShell instance with unusual command-line parameters that security products might flag.

Fileless Attack Phase

The rest of the attack is entirely fileless. PowerShell extracts a .NET decoder executable from the Registry blobs and injects it into a system process. The decoder then extracts a .NET injector and the payload blobs, and the injector loads the payload by injecting it into the msbuild.exe process.
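The SendKeys delivery keeps the powershell.exe command line clean, but the pasted commands still execute inside that session, so PowerShell script block logging (Event ID 4104) records them, and the process tree still shows a script host as PowerShell's parent. The following detection logic correlates those two signals; it is an added example, not code from the original report, and the telemetry records, field names and the HKCU path are constructed for illustration (only the key name Entreur comes from the article).

```python
"""Correlate process-creation and PowerShell script-block telemetry to catch a
script host launching a bare powershell.exe that then runs Registry-blob loader code.
Added example with constructed sample events; field names are assumptions."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script-block content typical of the fileless phase: read a Registry blob, decode it, load it.
SUSPECT_PATTERNS = ("Get-ItemProperty HKCU:", "FromBase64String", "[Reflection.Assembly]::Load")

# Constructed sample telemetry (Sysmon-style process creation + 4104 script blocks).
PROCESS_EVENTS = [
    {"pid": 4012, "image": "wscript.exe", "parent_image": "svchost.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\update.vbs"},
    # Bare command line: exactly what the clipboard/SendKeys trick produces.
    {"pid": 4100, "image": "powershell.exe", "parent_image": "wscript.exe", "cmdline": "powershell.exe"},
    # Benign interactive session for contrast.
    {"pid": 5200, "image": "powershell.exe", "parent_image": "explorer.exe", "cmdline": "powershell.exe"},
]
SCRIPT_BLOCKS = [
    {"pid": 4100, "text": "$b=(Get-ItemProperty HKCU:\\Software\\Example).Entreur; "
                          "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"},
    {"pid": 5200, "text": "Get-ChildItem C:\\Temp"},
]


def find_sendkeys_delivery(process_events, script_blocks):
    """Return one alert per powershell.exe that was spawned by a script host and whose
    logged script blocks contain loader-style content, regardless of its command line."""
    blocks_by_pid = defaultdict(list)
    for sb in script_blocks:
        blocks_by_pid[sb["pid"]].append(sb["text"])

    alerts = []
    for ev in process_events:
        if ev["image"].lower() != "powershell.exe":
            continue
        if ev.get("parent_image", "").lower() not in SCRIPT_HOSTS:
            continue
        # The command line alone is unremarkable here; the script-block log supplies the evidence.
        hits = sorted({p for text in blocks_by_pid.get(ev["pid"], [])
                       for p in SUSPECT_PATTERNS if p in text})
        if hits:
            alerts.append({"pid": ev["pid"], "parent": ev["parent_image"],
                           "cmdline": ev["cmdline"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_sendkeys_delivery(PROCESS_EVENTS, SCRIPT_BLOCKS):
        print(alert)
```

The same join works against real 4104 and process-creation events once the field names are mapped to your log source; without script block logging enabled, only the script-host-to-PowerShell parent relationship remains visible.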

It should be noted that several strings, including the name of the initial ZIP file (Timbres-electroniques) and one of the Registry keys (Entreur), are French words. It is perhaps no surprise, then, that the detected targets of MoDi RAT included multiple French firms.
