
Newly discovered phishing campaign distributing remote access trojans
A recent discovery by FortiGuard Labs has exposed a phishing campaign that is spreading VCURMS and STRRAT remote access trojans. This campaign tricks targets into downloading a malicious Java downloader, enabling threat actors to deliver malware. The malware is hosted on public services and distributed through emails.
Insights from Security Leaders
Jason Soroko, Senior Vice President of Product at Sectigo:
“Malware creators are taking advantage of cloud services, which is not surprising. RAT malware typically extracts any available data, and the new VCURMS and STRRAT remote access trojans include keyloggers. To combat these threats, stronger authentication methods beyond usernames and passwords are essential.”
Darren Guccione, CEO and Co-Founder at Keeper Security:
“Phishing attacks are becoming more sophisticated, with cybercriminals using aesthetic tactics like realistic email templates and malicious websites. In this campaign, bad actors exploit trusted cloud systems and GitHub repositories to deploy various malware techniques.
“Organizations must consistently train employees to recognize and prevent phishing attacks. Users play a crucial role in defending against these threats and should be educated on identifying and avoiding attack vectors.”
Adam Neel, Threat Detection Engineer at Critical Start:
“The VCURMS and STRRAT remote access trojans are being spread through phishing emails with malicious attachments. When these attachments are executed, they download JAR files from an Amazon Web Services (AWS) instance to initiate the attack.
“AWS and GitHub are commonly used by attackers to host malware due to their ease of use and protection. These platforms allow attackers to avoid detection until they deploy their tools. One of the RATs in this attack sets up its command and control through email, enabling attackers to send commands to compromised systems.
“While this attack uses unconventional techniques for obfuscation, users can stay safe by avoiding downloading and executing email attachments. Caution and security best practices are crucial when dealing with emails.”
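The chain described above (a mail attachment that launches Java, which pulls a JAR from cloud hosting) leaves a recognisable footprint on the endpoint: a Java runtime started with `-jar` on an archive sitting in a user's Downloads or Temp directory, often with a mail client or browser as the parent process. The following is an added example of a detection rule over endpoint process-creation events; it is not code from the article or from any of the quoted vendors. The event field names (`host`, `user`, `parent`, `image`, `cmdline`), the three sample events and all file paths are constructed for illustration, and the scoring thresholds are an assumption a team would tune to its own baseline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation events (not taken from the article).
SAMPLE_EVENTS = [
    {  # launched from a mail client, JAR placed in the user's Temp directory
        "host": "ws01", "user": "alice",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
        "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Local\Temp\Invoice_2024.jar"',
    },
    {  # developer running a build artifact from a project directory (benign)
        "host": "ws02", "user": "bob",
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
        "cmdline": r'"C:\Program Files\Java\jdk-17\bin\java.exe" -jar C:\src\app\target\app.jar',
    },
    {  # double-clicked in Explorer from the Downloads folder
        "host": "ws03", "user": "carol",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
        "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\carol\Downloads\Shipping Document.jar"',
    },
]

# Assumed indicator sets; extend them from your own environment.
JAVA_IMAGES = {"java.exe", "javaw.exe"}
MAIL_OR_BROWSER_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

# "-jar" followed by either a quoted path (may contain spaces) or a bare token.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def jar_path_from_cmdline(cmdline):
    """Return the archive path passed to -jar, or None if the command line has none."""
    m = JAR_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def score_event(event):
    """Score one process-creation event; returns (score, list of matched reasons)."""
    reasons = []
    if PureWindowsPath(event["image"]).name.lower() not in JAVA_IMAGES:
        return 0, reasons
    jar = jar_path_from_cmdline(event["cmdline"])
    if jar is None:
        return 0, reasons
    reasons.append("java launched with -jar")
    jar_l = jar.lower()
    if any(marker in jar_l for marker in USER_WRITABLE_MARKERS):
        reasons.append("JAR in user-writable download/temp location")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in MAIL_OR_BROWSER_PARENTS:
        reasons.append(f"parent is mail client or browser ({parent})")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose score reaches the threshold, with the reasons attached."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append({"host": e["host"], "user": e["user"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample the rule flags `ws01` (mail-client parent plus a JAR in Temp) and `ws03` (JAR in Downloads) while leaving the developer's build run on `ws02` alone. A single `-jar` launch is deliberately not enough on its own, because Java desktop software is common; the combination with a user-writable archive location or a mail/browser parent is what separates an attachment-driven launch from normal use.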
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:
“Cybercriminals have been leveraging commercial infrastructure to evade security tools and deliver payloads. Organizations using AWS and other cloud services must gain visibility into their cloud accounts and services to accurately identify new threats.”