Post by VMRay


🔥 Alert: Weaponizing Overlord RAT — open-source Golang RAT in #DocuSign-themed phishing

🔗 Report: https://lnkd.in/eHR9-GHB

We have recently spotted a phishing campaign that uses a new, open-source malware called #OverlordRAT, written in Go. The chain starts with a malicious URL pointing to a domain impersonating the logistics company Global-Merx. The URI resource, utility.php, mimics an official DocuSign page and uses embedded JavaScript to trick victims into downloading an "ACH Remittance payment" document, which is actually a malicious MSI installer; we have seen the payload change recently. The installer embeds a DLL stager, which is called via the CustomAction table of the fake Microsoft DirectX Runtime MSI installer. The DLL finally injects its payload into werfault.exe, decrypts the final-stage Overlord RAT payload with XOR (key 0xA9) and executes it. The use of Overlord RAT again reinforces our previous finding that actors are always on the lookout for new tools to adopt into their attack arsenal.

🔑 Takeaways:
- URL → DocuSign phishing → MSI → DLL → EP injection (werfault.exe) → XOR (0xA9) → Overlord RAT
- MSI and DLL disguised as Microsoft DirectX Runtime files, embedded payload called via CustomAction table
- DLL stager injects into werfault.exe, decrypts Overlord RAT payload with XOR key 0xA9
- The open-source Overlord RAT handles encrypted WebSocket traffic, provides HTTPS, JWT, RBAC and MFA authentication, flexible remote desktop streaming (WebRTC, MediaMTX) and supports Windows, Linux and macOS

#ThreatIntelligence #ThreatResearch #MalwareAnalysis
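As an added example (not VMRay's code), a small Python helper an analyst could run on a blob carved from the DLL stager: it brute-forces the single-byte XOR key and confirms the decrypted bytes form a PE, which is how the 0xA9 key above would be recovered from the sample. The encrypted input here is a constructed stand-in PE header, not the real Overlord RAT payload.

```python
import struct

def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the scheme the stager uses (key 0xA9 in this campaign)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """Check the DOS 'MZ' header and the 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_single_byte_xor_key(blob: bytes):
    """Try all 256 keys; return the one that yields a valid PE, or None."""
    for key in range(256):
        if looks_like_pe(xor_decrypt(blob, key)):
            return key
    return None

def _fake_pe_header() -> bytes:
    """Constructed stand-in for the decrypted payload: headers only, no code."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed sample: the fake header XOR-encrypted with the campaign's key.
SAMPLE_ENCRYPTED = xor_decrypt(_fake_pe_header(), 0xA9)

if __name__ == "__main__":
    key = recover_single_byte_xor_key(SAMPLE_ENCRYPTED)
    print(f"recovered key: {key:#x}" if key is not None else "no PE found")
```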
