Escanor is a new RAT (Remote Administration Tool) that was promoted on the Dark Web and Telegram, as per Resecurity, a cybersecurity firm based in Los Angeles that protects Fortune 500 companies globally.
The threat actors provide versions of the RAT for Android and PC, as well as an HVNC module and an exploit builder to turn Microsoft Office and Adobe PDF files into weapons for spreading malicious code.
The tool was first publicly available for purchase on January 26th of this year as a small HVNC implant that allowed for the establishment of a stealthy remote connection to the victim's machine. Later, the kit evolved into a full-scale, commercial RAT with a robust feature set.
Over 28,000 people have joined Escanor's Telegram channel, which has a solid reputation on the Dark Web. Previous 'cracked' releases by the actor going by the same name included Venom RAT, 888 RAT, and Pandora HVNC, which were probably utilized to enhance Escanor's capability further.
According to reports, cybercriminals actively employ the malware known as Esca RAT, a mobile variant of Escanor, to attack users of online banks by intercepting one-time password (OTP) credentials.
The warning states that the tool "may be used to gather the victim's GPS locations, watch keystrokes, turn on hidden cameras, and browse files on the distant mobile devices to steal data."
Escanor Exploit Builder has been used to deliver the vast majority of samples that have lately been discovered. Decoy documents that look like bills and notices from well-known internet providers are utilized by hackers.
Resecurity also advised that the website address 'escanor[.]live' has earlier been linked to Arid Viper, a group that was active in the Middle East in 2015.
APT C-23 is also known as Arid Viper. Espionage and information theft are this threat actor's primary goals, which have been attributed to malevolent actors with political motivations for the freedom of Palestine. Although Arid Viper is not a particularly technologically advanced actor, it is known to target desktop and mobile platforms, including Apple iOS.
Their primary malware, Micropsia, is surrounded by Delphi packers and compilers in their toolset. This implant has also been converted to various platforms, including an Android version and versions built on Python.
The majority of Escanor patients have been located in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with a few infections also occurring in South-East Asia.
