MostereRAT Malware Leverages Evasion Tactics to Foil Defenders

A sophisticated phishing campaign using MostereRAT exploits advanced evasion tactics, targeting Japanese users and bypassing traditional defenses.

Even as cybercrime grows more sophisticated, security researchers have uncovered a stealthy phishing campaign that deploys a powerful malware strain called MostereRAT. This remote access trojan gives attackers full control of infected systems, letting them operate a machine as if they were sitting in front of it.

The campaign was recently uncovered by Fortinet's FortiGuard Labs, which found it using an array of advanced evasion techniques to bypass traditional defenses and remain undetected for extended periods of time. The operation is characterized by its unconventional use of Easy Programming Language (EPL), a visual programming tool developed in China that is seldom used in such operations.

Through EPL, staged payloads were constructed, malicious activity was obscured, and security systems were systematically disabled. Researchers report that the phishing emails, primarily targeted at Japanese users with business-related lures, lead victims to booby-trapped documents embedded within ZIP archives, which ultimately enables the deployment of MostereRAT.

The malware, designed to siphon sensitive information from a compromised computer, is notably sophisticated: it extends its reach by installing secondary plugins, secures its communication with mutual TLS (mTLS), and even installs additional remote access utilities once inside a machine, highlighting the campaign's calculated design and its adaptability after initial entry.

According to FortiGuard Labs, the campaign distinguishes itself by its layered approach to evasion, which makes it very difficult to detect. Notably, the code is written in Easy Programming Language (EPL), a simplified Chinese-based programming language rarely seen in cyberattacks, and the payload is staged in multiple steps to conceal the malicious activity.

Once deployed on an enterprise network, MostereRAT establishes command-and-control access, disables security tools, blocks antivirus traffic, and secures its communications with the C2 infrastructure using mutual TLS (mTLS). Infection chains begin with phishing emails crafted to look like legitimate business inquiries, with a particular emphasis on Japanese users.

These messages direct unsuspecting recipients to download a Microsoft Word file containing a hidden ZIP archive, which in turn executes a concealed payload. That payload decrypts the executable's components, installs them in the system directory, and sets up persistence mechanisms, some of which operate with SYSTEM-level privileges, to maximize the attackers' control.

Moreover, the malware displays a deceptive message in Simplified Chinese claiming that the file is incompatible, further disguising its presence. The tactic deflects suspicion while encouraging recipients to try opening the file another way. Researchers also noted that the attack flows and associated C2 domains trace back to infrastructure first reported by a security researcher in 2020 in connection with a banking trojan.

Since then, that threat has evolved into the fully fledged remote access trojan now known as MostereRAT.

Yurren Wan, the FortiGuard Labs researcher, emphasized that the campaign is of high severity, primarily because it integrates multiple advanced techniques that let adversaries remain undetected while keeping complete control of compromised systems.

By disabling security defenses and disguising their activity behind legitimate remote access tools, attackers are able to operate in plain sight. Wan noted that one of the most distinctive aspects of this campaign is its use of unconventional methods: it is coded in Easy Programming Language (EPL), intercepts and blocks antivirus traffic at the network level, and can even escalate privileges to the level of TrustedInstaller, capabilities rarely found in standard malware attacks.

Once active on a target system, MostereRAT can record keystrokes, exfiltrate sensitive data, create hidden administrator accounts, and use tools such as AnyDesk and TightVNC to maintain long-term persistence. According to Wan, defending against such intrusions requires a layered approach that combines advanced technical safeguards with sustained user awareness.

He added that companies should ensure their FortiGate, FortiClient, and FortiMail deployments carry the latest FortiGuard security patches, while channel partners can help by guiding customers toward a managed detection and response (MDR) strategy and encouraging them to take advantage of training such as the free Fortinet Certified Fundamentals (FCF) course.

Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, emphasized that browser security is a crucial line of defense against the phishing emails at the heart of the campaign, and that restricting automatic downloads and tightening user privilege controls can significantly reduce the risk of escalation to SYSTEM or TrustedInstaller. Once installed, MostereRAT uses multiple techniques to undermine the security of the host.

It disables Microsoft updates, terminates antivirus processes, and prevents security software from communicating with its vendors' servers. By impersonating the highly privileged TrustedInstaller account, the malware escalates privileges, allowing attackers to take over the system almost completely.

James Maude, acting chief technology officer at BeyondTrust, explained that by combining an obscure scripting language with trusted remote access tools, the campaign exploits overprivileged users and endpoints that lack strong application control.

MostereRAT maintains an extensive list of targeted security products, including 360 Safe, Kingsoft Antivirus, Tencent PC Manager, Windows Defender, ESET, Avira, Avast, and Malwarebytes. It uses Windows Filtering Platform (WFP) filters to block network traffic from these tools, effectively preventing them from reaching their vendors' servers to send detection alerts or telemetry.
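One way a defender could hunt for the WFP-based blocking described above, as an added example that is not code from the article or from FortiGuard: it assumes the shape of a `netsh wfp show filters` XML export (one item per filter, with an action type and an FWPM_CONDITION_ALE_APP_ID condition exposing the program path as a string), and the filter export inside the block is constructed.

```python
"""Hunt a WFP filter export for BLOCK rules aimed at security products.

Added example, not code from the article or FortiGuard. It assumes the shape
of a `netsh wfp show filters` XML export: one <item> per filter carrying an
<action><type> and an FWPM_CONDITION_ALE_APP_ID condition whose program path
appears in an <asString> element. The export below is constructed."""
import xml.etree.ElementTree as ET

# Vendor keywords taken from the article's list of products MostereRAT targets.
WATCHED_VENDORS = ("360", "kingsoft", "tencent", "defender", "eset",
                   "avira", "avast", "malwarebytes")

SAMPLE_FILTERS_XML = r"""<filters>
  <item><displayData><name>Core Networking - DNS (UDP-Out)</name></displayData>
    <action><type>FWP_ACTION_PERMIT</type></action></item>
  <item>
    <displayData><name>svc_upd</name></displayData>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue>
        <asString>\device\harddiskvolume3\program files\eset\ekrn.exe</asString>
      </conditionValue></item></filterCondition>
  </item>
  <item>
    <displayData><name>Block Acme Updater</name></displayData>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue>
        <asString>\device\harddiskvolume3\program files\acme\updater.exe</asString>
      </conditionValue></item></filterCondition>
  </item>
</filters>"""


def find_av_block_filters(xml_text, watched=WATCHED_VENDORS):
    """Return (filter name, program path) for each BLOCK filter whose
    per-application condition points at a watched security product."""
    hits = []
    for flt in ET.fromstring(xml_text).findall("item"):
        if flt.findtext("action/type", default="") != "FWP_ACTION_BLOCK":
            continue  # permit/callout rules are not what we hunt for
        name = flt.findtext("displayData/name", default="<unnamed>")
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue  # e.g. remote-address conditions: out of scope here
            path = next((e.text for e in cond.iter("asString") if e.text), "")
            if any(v in path.lower() for v in watched):
                hits.append((name, path))
    return hits
```

Matching only on vendor keywords in the program path is deliberately coarse; a real hunt would also review block filters keyed on remote addresses, since a filter scoped to a vendor's update servers would not show up here.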

Researchers also found that another of the malware's core modules, elsedll.db, provides robust remote access secured with mutual TLS (mTLS) authentication and supports 37 distinct commands, ranging from file manipulation and payload delivery to screen capture and user identification. Particularly concerning is that the malware deliberately installs and configures legitimate software such as AnyDesk, TightVNC, and RDP Wrapper to create hidden backdoors for long-term use.

To keep exclusive control over these utilities, the attackers stealthily modify the registry and hide the tools from the system's users. The experts warn that the campaign marks an important evolution in remote access trojans, combining advanced evasion techniques with social engineering and legitimate tool abuse to achieve persistent compromise, and underscoring the need for strong security hygiene, strict endpoint controls, and ongoing user awareness training.

The discovery of MostereRAT underscores that cybercriminals have moved beyond rudimentary malware to sophisticated campaigns that combine technical innovation with careful planning. For companies, the real challenge is not only to deploy updated security products but to adopt a layered, forward-looking defense strategy that anticipates such threats before they become a problem.

Measures such as tightening user privilege policies, improving browser security, and increasing endpoint visibility can help minimize exposure; regular awareness programs remain crucial for reducing the success rate of phishing lures.

Partnering with managed security providers can also give organizations access to detection, response, and continuous monitoring expertise that most find difficult to maintain in-house. Adversaries will continue to exploit overlooked vulnerabilities and legitimate tools to their advantage, which is why threats like MostereRAT are on the rise.

In this environment, resilient defenses require more than reactive fixes; they demand a culture of preparedness, disciplined operational practices, and a commitment to staying one step ahead in a threat landscape that continues to grow rapidly.