RuRAT malware is being installed as part of a malicious drive; the malware allows remote access to affected devices. The attackers are masking as a venture capital firm looking to invest money or buy the victim’s site. 

An IP address of a U.K virtual server company was used to send a spear-phishing email to BleepingComputer recently. The email stated that the sender was a venture capitalist who wanted to buy the media agency’s site.

  • The email directed the receiver to contact Philip Bennett, an agent, through the Vuxner application.
  • Researchers tracked a vuxner[.] com site by Googling it; Researchers said that the site advertises Vuxner Chat as a free secure instant messaging service
  • When the VuxnerChat[.]exe file is installed, it also brings in some additional malware, including RuRAT, onto the computer.
  • The VuxnerChat[.]exe file installation also installs some other files, including malware RuRAT onto the computer
  • RuRAT can be used for initial access to a system, taking control, searching for credentials and sensitive data, and spreading laterally across a network.

The infection chain consists of several stages.

It starts with the decoy URL drops and installs Trillian software

Once the Vuxner Trillian client is installed and exited, an installer plants a genuine remote desktop software known as RuRATSetup[.]exe and executes it

Afterwards, a C:\ swrbldin folder is generated on the victim machine, having different batch files, VBS scripts, and other files that are needed to install RuRAT.

Attackers are using new ways, false claims, to trap targeted users into installing malware. So, the professionals must always watch out for suspicious emails and report it to their security team. Further, one should never download email attachments without scanning or screening the attachment.