German users are being hit by a newly discovered spam campaign dropping malicious MS Office documents, which install a copy of the Ozone Remote Access Trojan (RAT) and a rogue certificate onto the victims' PCs.
What sets this particular spam wave apart from the many others is that it doesn't rely on the classic macro-laced Office docs. Instead, it uses a much older technique which hasn't been observed for quite a while.
Once executed, the JS file installs a local Proxy Auto-Config (PAC) file, which takes over the user's Internet proxy settings. This PAC file is downloaded from a Tor URL via a Tor2Web proxy service such as onion.to.
Next, the malicious JS file downloads a rogue Comodo certificate, which is needed for the upcoming Man-in-the-Middle (MitM) attack in order to disguise and sign malicious traffic.
Finally, the JS file downloads the last required component: a copy of the Ozone RAT. Ozone was first noticed over a year ago, and its authors currently sell it for $50 (platinum package) and $20 (standard package).
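The infection chain described above leaves one artifact a defender can check cheaply: the PAC file now governing the machine's proxy settings. The script below is an added example, not code from the article or from Fortinet. It parses the string literals returned by a PAC file's FindProxyForURL, lists every proxy endpoint the file routes traffic through, and flags any endpoint that is a .onion host or sits behind a Tor2Web gateway (only onion.to, the gateway the article names, is in the list). The sample PAC text and the hostnames in it are constructed for the example; PAC files that build their return value by string concatenation are outside what this simple parser handles.

```python
import re

# Tor2Web gateway domains to flag. The article names onion.to; add further
# gateways here as an operational decision (none are assumed in this example).
TOR2WEB_GATEWAYS = ("onion.to",)

# Constructed sample PAC file for the example; hostnames are invented.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-example.de"))
        return "PROXY abcdefghijklmnop.onion.to:8080";
    if (dnsDomainIs(host, ".shop-example.de"))
        return "PROXY 10.0.0.5:3128; DIRECT";
    return "DIRECT";
}
"""

# Every string literal handed back by a return statement in the PAC script.
RETURN_RE = re.compile(r'return\s+"([^"]*)"')
# Individual proxy entries inside such a literal; DIRECT is deliberately not matched.
ENDPOINT_RE = re.compile(r'\b(PROXY|SOCKS5?|HTTPS?)\s+([^\s;:"]+)(?::(\d+))?', re.I)


def extract_proxies(pac_text):
    """Return (scheme, host, port) for each proxy endpoint in the PAC's return literals."""
    proxies = []
    for literal in RETURN_RE.findall(pac_text):
        for scheme, host, port in ENDPOINT_RE.findall(literal):
            proxies.append((scheme.upper(), host, port or ""))
    return proxies


def is_tor_related(host):
    """True for .onion hostnames and for hosts under a known Tor2Web gateway domain."""
    h = host.lower().rstrip(".")
    if h.endswith(".onion"):
        return True
    return any(h == g or h.endswith("." + g) for g in TOR2WEB_GATEWAYS)


def audit_pac(pac_text):
    """Summarise a PAC file: the proxies it uses and which of them point into Tor."""
    proxies = extract_proxies(pac_text)
    tor_related = sorted({host for _, host, _ in proxies if is_tor_related(host)})
    return {
        "proxies": proxies,
        "tor_related": tor_related,
        "verdict": "suspicious" if tor_related else "clean",
    }


if __name__ == "__main__":
    report = audit_pac(SAMPLE_PAC)
    for scheme, host, port in report["proxies"]:
        print(f"{scheme} {host}:{port or '?'}")
    print("Tor-related endpoints:", report["tor_related"])
    print("verdict:", report["verdict"])
```

On a Windows host the PAC location is the AutoConfigURL value under the user's Internet Settings registry key; on other platforms it is whatever the browser or system proxy configuration points at. Feed that file's contents to audit_pac and treat a "suspicious" verdict as a reason to pull the machine for closer inspection, including a review of its trusted certificate stores for the rogue certificate the article describes.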
The Ozone RAT establishes the connection between the hackers and their targets. Once it is installed on the victims' PCs, the crooks connect to the local copy and gain complete control over the victims' machines, searching for valuable data.
The official Ozone webpage states that it offers a "legal" RAT product. The purchased RAT comes with a password dumper, a hidden startup routine, a keylogger and a remote access feature. It can also hide its actions, download and run other files if needed, and access the remote PC's webcam.
Moreover, the RAT also has its own file manager, an app manager, a process manager and a boot persistence feature.
Taking a good look at all these features, which are usually found in illegitimate spyware programs used for malicious actions, it appears that the Ozone RAT is not as legal as the website presents it to be.
“With RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from their websites, or simply download ‘modified’ versions.” – Fortinet’s security experts Joie Salvio and Floser Bacurio Jr. say – “Just a few words of caution, though. This can be a cunning ordeal. These ‘modified’ versions may be the malware themselves. With a lack of understanding how malware schemes work, even before starting your first attack, you may inadvertently become one of the first victims.”