Security researchers have identified a new campaign targeting financial institutions and government agencies with a custom version of a remote access tool called 'Proyecto RAT'.
According to the Trend Micro report, the attack primarily targets South American organizations, especially in Colombia. The infection starts with a customized email sent to the target through open or compromised mail servers in the South American region.
The email contains an RTF attachment and an enticing message to draw the user's attention.
The attachment contains shortened links that direct victims to file-sharing services. The delivered file is a macro-enabled MHTML file. The macro code is responsible for retrieving and executing the payload, Imminent Monitor RAT.
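A defender-side triage sketch for the two delivery artifacts described above, added here as an illustration and not taken from the Trend Micro report: it flags shortened links in an RTF attachment and macro storage parts in an MHTML document. The shortener host list and both sample inputs are constructed assumptions; the `application/x-mso` content type and `ActiveMime` header are the markers Word uses when it stores macros in an MHTML file.

```python
import base64
import re
from email import message_from_bytes
from urllib.parse import urlparse

# Assumed, non-exhaustive shortener hosts; the article does not name the service used.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
URL_RE = re.compile(rb"https?://[^\s\"'{}\\<>]+", re.I)

def shortened_links(data: bytes) -> list[str]:
    """Return URLs inside an RTF file whose host is a known link shortener."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not RTF: leave it to other checks
    hits = []
    for match in URL_RE.finditer(data):
        url = match.group().decode("ascii", "replace")
        if (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS:
            hits.append(url)
    return hits

def mhtml_macro_parts(data: bytes) -> list[str]:
    """Return Content-Location of MHTML parts that hold an Office macro store."""
    msg = message_from_bytes(data)
    if not msg.is_multipart():
        return []  # MHTML is a MIME multipart container
    found = []
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""  # None for containers
        if (part.get_content_type() == "application/x-mso"
                or payload.startswith(b"ActiveMime")):
            found.append(part.get("Content-Location", ""))
    return found

# Constructed samples for illustration (not taken from the campaign).
SAMPLE_RTF = (rb'{\rtf1\ansi{\field{\*\fldinst HYPERLINK '
              rb'"https://bit.ly/constructed-example"}{\fldrslt Ver documento}}}')
SAMPLE_MHTML = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Location: file:///C:/doc.htm\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>\r\n"
    b"--b1\r\nContent-Location: file:///C:/doc_files/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n\r\n"
    + base64.b64encode(b"ActiveMime\x00constructed") + b"\r\n--b1--\r\n"
)
```

A mail gateway or sandbox pre-filter could quarantine attachments for which either function returns a non-empty list.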
Imminent Monitor RAT monitors all network activity and includes the information needed to run the second stage of the payload. It supports a wide range of monitoring activities, including keystroke logging, file transfer, screenshot capture, and audio recording.
The second stage of the payload is "Proyecto RAT", which uses the yopmail email service for C&C communication.
Researchers believe that "Proyecto RAT" is either an old and limited version of Xpert RAT, a customization of Xpert RAT, or malware based on the Xpert RAT source code.