The spread of affordable malware “meal kits,” priced at under $100, is driving a surge in remote access Trojan (RAT) campaigns, frequently concealed within seemingly legitimate Excel and PowerPoint email attachments. HP Wolf Security has unveiled its “Q3 2023 Threat Insights Report,” which highlights a substantial increase in Excel files containing DLLs infected with the Parallax RAT. These files masquerade as authentic invoices, but when opened, they trigger the malware, as explained by HP’s senior malware analyst, Alex Holland. The Parallax RAT malware kits are readily available for $65 per month on underground hacking forums.
HP’s report also reveals cybercriminals targeting prospective attackers with malware kits like XWorm, which are hosted in apparently legitimate repositories, such as GitHub. Furthermore, new RATs, including DiscordRAT 2.0, have recently emerged, according to researchers.
Notably, 80% of the threats observed during the quarter arrived by email. Some experienced cybercriminals are also now turning their RAT campaigns on novice attackers themselves.
The Rise of Parallax
The HP report highlights that the Parallax RAT has catapulted from the 46th most favored payload in the second quarter of 2023 to the seventh spot in the subsequent quarter. According to Holland, this represents a substantial upswing in attackers exploiting this file format for malware distribution.
In one instance, researchers detected a Parallax RAT campaign employing a “Jekyll and Hyde” tactic, where two concurrent threads execute when a user opens a scanned invoice template. One thread opens the file as expected, while the other clandestinely runs malware in the background, rendering it challenging for users to discern an ongoing attack, as described in the report.
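The report describes Excel invoices that carry a DLL and run it when the document opens. Modern Office files are zip containers, so a gateway can cheaply check whether any member of the archive is actually a PE image, whatever its name or location inside the document. The scanner below is an added example, not HP's or the report's code; the MZ/PE header check, the member-size cap and the in-memory xlsx-shaped samples (with a constructed, non-functional PE stand-in) are this example's own assumptions.

```python
"""Added example: flag OOXML (Excel/PowerPoint/Word) attachments that carry an embedded PE image.

Assumptions (not from the report): the scanner runs on raw attachment bytes, e.g. at a mail
gateway, and the sample files below are constructed in-memory stand-ins, not real malware.
"""
import io
import struct
import zipfile

MAX_MEMBER_READ = 1 << 20  # read at most 1 MiB per zip member (limits zip-bomb exposure)


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_ooxml(blob: bytes) -> dict:
    """Open an OOXML document as the zip it is and report members that are really PE images."""
    report = {"is_ooxml": False, "pe_members": [], "verdict": "not-ooxml"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return report
    names = zf.namelist()
    report["is_ooxml"] = "[Content_Types].xml" in names
    if not report["is_ooxml"]:
        return report
    for name in names:
        with zf.open(name) as member:
            head = member.read(MAX_MEMBER_READ)
        if is_pe_image(head):
            report["pe_members"].append(name)
    report["verdict"] = "suspicious" if report["pe_members"] else "clean"
    return report


def _fake_pe() -> bytes:
    """Constructed stand-in for a DLL: valid DOS/PE headers, no sections, no code."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def _build_xlsx(with_payload: bool) -> bytes:
    """Build a minimal xlsx-shaped zip; optionally tuck a PE image into xl/embeddings/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_payload:
            zf.writestr("xl/embeddings/oleObject1.bin", _fake_pe())
    return buf.getvalue()


BENIGN_XLSX = _build_xlsx(with_payload=False)       # constructed sample
SUSPICIOUS_XLSX = _build_xlsx(with_payload=True)    # constructed sample

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_XLSX), ("suspicious", SUSPICIOUS_XLSX)):
        print(label, scan_ooxml(blob))
```

The check keys on file content rather than on member names, because an embedded DLL need not be called `.dll` and need not live under `xl/embeddings/`. Legacy binary formats (`.xls`, `.ppt`) are OLE2 compound files rather than zips and would need a separate parser such as olefile, which this example does not cover.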
Notably, Parallax RAT had previously been linked to various malware campaigns at the outset of the pandemic, as detailed in a March 2020 blog post by Arnold Osipov, a malware researcher at Morphisec. Osipov affirmed its capabilities to bypass advanced detection solutions, steal credentials, and execute remote commands.
Osipov, speaking to Dark Reading, acknowledged that he had not witnessed the specific surge in Parallax attacks reported by HP. Nevertheless, he noted that RATs, in general, have posed an increasing threat in 2023.
RATs on the Rampage
Multiple spikes in RAT activity include an incident in July when Check Point Research highlighted a rise in Microsoft Office files harboring the Remcos RAT, first identified in 2016. Many of these malicious files were discovered on counterfeit websites crafted by threat actors.
Another RAT-based campaign gaining momentum is Houdini, which conceals Vjw0rm JavaScript malware. Houdini is a decade-old VBScript-based RAT that is now readily obtainable on hacking forums, abusing the operating system's built-in scripting support.
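Houdini and Vjw0rm both ride on scripts that the Windows Script Host runs directly, so a first line of defence is to triage inbound attachments for script-host file types, including ones hidden behind a double extension or inside a zip. The triage routine below is an added example, not code from HP, Morphisec or the report; the extension list, the recursion limit and the content patterns are this example's own heuristics, and the attachments it inspects are constructed stand-ins, not captured malware.

```python
"""Added example: triage e-mail attachments for Windows Script Host payloads (VBScript/JScript).

Assumptions (not from the report): the extension list and content patterns are this example's
own heuristics; every attachment below is a constructed stand-in, not real malware.
"""
import io
import re
import zipfile

# Extensions that wscript/cscript or mshta will execute on double-click.
SCRIPT_HOST_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTS = {".zip"}
MAX_DEPTH = 3  # do not recurse into nested archives forever

# Lightweight content indicators of a script driving the host's automation objects.
WSH_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"WScript\.Shell", r"CreateObject\s*\(",
              r"ActiveXObject\s*\(", r"Scripting\.FileSystemObject")
]


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    base = _basename(path)
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return findings as dicts with 'path' and 'reason'; an empty list means nothing flagged."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_HOST_EXTS:
        reasons = ["script-host extension " + ext]
        if _basename(filename).count(".") > 1:
            reasons.append("double extension")  # e.g. scan_invoice.pdf.vbs
        text = data.decode("utf-8", errors="ignore")
        hits = [p.pattern for p in WSH_PATTERNS if p.search(text)]
        if hits:
            reasons.append("automation objects: " + ", ".join(hits))
        findings.append({"path": filename, "reason": "; ".join(reasons)})
    elif ext in ARCHIVE_EXTS and depth < MAX_DEPTH:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return findings
        for name in zf.namelist():
            findings.extend(triage_attachment(f"{filename}/{name}", zf.read(name), depth + 1))
    return findings


def _build_samples() -> dict:
    """Constructed attachments: a double-extension VBScript, a zip holding a JScript, a benign file."""
    vbs = b"' constructed sample, does nothing useful\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n"
    js = b"// constructed sample\nvar fso = new ActiveXObject('Scripting.FileSystemObject');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.js", js)
        zf.writestr("readme.txt", "plain text, nothing to see")
    return {
        "scan_invoice.pdf.vbs": vbs,
        "archive.zip": buf.getvalue(),
        "quarterly.xlsx": b"PK\x03\x04 not a real workbook, just bytes",
    }


SAMPLES = _build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob))
```

Pairing the extension check with the content patterns keeps the rule useful after the first renaming trick: a `.vbs` with no automation objects is still flagged on its extension, and the zip case shows why the gateway must look inside containers rather than only at the outer filename.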
Threats stemming from Houdini and Parallax may dwindle with Microsoft’s plan to deprecate VBScript. Microsoft recently announced that VBScript will be available in future Windows releases only on request and will eventually be phased out. However, Holland cautioned that while this is favorable news for defenders, attackers will adapt and turn their attention to alternative methods.
Holland anticipates a shift towards formats that will remain supported on Windows, such as PowerShell and Bash, and also expects attackers to develop new obfuscation techniques in these scripting languages to circumvent endpoint security.