Escanor RAT Malware Deployed Via Microsoft Office and PDF Documents

Written by

A new remote administration tool (RAT) weaponizing Microsoft Office and Adobe PDF documents to deliver malicious code was spotted in dark web forums and Telegram channels.

The malware was discovered by security researchers at Resecurity over the weekend and dubbed Escanor in an advisory published on Sunday, August 21, 2022.

“The threat actors offer Android-based and PC-based versions of RAT, along with a hidden virtual network computing (HVNC) module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code,” reads the document.

According to the Resecurity team, the RAT was first released for sale on January 26, 2022. Initially designed as an HVNC implant, the malware simply allowed attackers to set up a silent remote connection to the victim’s computer. The tool later evolved into a full-scale commercial RAT with a rich feature set. 

“Escanor has built a credible reputation in dark web, and attracted over 28,000 subscribers on the Telegram channel,” Resecurity wrote.

“In the past, the actor with the exact same moniker released ‘cracked’ versions of other dark web tools, including Venom RAT, and Pandora HVNC which were likely used to enrich further functionality of Escanor.”

As for the mobile version of Escanor (dubbed ‘Esca RAT’), the malware is reportedly actively used by cyber-criminals to attack online-banking customers by interception of one-time password (OTP) codes.

“The tool can be used to collect GPS coordinates of the victim, monitor keystrokes, activate hidden cameras and browse files on the remote mobile devices to steal data,” reads the advisory.

Further, Resecurity warned that the domain name used by Escanor had been previously identified in connection to Arid Viper, a group active within the Middle Eastern region in 2015 and known to mainly target Israeli military assets.

As for Escanor, the majority of its victims were identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico and Singapore with some infections spotted in South-East Asia.

What’s hot on Infosecurity Magazine?