Recently, the website “Hoax Slayer” pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve.
The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In actual, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A.
Based on our analysis, this backdoor connects to {BLOCKED}s117.no-ip.org, which resolved to {BLOCKED}.{BLOCKED}.13.114 (but currently resolves to {BLOCKED}{BLOCKED}.116.223). It remains unclear who is behind the attack and what the motivation may be.
The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00. However, there are many forum posts complaining that the said RAT is overpriced. There are also free cracked versions available for download from a variety of sources.
Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT.
Previously, Trend Micro has reported attacks that lead to RATs such as Xtreme RAT, which targeted various government institutions, JACKSBOT, Nitro, and PlugX among others.
Trend Micro protects users from this threat via the Smart Protection Network™ that detects the said malware.
