Malware 'Meal Kits' Serve Up No-Fuss RAT Attacks

The wider availability of turnkey cyberattack kits in the criminal underground is leading to a glut of campaigns using remote access Trojans (RATs).

3 Min Read
Truncated Rainbow Above a Parallax Field
Source: RGB Ventures/SuperStock via Alamy Stock Photo

A rise in the availability of malware "meal kits" for less than $100 is fueling a surge in campaigns using remote access Trojans (RATs), which are often embedded in seemingly legitimate Excel and PowerPoint files attached to emails.

That's according to HP Wolf Security, which published its "Q3 2023 Threat Insights Report" today, observing a significant spike in Excel files with DLLs infected with the Parallax RAT. The files appear to recipients as legitimate in invoices, which, when clicked, launch the malware, according to HP senior malware analyst Alex Holland. Parallax RAT malware kits are available for $65 a month on hacking forums, he adds.

Cybercriminals have also targeted aspiring attackers with malware kits such as XWorm, hosted in seemingly legitimate repositories such as GitHub, according to HP's report. Others, such as those featuring the new DiscordRAT 2.0, have also recently emerged, according to researchers.

Holland emphasized that 80% of the threats that it saw in its telemetry during the quarter were email-based. And in an interesting wrinkle, some cybercriminals appear to be going after their own, with savvy attackers targeting inexperienced ones in some RAT campaigns.

Parallax Rising

According to the HP report, Parallax RAT jumped from the 46th most popular payload in the second quarter of 2023 to seventh in the following quarter. "That's a really big spike in attackers using this file format to deliver their malware," Holland says.

For instance, researchers spotted one Parallax RAT campaign running a "Jekyll and Hyde" attack: "Two threads run when a user opens a scanned invoice template. One thread opens the file, while the other runs malware behind the scenes, making it harder for users to tell an attack is in progress," according to the report.

Parallax was previously associated with various malware campaigns during the outset of the pandemic, according to a March 2020 blog post by Arnold Osipov, a malware researcher at Morphisec. "It is capable of bypassing advanced detection solutions, stealing credentials, executing remote command," Osipov wrote at the time.

Osipov tells Dark Reading now that he hasn't seen the specific rise in attacks using Parallax that HP is reporting, but that overall, RATs have become a growing threat in 2023.

RATs Infest the Cyberattack Scene

Various upticks in RAT activity include one in July, when Check Point Research pointed to an increase in Microsoft Office files infected with a RAT known as Remcos, which first appeared in 2016. Many of these malicious files have appeared on fake websites created by the threat actors. 

Another RAT-based campaign that’s on the rise that HP underscored is Houdini, which conceals Vjw0rm JavaScript malware. Houdini is a 10-year-old VBScript-based RAT now easily attainable in hacking forms that exploit OS-based scripting features. 

It's worth noting that the threats from Houdini and Parallax may be short-lived now that Microsoft plans to deprecate VBScript. Microsoft announced earlier this month that VBScript will only be available in future releases of Windows, will only be available on demand, and ultimately will no longer be available. 

However, while Holland says that while that's good news for defenders, attackers will move on to something else.

"What we expect in the future is that attackers will switch from VBScript malware, and possibly even JavaScript malware, to formats that will continue to be supported on Windows — things like PowerShell and Bash," he says. "And we also expect that attackers will focus more on using interesting or novel obfuscation techniques to bypass endpoint security using these coding languages."

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights