Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT

In early April 2026, eSentire TRU documented a legal-industry intrusion that used Microsoft Teams vishing, Quick Assist, and a Java-based implant tracked as Nimbus RAT to gain access in under 20 minutes. The campaign relied on throwaway Microsoft 365 tenants, compromised SharePoint staging, Pastebin instructions, and Google Drive/Google Sheets C2, with activity linked to BlackSuit, Black Basta-derived crews, Storm-1811, and 3AM. #NimbusRAT #BlackSuit #BlackBasta #Storm1811 #3AM #MicrosoftTeams #QuickAssist #SharePoint #GoogleDrive #GoogleSheets

Keypoints

  • eSentire TRU identified a targeted intrusion against a legal-sector customer in early April 2026.
  • The attack chain used mailbox bombing, Microsoft Teams vishing, and Quick Assist to obtain remote access.
  • Nimbus RAT was deployed as the main payload and was previously associated with BlackSuit affiliate activity after the Black Basta split.
  • The intrusion moved from initial contact to RAT execution in less than 20 minutes during the observed incident.
  • TRU observed 1,540 suspicious external Microsoft Teams events across 172 customer environments over about a year.
  • Throwaway Microsoft 365 tenants and freshly registered .top domains were heavily used as delivery infrastructure.
  • Nimbus RAT used Google Drive and Google Sheets for command-and-control, bundled its own Java runtime, and supported credential theft, file operations, screenshots, and in-memory code execution.

MITRE Techniques

  • [T1598.002 ] Phishing for Information: Spearphishing Voice – The actors used Microsoft Teams vishing to impersonate IT support and trick the victim into granting access (‘an actor-controlled Microsoft Teams account posing as IT helpdesk reached out to the user offering assistance’).
  • [No dedicated ATT&CK ID ] Email Bombing / Mailbox Flooding – The victim’s mailbox was flooded with subscription emails to manufacture urgency and a believable helpdesk pretext for the Teams call (‘the mailbox received 282 emails in 90 minutes’). T1114.001 (Email Collection: Local Email Collection) does not describe this step.
  • [T1219 ] Remote Access Software – The victim was walked through launching Quick Assist to provide remote control to the attacker (‘the user was walked through launching Quick Assist’).
  • [T1105 ] Ingress Tool Transfer – The payload was downloaded from a compromised Microsoft 365 tenant and extracted locally (‘the threat actor deployed a payload from a compromised Microsoft 365 tenant’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The operator ran reconnaissance and other actions through cmd.exe (‘executed LOLBins for reconnaissance purposes via Command Prompt’).
  • [T1059 ] Command and Scripting Interpreter – Nimbus RAT is a Java-based implant executed as a JAR by javaw.exe (‘javaw.exe executes InboxCorePro.jar – Nimbus RAT active’). ATT&CK has no Java sub-technique; T1059.006 is Python and T1059.007 is JavaScript.
  • [T1106 ] Native API – The implant invoked Windows APIs through JNA, including real credential prompts and system enumeration (‘invoke the real Windows CredUIPromptForCredentialsW API directly via JNA’).
  • [T1056.002 ] GUI Input Capture – The malware displayed fake or real credential prompts to capture user credentials (‘a Java Swing imitation of the Windows Security credential prompt’).
  • [T1219 ] Remote Access Software – The user launched Quick Assist from Windows Explorer and granted the operator interactive control of the host (‘the user launched Quick Assist from Windows Explorer’). T1021 Remote Services covers lateral movement with valid accounts over protocols such as RDP or SMB and does not fit a user-approved screen-sharing session.
  • [T1112 ] Modify Registry – Persistence was staged through a registry import file and registry operations (‘pre-staged a registry import file’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was established through a launcher placed in the Startup folder (‘they placed a launcher in the Startup folder’). T1053.005 is Scheduled Task and does not apply.
  • [T1102.001 / T1102.002 ] Web Service: Dead Drop Resolver / Bidirectional Communication – Pastebin served as a dead drop for operator instructions, while Google Drive and Google Sheets carried the two-way tasking and response channel (‘Google Drive and Google Sheets for command-and-control’).
  • [T1027 ] Obfuscated Files or Information – The malware used randomized package names and encrypted configuration/traffic to hinder analysis (‘randomized nonsense English words as a deliberate obfuscation layer’).
  • [T1105 ] Ingress Tool Transfer – The actor used Pastebin-linked instructions to direct payload download and staging (‘The Pastebin pointed to a ZIP archive named InboxCorePro.zip’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – C2 traffic blended into normal Google API traffic over Google Drive and Google Sheets (‘all network traffic appear as legitimate Google API calls’).
  • [T1573.002 ] Encrypted Channel: Asymmetric Cryptography – All C2 traffic was RSA-encrypted with a hardcoded 4096-bit public key (‘All C2 traffic is RSA-encrypted using a hardcoded 4096-bit public key’). The embedded key is useful for clustering samples, but it does not let a defender decrypt captured traffic.
  • [T1059 ] Command and Scripting Interpreter (with T1027.004 Obfuscated Files or Information: Compile After Delivery) – The implant compiled and ran attacker-supplied Java source in memory, so the executed code never exists as a file on disk (‘in-memory Java compile and run’).
  • [T1567.002 ] Exfiltration Over Web Service: Exfiltration to Cloud Storage – A second-stage tool and its configuration were recovered from the threat actor’s Google Drive and were set up for exfiltration (‘a configuration file recovered from the threat actor’s Drive’). This is an exfiltration step rather than T1105 ingress; the page does not name the final exfiltration destination, so the cloud-storage sub-technique is the closest fit.

Indicators of Compromise

  • [Domains / URLs ] Malicious instruction/payload delivery and sender infrastructure – pastebin[.]com/G6jA0PLU (instruction dead drop), a compromised tenant’s -my[.]sharepoint.com host (payload staging), and several freshly registered .top domains such as system-clean[.]top and scanseq[.]top
  • [File names ] Delivered archive, payload, and registry file – InboxCorePro.zip, InboxCorePro.jar, InboxCorePro.reg, and license.txt
  • [SHA-256 hashes ] Recovered archive, JAR payload, and bundled Java runtime – 9E5B1E10AD6904D3F5B48D38470CD57263974640A27D13CF793EF026D3D6B886, 91E523A46F3BB860AC2E5800B7E1EC89D75A2408410B9CD25EEBC17C8D7A92BC, and 99813F3D0625E880158C68039C0E2FBF488DB0BE3DB77CD1CE6D382644193F0E
  • [Campaign UUID / identifiers ] Nimbus RAT configuration and C2 naming – 1hc1his4gmto0q1, entry_{campaignUUID}, exit_{campaignUUID}, and newconfig_
  • [Email / account artifacts ] Payload staging and compromise context – arturolopez@[.]com, BackupBOX, and a victim email-address-named 1.13 GB ZIP archive
  • [Paths ] Host and persistence locations – C:\ProgramData\InboxCorePro, %TEMP%\java_app.lock, and the Startup folder path used for launcher persistence
  • [IP addresses / source infrastructure ] Hosting-provider source infrastructure used for Teams delivery – multiple datacenter-hosted source IPs and repeated ASN-based infrastructure, including NKtelecom INC, GTHost, M247 Europe SRL, tzulo inc., and others
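The attack chain in the MITRE list and the indicators above can be turned into a hunt over process and file telemetry. The following Python is an added example, not eSentire’s or the page’s code. It assumes a Sysmon/EDR-like event schema (fields ts, host, event, image, cmdline, target, sha256), takes the hashes, file names, host paths and Drive/Sheets naming pattern from the IoC list, and runs over constructed sample events whose exact paths, the Quick Assist binary location and the launcher name are assumptions. It flags the three things a responder wants at once: static IoC matches, a JAR launched by a java/javaw binary that is not an installed JRE under Program Files (Nimbus RAT bundles its own runtime), and the Quick Assist-to-RAT sequence on a single host inside the page’s 20-minute window.

```python
# Hunt helper for the Nimbus RAT delivery chain summarised on this page.
# Added example with an assumed Sysmon/EDR-like event schema; sample events are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the IoC section of this page.
NIMBUS_SHA256 = {
    "9E5B1E10AD6904D3F5B48D38470CD57263974640A27D13CF793EF026D3D6B886",
    "91E523A46F3BB860AC2E5800B7E1EC89D75A2408410B9CD25EEBC17C8D7A92BC",
    "99813F3D0625E880158C68039C0E2FBF488DB0BE3DB77CD1CE6D382644193F0E",
}
NIMBUS_FILES = {"inboxcorepro.zip", "inboxcorepro.jar", "inboxcorepro.reg"}
NIMBUS_PATHS = (r"c:\programdata\inboxcorepro", r"\java_app.lock")
# Drive/Sheets object names used for C2; the campaign UUID part varies per campaign.
C2_NAME_RE = re.compile(r"^(entry|exit)_[0-9a-z]+$|^newconfig_", re.I)

CHAIN_WINDOW = timedelta(minutes=20)  # page: contact to RAT execution in under 20 minutes
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"  # per-user Startup folder
JAR_RE = re.compile(r'-jar\s+"?([^"\s]+\.jar)', re.I)
TRUSTED_JAVA = ("c:\\program files\\", "c:\\program files (x86)\\")  # installed JRE/JDK locations

def _basenames(ev):
    """File names seen in the image, the target and every command-line token."""
    parts = [ev.get("image", ""), ev.get("target", "")]
    parts += ev.get("cmdline", "").replace('"', "").split()
    return {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in parts if p}

def ioc_hits(ev):
    """Static matches against the page's hashes, file names and host paths."""
    hits = []
    if ev.get("sha256", "").upper() in NIMBUS_SHA256:
        hits.append("known Nimbus RAT hash")
    for name in sorted(_basenames(ev) & NIMBUS_FILES):
        hits.append(f"known file name {name}")
    blob = " ".join(ev.get(k, "") for k in ("image", "cmdline", "target")).lower()
    if any(p in blob for p in NIMBUS_PATHS):
        hits.append("known host path")
    return hits

def bundled_jar_launch(ev):
    """Return the JAR path when java/javaw runs a JAR from a runtime that is not an
    installed JRE under Program Files (Nimbus RAT ships its own runtime), else None."""
    img = ev.get("image", "").lower()
    if not (img.endswith("\\javaw.exe") or img.endswith("\\java.exe")):
        return None
    m = JAR_RE.search(ev.get("cmdline", ""))
    if m is None or img.startswith(TRUSTED_JAVA):
        return None
    return m.group(1)

def startup_launcher_write(ev):
    """A file written into a user's Startup folder (the page's persistence step)."""
    return ev.get("event") == "file_create" and STARTUP_DIR in ev.get("target", "").lower()

def is_c2_object_name(name):
    """True for Drive/Sheets object names shaped like the page's C2 naming."""
    return C2_NAME_RE.match(name) is not None

def triage(events):
    """Per-event findings as (host, ISO timestamp, list of reasons)."""
    findings = []
    for ev in events:
        reasons = ioc_hits(ev)
        jar = bundled_jar_launch(ev)
        if jar:
            reasons.append(f"JAR launched by non-installed runtime: {jar}")
        if startup_launcher_write(ev):
            reasons.append("launcher written to Startup folder")
        if reasons:
            findings.append((ev["host"], ev["ts"].isoformat(), reasons))
    return findings

def find_chains(events):
    """Quick Assist followed within CHAIN_WINDOW by a bundled-runtime JAR launch on the
    same host. Returns (host, jar path, seconds after the Quick Assist launch)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        qa_times = [e["ts"] for e in evs if e.get("image", "").lower().endswith("\\quickassist.exe")]
        for e in evs:
            jar = bundled_jar_launch(e)
            if jar is None:
                continue
            for t in qa_times:
                if timedelta(0) <= e["ts"] - t <= CHAIN_WINDOW:
                    alerts.append((host, jar, int((e["ts"] - t).total_seconds())))
                    break
    return alerts

# Constructed sample telemetry following the page's chain. Paths, the Quick Assist
# location and the .lnk name are assumptions; the hash is the page's JAR hash.
T0 = datetime(2026, 4, 6, 14, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "WS-LEGAL-07", "event": "process",
     "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": T0 + timedelta(minutes=9), "host": "WS-LEGAL-07", "event": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe import C:\ProgramData\InboxCorePro\InboxCorePro.reg"},
    {"ts": T0 + timedelta(minutes=10), "host": "WS-LEGAL-07", "event": "file_create",
     "target": r"C:\ProgramData\InboxCorePro\InboxCorePro.jar",
     "sha256": "91e523a46f3bb860ac2e5800b7e1ec89d75a2408410b9cd25eebc17c8d7a92bc"},
    {"ts": T0 + timedelta(minutes=11), "host": "WS-LEGAL-07", "event": "file_create",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InboxCorePro.lnk"},
    {"ts": T0 + timedelta(minutes=12), "host": "WS-LEGAL-07", "event": "process",
     "image": r"C:\ProgramData\InboxCorePro\jre\bin\javaw.exe",
     "cmdline": r'"C:\ProgramData\InboxCorePro\jre\bin\javaw.exe" -jar "C:\ProgramData\InboxCorePro\InboxCorePro.jar"'},
    # Benign control: an installed JDK running a build tool on another host.
    {"ts": T0 + timedelta(minutes=30), "host": "WS-DEV-02", "event": "process",
     "image": r"C:\Program Files\Java\jdk-21\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\tools\build.jar"},
]
```

On the sample set, `triage` flags the four staging and execution events on WS-LEGAL-07 and leaves the installed-JDK build on WS-DEV-02 alone, and `find_chains` returns the single Quick Assist-to-JAR sequence at 720 seconds. The runtime-location check is the part worth keeping after the named IoCs rot: the hashes and the InboxCorePro name will change, but a JAR run by a java binary that no package manager installed is a durable signal on a fleet where Java is not deployed that way.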


Read more: https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat