FortiGuard Labs identified a phishing campaign targeting Japanese users that deploys a multi-stage Remote Access Trojan called MostereRAT, which leverages Easy Programming Language (EPL), service and scheduled task persistence, and deployment of legitimate remote-access tools to achieve full system control. The malware uses advanced evasion including AV/EDR traffic blocking via Windows Filtering Platform, running as TrustedInstaller, and mTLS-protected C2 communications. #MostereRAT #EPL
Key points
- Phishing emails lure Japanese users to download a Word document that contains an embedded ZIP archive and a single instruction to run the contained executable.
- The initial executable (document.exe) decrypts bundled tools with a simple SUB operation and places components under C:\ProgramData\Windows before creating stealthy services and scheduled tasks for persistence.
- One stage of the malware is written in Easy Programming Language (EPL) and uses EPK files and an EPK launcher (krnln.fnr) to load modules in memory.
- MostereRAT can escalate to TrustedInstaller by duplicating tokens (SeDebugPrivilege) and launching processes with full system privileges (code reused from NSudo).
- The malware contains lists of AV product paths and names, creates WFP filters to block security product network traffic, and explicitly terminates or disables Windows update/security services and files.
- Command-and-control supports HTTP ports 9001/9002 for upgrades and mTLS over TCP port 8000 for a rich C2 protocol with a magic number, versioning, and up to 37 commands to run EPK/DLL/EXE/shellcode, deploy AnyDesk/TightVNC/Xray, and manage users and RDP settings.
- IOCs include numerous C2 domains and a long SHA-256 file hash; Fortinet detections and protections (FortiGuard AV, CDR, IP Reputation, FortiGate/FortiClient/FortiEDR) block the threat.
MITRE Techniques
- [T1566] Phishing - Initial access via phishing emails crafted for Japanese users to click malicious links and download an infected Word document ("phishing emails designed to lure Japanese users into clicking on malicious links").
- [T1204] User Execution - Victim instructed to open the embedded archive and run the contained file ("open an embedded archive and run the only file it contains").
- [T1105] Ingress Tool Transfer - Downloads additional payloads from C2 (ports 9001/9002) and via libcurl from specified URLs ("downloaded payload is verified using a SHA-256 hash before the new version is executed").
- [T1543] Create or Modify System Process - Creates services like "WpnCoreSvc" and "WinSvc_" using a custom RPC client that interacts with the SCM, bypassing standard APIs ("CreateSvcRpc… communicates with the ntsvcs named pipe to interact with the Windows Service Control Manager… resulting service runs with SYSTEM-level privileges").
- [T1053] Scheduled Task - Registers scheduled jobs "\Microsoft\Windows\winrshost" and "\Microsoft\Windows\winresume" for persistence ("XML file defining the scheduled jobs is loaded from resources. It registers the jobs…").
- [T1086] PowerShell / Scripting - Uses the EPL runtime and EPK launcher to execute compiled EPL modules and calls exported functions like getVersion ("execution starts by obtaining command-line arguments… LoadEPKFromCmdLine in krnln.fnr").
- [T1134] Access Token Manipulation - Enables SeDebugPrivilege, duplicates SYSTEM and TrustedInstaller tokens, and launches processes as TrustedInstaller ("enables SeDebugPrivilege and duplicates its own process token… then starts the TrustedInstaller service and duplicates its token").
- [T1499] Endpoint Denial of Service / Disable Security Tools - Terminates security processes, stops services, deletes system files, and removes scheduled tasks to disable Windows security features ("terminates processes such as 'SecurityHealthService.exe'… deletes 'WaaSMedicSvc.dll' and 'wuaueng.dll'").
- [T1573] Encrypted Channel / T1573.001 (mTLS) - Uses mutual TLS with an embedded client key/cert and CA cert for C2 communication ("communication is secured through mutual TLS (mTLS), utilizing an embedded client key, client certificate, and CA certificate").
- [T1090] Proxy - Deploys and runs remote access/proxy tools (AnyDesk, Xray, TightVNC) to enable attacker control ("Load configuration from resources and launch TightVNC, Xray… launch AnyDesk").
- [T1106] Native API - Bypasses standard service creation APIs using a custom RPC client that uses the ntsvcs named pipe ("CreateSvcRpc… directly communicates with the ntsvcs named pipe… bypassing standard APIs such as OpenSCManager, CreateService").
- [T1497] Virtualization/Sandbox Evasion - Uses the EPL compiled format, in-memory loading, and custom launchers to hide behavior and evade analysis ("EPK launcher… module is then loaded into memory and its exported function 'getVersion' is called").
- [T1027] Obfuscated Files or Information - Encrypts the bundled toolset and modules using a SUB operation before decryption at runtime ("data is decrypted using a simple SUB operation with the key value of 'A'").
- [T1071] Application Layer Protocol - C2 uses HTTP on custom ports (9001/9002) for configuration and payload retrieval ("http://{C2 Domain}:9001/9001.conf http://{C2 Domain}:9002/9002.conf").
Indicators of Compromise
- [Domain] C2 and malicious download domains used in the campaign - www.efu66.comm, mostere.com, huanyu3333.com (and several other obfuscated/concatenated domains listed in the article).
- [File Hash] Payload SHA-256 - d281e41521ea88f9… (full SHA-256 hash provided in the article).
- [File Name] Suspicious file names used by stages - document.exe (initial drop), svchost.exe (malicious EPK), svchost.db, maindll.db, elsedll.db.
- [Registry] Persistence/hiding artifacts - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList entry "V" added to hide the created admin account.
- [Service/Task] Created persistence artifacts - Services "WpnCoreSvc" and "WinSvc_", and scheduled tasks "\Microsoft\Windows\winrshost" and "\Microsoft\Windows\winresume".
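A hunting rule set for the persistence and hiding artifacts listed above (the service names, scheduled task paths, the SpecialAccounts\UserList value and the C:\ProgramData\Windows drop directory), as an added example that is not from the FortiGuard article. The event records are constructed and simplified; the field names (ServiceName, TaskName, TargetObject, Image, TargetFilename) are borrowed from the Windows System/Security logs and Sysmon and are an assumption, not something the page specifies.

```python
"""Hunting rules for MostereRAT persistence/hiding artifacts over constructed
Windows event records (simplified dicts, not parsed from real logs)."""
import re
from typing import Callable, Iterable

SERVICE_NAMES = {"WpnCoreSvc"}            # the "WinSvc_" prefix is handled separately
TASK_NAMES = {r"\Microsoft\Windows\winrshost", r"\Microsoft\Windows\winresume"}
STAGE_FILES = {"svchost.db", "maindll.db", "elsedll.db"}
DROP_DIR = r"c:\programdata\windows"
USERLIST_RE = re.compile(r"\\winlogon\\specialaccounts\\userlist\\v$", re.IGNORECASE)

def svc_rule(ev: dict) -> bool:
    # System log 7045 (service installed) with a name the report attributes to the RAT
    name = ev.get("ServiceName", "")
    return ev["EventID"] == 7045 and (name in SERVICE_NAMES or name.startswith("WinSvc_"))

def task_rule(ev: dict) -> bool:
    # Security log 4698 (scheduled task created) for the two task paths from the report
    return ev["EventID"] == 4698 and ev.get("TaskName", "") in TASK_NAMES

def hidden_account_rule(ev: dict) -> bool:
    # Sysmon 13 (registry value set): a value under SpecialAccounts\UserList hides a local account
    return ev["EventID"] == 13 and bool(USERLIST_RE.search(ev.get("TargetObject", "")))

def staging_rule(ev: dict) -> bool:
    # Process start (Sysmon 1) or file write (Sysmon 11) inside the drop directory:
    # svchost.exe outside System32, or one of the encrypted stage files
    path = ev.get("Image", ev.get("TargetFilename", "")).lower()
    if not path.startswith(DROP_DIR + "\\"):
        return False
    basename = path.rsplit("\\", 1)[-1]
    return basename == "svchost.exe" or basename in STAGE_FILES

RULES: dict[str, Callable[[dict], bool]] = {
    "service": svc_rule, "task": task_rule,
    "hidden_account": hidden_account_rule, "staging": staging_rule,
}

def hunt(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every record a rule fires on."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    {"EventID": 7045, "ServiceName": "WpnCoreSvc", "ImagePath": r"C:\ProgramData\Windows\svchost.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\winresume"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\V"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Windows\maindll.db"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The legitimate Spooler service and the real System32 svchost.exe in the sample are there to show the rules stay quiet on benign records.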