Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware

A new, multi-stage email campaign distributes Ratty RAT via phishing emails that abuse legitimate email services and file-sharing platforms. It uses evasion techniques such as geolocation filtering and Ngrok tunnels, and targets primarily Windows users with Java installed. (Affected: Windows, Linux, macOS, email users, organizations in Spain, Italy, Portugal)

Key points:

  • The campaign targets Windows primarily, but also Linux and macOS if Java is installed.
  • Emails are sent using the legitimate Spanish email service, serviciodecorreo.es, bypassing SPF checks.
  • Phishing emails contain a PDF attachment posing as an invoice, using social engineering to prompt user action.
  • The PDF directs victims to download an HTML file hosting the attack’s next stage via Dropbox.
  • The HTML file uses CAPTCHA-like validation and redirects to Ngrok-generated URLs for obfuscated tunneling.
  • Ngrok URLs employ geo-filtering: only users from Italy are served the malicious JAR payload.
  • The malicious JAR file contains Ratty RAT, a Java-based Remote Access Trojan allowing full remote control.
  • Attackers abuse legitimate file-sharing services (MediaFire, Google Drive, Dropbox) to evade detection.
  • Fortinet products like FortiGate, FortiMail, and FortiSandbox provide multi-layered detection and mitigation.
  • Recommendations include keeping AV updated, user security awareness training, and phishing simulations to reduce risk.

MITRE Techniques:

  • Spearphishing Attachment (T1566.001) – Malicious PDF attachment used for initial compromise via email.
  • User Execution (T1204) – Victims tricked into clicking links and executing the malicious JAR file.
  • Download Remote Files (T1105) – Use of Dropbox, MediaFire, and Ngrok to host and deliver malware.
  • Obfuscated Files or Information (T1027) – Use of Ngrok tunnels and geo-fencing to evade detection.
  • Valid Accounts (T1078) – Abuse of legitimate email service authorized by SPF to bypass filters.
  • Remote Access Tools (T1219) – Ratty RAT providing remote control capabilities.
  • Credential Dumping (T1003) – RAT capabilities include keylogging and credential theft.
  • Command and Control (T1071) – Ngrok used to create hidden C2 communication channels.
  • Masquerading (T1036) – Naming conventions and legitimate platforms used to disguise malware and phishing links.
  • Phishing (T1566) – Social engineering via fake invoices to deceive users.

Indicators of Compromise:

  • The article identifies IP addresses used for C2 communication, including 143.47.53.106 and 199.232.214.172.
  • Domains like jw8ndw9ev[.]localto[.]net and l5ugb6qxh[.]localto[.]net are mentioned as part of the infrastructure.
  • The SHA256 hash of the malicious JAR file is provided, useful for antivirus detection and forensic analysis.
  • URLs from trusted file-sharing services (Dropbox, MediaFire, Google Drive) act as download vectors for malware.
  • Use of Ngrok-generated URLs for obfuscated phishing links is a key behavioral IOC.
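As an added example (not code from the Fortinet article or from this summary), the script below refangs the indicators listed above and sweeps them, together with a behavioural rule for tunnelling-service hostnames and for JAR downloads served through such tunnels, over a few constructed proxy-log lines. The two C2 IPs and the two localto[.]net domains are the ones this summary lists; the log format, the Ngrok hostname suffixes, the sample client and destination IPs, and the file name are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the summary above (defanged as published).
IOC_IPS = {"143.47.53.106", "199.232.214.172"}
IOC_DOMAINS_DEFANGED = {"jw8ndw9ev[.]localto[.]net", "l5ugb6qxh[.]localto[.]net"}

# Behavioural rule: hostnames of tunnelling services. The Ngrok suffixes are an
# assumption for this example; localto.net comes from the summary's IOC list.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".localto.net")


def refang(indicator: str) -> str:
    """Turn the defanged report form ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <dest_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$"
)


@dataclass
class Hit:
    line_no: int
    reason: str
    value: str


def scan(lines):
    """Return one Hit per matched rule, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        dst = m["dst"]

        if dst in IOC_IPS:
            hits.append(Hit(n, "c2-ip", dst))

        is_tunnel = host.endswith(TUNNEL_SUFFIXES)
        if host in IOC_DOMAINS:
            hits.append(Hit(n, "ioc-domain", host))
        elif is_tunnel:
            hits.append(Hit(n, "tunnel-host", host))

        # Strongest behavioural signal from the campaign: a JAR fetched through a tunnel.
        if parsed.path.lower().endswith(".jar") and (host in IOC_DOMAINS or is_tunnel):
            hits.append(Hit(n, "jar-via-tunnel", m["url"]))
    return hits


def summarize(hits):
    """Count hits per reason, for a quick triage view."""
    return dict(Counter(h.reason for h in hits))


# Constructed sample log; non-IOC addresses use TEST-NET ranges, file names are invented.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://www.dropbox.com/s/EXAMPLE/invoice.html?dl=1 198.51.100.10",
    "2024-01-01T10:00:07Z 10.0.0.5 GET https://abcd1234.ngrok-free.app/verify 198.51.100.20",
    "2024-01-01T10:00:09Z 10.0.0.5 GET https://jw8ndw9ev.localto.net/invoice.jar 143.47.53.106",
    "2024-01-01T10:00:15Z 10.0.0.7 GET https://example.org/index.html 203.0.113.5",
    "not a log line",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} -> {h.value}")
    print(summarize(scan(SAMPLE_LOG)))
```

The domain match is exact and the tunnel rule is a suffix match, so a new subdomain on the same tunnelling service still trips the behavioural rule even after the specific indicators rotate; treat "tunnel-host" alone as a triage lead and "jar-via-tunnel" or a C2 IP match as grounds for isolating the host.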


Read more: https://feeds.fortinet.com/~/917966249/0/fortinet/blog/threat-research~Multilayered-Email-Attack-How-a-PDF-Invoice-and-GeoFencing-Led-to-RAT-Malware