Symantec researchers say the RAT is used to gather intel for future attacks

Aug 15, 2013 05:45 GMT

Security researchers have come across a cybercriminal campaign targeting high-profile organizations in Asia and Europe, particularly companies in the mining, telecoms, finance and government sectors.

According to Symantec, the attackers use emails with subject lines such as “Obama Releases Three Declassified Spying Docs,” “U.S. Consul General Hart Arrives in Hong Kong” or “UK-Northern Ireland-Japan InfoSec Agreement” to trick recipients into installing a new version of the Java remote access tool (RAT) known as Frutas (Backdoor.Opsiness).

The malicious emails come with two files attached: a PDF document that’s used as a decoy, and a .jar file that hides the RAT.
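For mail-gateway triage, the attachment pattern described above (a PDF alongside a .jar) can be checked by content rather than by file name alone. The following is an added example, not code from Symantec or from this article; the function names, addresses, file names and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def is_jar(name, data):
    """A JAR is a ZIP with META-INF/MANIFEST.MF; the extension alone is easy to change."""
    if name.lower().endswith(".jar"):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(raw):
    """Flag a message that carries a JAR, and note whether a PDF rides along with it."""
    msg = message_from_bytes(raw, policy=policy.default)
    jars, pdfs = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_jar(name, data):
            jars.append(name)
        elif data.startswith(b"%PDF-") or name.lower().endswith(".pdf"):
            pdfs.append(name)
    return {"jars": jars, "pdfs": pdfs, "pdf_plus_jar": bool(jars and pdfs)}


def make_jar():
    """Constructed, harmless JAR: a ZIP holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample(attachments):
    """Constructed test message; addresses and file names are placeholders."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Sample", "a@example.com", "b@example.com"
    m.set_content("See attached.")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    pdf = b"%PDF-1.4\n%%EOF\n"
    print(classify(build_sample([("brief.pdf", pdf), ("brief.jar", make_jar())])))
    print(classify(build_sample([("brief.pdf", pdf), ("notes.dat", make_jar())])))
    print(classify(build_sample([("brief.pdf", pdf)])))
```

The second sample shows why the manifest check matters: a JAR renamed to `notes.dat` is still reported.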

Once the .jar file is executed, the threat starts harvesting the infected device’s MAC and IP address, username, location, operating system information, and Java version. Then, it connects to a command and control (C&C) server.

The Frutas RAT isn’t designed to cause too much damage. Instead, it’s used for gathering intel for future targeted attacks.

Symantec says it’s seeing a growing trend in the use of Frutas for targeted attacks.