14 DAY TRIAL // An interesting variant of TorRAT, a piece of malware often used by cybercriminals to steal users’ online banking credentials, has been spotted in the wild.
According to researchers from security firm Trusteer, a spam campaign powered by TorRAT is currently targeting Dutch users.
Once it infects a computer, the malware launches a man-in-the-browser (MitB) attack. It injects a piece of JavaScript code into the victim’s Twitter page in an attempt to harvest authentication tokens.
These tokens are then utilized to gain unauthorized access to the accounts and abuse them to post tweets on the victims’ behalf.
The tweets contain malicious links and they read something like this (in Dutch):
“Our new King William will earn even more than Beatrix. Check his salary”
“Beyonce falls during the Super Bowl concert, very funny!!!!”
Trusteer says it hasn’t been able to analyze the malicious websites because the links distributed by the malware are inactive. However, experts believe the websites have most likely been designed to push the malware onto victims' computers.
For the time being, only users from the Netherlands appear to be targeted, but considering that Twitter is utilized by internauts worldwide, others are at risk as well.
Businesses should also be concerned about this type of attacks. Trusteer recommends organizations to turn to enterprise exploit prevention solutions that are capable of blocking such threats.
“This type of attack increases the need for enterprise exploit prevention technology: By blocking the exploitation of vulnerable endpoint user applications, like browsers, and preventing the malware download, exploit prevention technology stops the attack and prevents the malware from spreading and infecting more users,” Trusteer’s Dana Tamir noted.
“External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted.”