THREAT ALERT
Friday, September 12th, 2025
MostereRAT is a recently identified banking malware that has evolved into a sophisticated remote access trojan (RAT), currently targeting Microsoft Windows users in Japan. It remains unclear whether its operators intend to expand the campaign globally. These attacks typically begin with a phishing campaign designed to establish stealthy, long-term control over victims’ systems.
Behavior Summary
The phishing operation follows a familiar pattern: victims receive malicious emails containing deceptive links. When clicked, these links lead to a harmful website that triggers the download of a Word document embedding an archive file. This document’s primary function is to lay the groundwork for deploying MostereRAT by setting up the necessary infrastructure and persistence mechanisms on the compromised machine.
Uniquely, MostereRAT is developed using Easy Programming Language (EPL), an uncommon choice in malware creation. This decision aims to evade detection, as many security tools are not configured to analyze EPL-based threats effectively.
Once installed, MostereRAT decrypts and executes its payload in multiple stages, operating through two principal modules. The first module manages payload delivery, persistence, privilege escalation, and antivirus evasion. The second module powers the RAT’s core functionalities, which include deploying remote access tools, maintaining secure, mutually authenticated (mTLS) command-and-control communication, and supporting up to 37 distinct commands. (Source: Fortinet)
One of MostereRAT’s most dangerous capabilities is running with “TrustedInstaller” privileges, granting it extensive control to modify the system registry, files, and security configurations. Additionally, it can deploy legitimate remote access applications such as TightVNC or AnyDesk on compromised machines, enabling attackers to maintain undetected remote access. The malware is hardcoded with a list of numerous antivirus (AV) and endpoint detection and response (EDR) products, allowing it to locate and disable these defenses. Furthermore, it leverages Windows Filtering Platform (WFP) filters to block security tools from sending out detection alerts and event logs.
MostereRAT’s feature set includes data exfiltration, hidden administrator account creation, keystroke logging, and the sustained use of remote access tools for long-term infiltration.
To mitigate risk, limiting local administrative privileges is crucial, as overprivileged user accounts serve as a common entry point for MostereRAT. Implementing strict application control and vigilant monitoring to detect unauthorized remote access tools can also significantly reduce the attack surface.
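The three behaviours described above (legitimate remote access tools dropped on the host, hidden local administrator accounts, and WFP filters added to silence security tools) all leave traces in the Windows Security log, which is where the monitoring recommended here can start. The script below is an added example, not code from Fortinet or DefenseStorm: it runs three simple detection rules over constructed Security-log records exported as JSON-style dictionaries. The field names, the default binary names for AnyDesk (AnyDesk.exe) and TightVNC (tvnserver.exe), the list of "known" WFP providers, and the ten-minute promotion window are all assumptions to tune for your environment; the sample events are constructed, not real telemetry.

```python
"""Added example: three detection rules for MostereRAT-style post-compromise
activity, run over constructed Windows Security-log records.

Assumptions (not from the alert): event field names follow the Security log
as log shippers commonly export it to JSON; AnyDesk.exe and tvnserver.exe are
the tools' default binary names; real 4732 records often carry only MemberSid,
so MemberName being resolved here is a constructed convenience.
"""
import re
from datetime import datetime, timedelta

# Windows Security log event IDs used by the rules.
EVT_PROCESS_CREATE = 4688      # A new process has been created
EVT_USER_CREATED = 4720        # A user account was created
EVT_LOCAL_GROUP_ADD = 4732     # A member was added to a security-enabled local group
EVT_WFP_FILTER_CHANGE = 5447   # A Windows Filtering Platform filter has been changed

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Remote access tools named in the alert (default binary names: assumption).
REMOTE_ACCESS_TOOL_RE = re.compile(r"(anydesk\.exe|tvnserver\.exe|tightvnc)", re.I)

# WFP providers treated as expected in this environment (assumption; tune it).
KNOWN_WFP_PROVIDERS = {"Microsoft Corporation", "Windows Firewall"}

# "Account created" followed by "added to Administrators" inside this window is
# treated as one action rather than routine administration (assumption).
ADMIN_PROMOTION_WINDOW = timedelta(minutes=10)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_remote_access_tools(events):
    """Rule 1: process creation of a remote access tool the alert names."""
    return [
        {"rule": "remote_access_tool", "ts": ev["ts"], "host": ev["host"],
         "detail": ev["NewProcessName"]}
        for ev in events
        if ev["id"] == EVT_PROCESS_CREATE
        and REMOTE_ACCESS_TOOL_RE.search(ev["NewProcessName"])
    ]


def detect_new_local_admins(events):
    """Rule 2: a freshly created local account promoted to Administrators."""
    created = {}  # lower-cased account name -> its 4720 event
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == EVT_USER_CREATED:
            created[ev["TargetUserName"].lower()] = ev
        elif (ev["id"] == EVT_LOCAL_GROUP_ADD
              and ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID):
            name = ev["MemberName"].lower()
            birth = created.get(name)
            if birth and _ts(ev) - _ts(birth) <= ADMIN_PROMOTION_WINDOW:
                delay = int((_ts(ev) - _ts(birth)).total_seconds())
                findings.append({
                    "rule": "new_local_admin", "ts": ev["ts"], "host": ev["host"],
                    "detail": f"{name} created then added to Administrators {delay}s later"})
    return findings


def detect_wfp_block_filters(events):
    """Rule 3: a blocking WFP filter added by a provider we do not recognise."""
    return [
        {"rule": "wfp_block_filter", "ts": ev["ts"], "host": ev["host"],
         "detail": f"{ev['FilterName']} (provider={ev.get('ProviderName') or 'none'})"}
        for ev in events
        if ev["id"] == EVT_WFP_FILTER_CHANGE
        and ev["ChangeType"] == "Add" and ev["Action"] == "Block"
        and ev.get("ProviderName", "") not in KNOWN_WFP_PROVIDERS
    ]


def run_all(events):
    """Run every rule and return findings ordered by timestamp."""
    findings = (detect_remote_access_tools(events)
                + detect_new_local_admins(events)
                + detect_wfp_block_filters(events))
    return sorted(findings, key=lambda f: f["ts"])


# Constructed sample records: three should fire, the rest are benign noise.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:01:00", "id": 4688, "host": "WS01",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2025-09-10T09:02:10", "id": 4688, "host": "WS01",
     "NewProcessName": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-09-10T09:02:30", "id": 4720, "host": "WS01", "TargetUserName": "helpdesk_tmp"},
    {"ts": "2025-09-10T09:02:41", "id": 4732, "host": "WS01",
     "TargetSid": "S-1-5-32-544", "MemberName": "helpdesk_tmp"},
    {"ts": "2025-09-10T09:03:00", "id": 5447, "host": "WS01", "ChangeType": "Add",
     "Action": "Block", "ProviderName": "", "FilterName": "Outbound block (no provider)"},
    {"ts": "2025-09-10T09:05:00", "id": 5447, "host": "WS01", "ChangeType": "Add",
     "Action": "Block", "ProviderName": "Windows Firewall", "FilterName": "Core Networking rule"},
    {"ts": "2025-09-10T10:00:00", "id": 4720, "host": "WS01", "TargetUserName": "jdoe"},
    {"ts": "2025-09-10T10:30:00", "id": 4732, "host": "WS01",
     "TargetSid": "S-1-5-32-544", "MemberName": "olduser"},
]

if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

Rule 3 is deliberately narrow: Windows Firewall and other legitimate products add WFP filters all the time, so the signal is a blocking filter registered without a recognised provider, not WFP activity as such. Rule 2 will miss an account that was created long before it was promoted, which is the trade-off for not alerting on every routine group change.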
DefenseStorm Recommendations
The DefenseStorm team will continue to monitor additional developments and information regarding this emerging threat. All currently available IPs and hashes associated with this threat have been uploaded to the DefenseStorm ThreatMatch feed.
Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:
Other sources:
https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools