Suspected Pakistani actor modifies its custom remote access trojan with nefarious new capabilities

Rhea-AI Summary

Black Lotus Labs, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), has identified modifications to the ReverseRat remote access trojan, now dubbed ReverseRat 2.0. This enhanced version gains access to webcams and USB-connected devices, evading antivirus detection. It primarily targets victims in Afghanistan, India, Iran, and Jordan, with malicious documents masquerading as United Nations meeting agendas. Black Lotus Labs has null-routed the threat infrastructure and advises organizations to stay vigilant against such attacks.

Positive

• Black Lotus Labs mitigated potential threats by null-routing the attacker's infrastructure.
• The proactive identification of ReverseRat 2.0 enhances Lumen's reputation in cybersecurity.

Negative

• The emergence of ReverseRat 2.0 highlights ongoing cybersecurity vulnerabilities in critical sectors.
• New capabilities of the trojan pose increased risks to organizations, potentially leading to data breaches.

DENVER, Aug. 11, 2021 /PRNewswire/ -- Black Lotus Labs, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), today announced that ReverseRat – the remote access trojan it discovered just six weeks ago – has been modified with new capabilities targeting new victims.

ReverseRat 2.0 gains access to webcams and USB-connected devices while evading anti-virus detection.

Threat Assessment

After discovering and issuing its initial ReverseRAT research, Black Lotus Labs continued to track the threat actor, which had previously targeted government and energy-sector organizations in India and Afghanistan. Some of the new discoveries include:

• Victims were lured by a .pdf file that looked like an agenda for a United Nations meeting on organized crime. The document itself appears to have been fabricated as the UN Journal lists no such meeting on that topic during this timeframe.
• Most of the organizations that appeared to be targeted by the new "ReverseRat 2.0" were in Afghanistan, with a handful in Jordan, India and Iran.
• The first iteration of ReverseRat relied on Allakore, an open-source RAT, to run parallel to the custom framework. ReverseRat 2.0 replaced AllaKore altogether with a new agent called NightFury.
• ReverseRat 2.0 introduced new, more intrusive capabilities including:
• Taking photos via the infected computer's webcam and stealing files from any device connected to the compromised machine via a USB port.
• Techniques to evade detection by Kaspersky or Quick Heal antivirus (AV) products if either were detected on the host machine.

Black Lotus Labs Response and Recommendations

• To combat this campaign, Black Lotus Labs null-routed the threat actor infrastructure across the Lumen global IP network and notified the affected organizations.
• Black Lotus Labs continues to follow this threat group to detect and disrupt similar compromises, and we encourage other organizations to alert on this and similar campaigns in their environments.
• Given the nature of the critical sectors the actor is targeting, Black Lotus Labs advises security practitioners to learn the actor's current tactics, tools and procedures (TTPs) to better defend their organizations against potential attacks.
• Anyone interested in collaborating on similar research can contact Black Lotus Labs on Twitter @BlackLotusLabs.

Additional Resources

• For additional IOCs such as file hashes associated with this campaign, and for this threat actor's larger activity cluster, please visit the Black Lotus Labs blog. 
• To catch up on Black Lotus Labs's ReverseRat research, visit the first blog published in June 2021.

About Lumen Technologies:

Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 450,000 route fiber miles and serving customers in more than 60 countries, we deliver the fastest, most secure platform for applications and data to help businesses, government and communities deliver amazing experiences.

Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose to further human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies and YouTube: /lumentechnologies. Lumen and Lumen Technologies are registered trademarks in the United States. 

 

View original content to download multimedia:https://www.prnewswire.com/news-releases/suspected-pakistani-actor-modifies-its-custom-remote-access-trojan-with-nefarious-new-capabilities-301352897.html

SOURCE Lumen Black Lotus Labs

FAQ

What is ReverseRat 2.0 related to Lumen Technologies (LUMN)?

ReverseRat 2.0 is a modified remote access trojan identified by Black Lotus Labs, a division of Lumen Technologies, that targets organizations primarily in Afghanistan and other regions.

How does ReverseRat 2.0 compromise security?

ReverseRat 2.0 can access webcams and USB devices while evading antivirus detection, posing serious security threats.

What actions has Lumen Technologies taken regarding ReverseRat 2.0?

Lumen's Black Lotus Labs has null-routed the threat actor's infrastructure and warned affected organizations to enhance security measures.

What regions are primarily affected by ReverseRat 2.0?

The primary targets of ReverseRat 2.0 include organizations in Afghanistan, India, Iran, and Jordan.

What are the implications of the discovery of ReverseRat 2.0 for investors in Lumen Technologies (LUMN)?

The discovery of ReverseRat 2.0 emphasizes the ongoing cybersecurity risks Lumen Technologies is addressing, which could impact its market perception and investor confidence.