Published: October 16, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Cybersecurity researchers at Resecurity have found a remote administration tool (RAT) called “Escanor” that is actually Android and PC-based malware. Escanor weaponizes both Microsoft Office and Adobe PDF files where it hides its malicious code for attacks against banking institutions around the world. Truly bad enough as it is, it’s also where Escanor was found and who is suspected behind it that makes this RAT even more divisive than it appears.
Resecurity found Escanor hiding in relatively plain sight, for sale on the dark web since early this year. They also find Escanor’s domain name “escanor[.]live” is linked to cyberespionage groups Molerats and Apt-C-23. Both hacking units have known links to Hamas cyberwarfare group, the Palestinian terrorist organization. It’s believed likely that other hacking groups are also operating under the Escanor umbrella.
Reportedly, devices infected by Escanor are located in the U.S., Canada, Israel, Saudi Arabia, Egypt, Bahrain, the United Arab Emirates, Singapore, and Mexico. This RAT also has a version available for mobile devices.
Escanor the RAT
This remote access tool is well-known on the dark web, and its 28,000+ Telegram subscribers help ensure Escanor’s popularity. Security Affairs finds this spyware goes into high-gear using parts of other “cracked” hacking tools found on the dark web that provide additional functions to the spyware.
Resecurity says of Escanor “The tool can be used to collect GPS coordinates of the victim, monitor key strokes, activate hidden cameras, and browse files on the remote mobile devices to steal data…” These functions, along with potentially even more tools added for infecting Microsoft Office and Adobe PDF files, at the very least gives attackers what they need to compromise financial institutions.
Security Affairs found Escanor’s mobile version, also called “Escape-RAT” can intercept OTPs (one-time passwords) from online banking users that verify their identity. Once verified, the attacker has control of the victim’s account, allowing them to release the espionage malware. It too has the spying abilities of Escanor, adding to it browsing files for valuable data and activating hidden cameras.
How to Avoid
Keeping your company’s banking details private and safe from prying RATS like Escanor doesn’t take acts of heroism. In fact, simply making sure files are legitimate and therefore safe before opening them is all it takes. Be particularly aware of Microsoft Office docs and Adobe PDF files used with Escanor, but remember all types of documents can be used to carry other malware, too. If necessary, don’t hesitate to directly contact the file sender for verification the file is safe. Taking a minute or two to validate a file is legitimate is well worth the time. That’s especially true when compared to the time and resources a company would expend recovering from an Escanor attack.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com