Amnesia RAT, ransomware spread in new Russia-targeted phishing campaign

Attacks with Amnesia RAT and ransomware have been deployed against Russian users as part of a novel multi-stage phishing campaign, reports The Hacker News.

Threat actors have used social engineering to distribute business-themed archives containing decoy documents and a malicious Windows LNK file, which retrieves a next-stage PowerShell script that acts as the initial loader for persistence and covert compromise, according to findings from Fortinet FortiGuard Labs. After obtaining the necessary permissions, the malware prevents Microsoft Defender scans through exclusion configuration, abuse of PowerShell, and deployment of defendnot, while performing environment reconnaissance, disabling Windows administrative and diagnostic tools, and hijacking file associations, before eventually launching Amnesia RAT and a payload derived from the Hakuna Matata ransomware.

Amnesia RAT, which was fetched from Dropbox, enables extensive data exfiltration from browsers, cryptocurrency wallets, and other apps, such as Telegram and Discord, while the ransomware allows document, source code, and application asset encryption. "This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities," said researcher Cara Lin.
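As an added defender-side illustration (not code from the report or from Fortinet), the following Python shows how two of the steps described above, Defender exclusion configuration and file association takeover, would surface in registry-write telemetry. The Sysmon Event ID 13 field names and the Defender exclusion registry path are real; the sample records, the process names and the "trusted directory" heuristic are constructed assumptions for this example.

```python
import re
from typing import List, NamedTuple, Tuple


class RegistryEvent(NamedTuple):
    target: str   # Sysmon TargetObject: the registry key/value that was written
    details: str  # Sysmon Details: the new value
    image: str    # Sysmon Image: the process that performed the write


# Constructed sample records in the shape of Sysmon Event ID 13 (RegistryEvent,
# value set). They are illustrative, not telemetry from the campaign.
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    RegistryEvent(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public", "0", PS),
    RegistryEvent(rf"HKU\{SID}\Software\Classes\txtfile\shell\open\command\(Default)",
                  r'"C:\Users\Public\updater.exe" "%1"', PS),
    RegistryEvent(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor",
                  "0", r"C:\Program Files\Vendor\setup.exe"),
    RegistryEvent(rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                  r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe"', r"C:\Windows\explorer.exe"),
]

# Defender exclusion lists live under this key; writes here are worth alerting on.
EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\", re.I)
# A per-user or machine-wide "open" verb for a file type: the file association handler.
ASSOC_RE = re.compile(r"\\(?:Software\\)?Classes\\[^\\]+\\shell\\open\\command\\", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _from_script_host(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def _untrusted_handler(command: str) -> bool:
    # Pull the executable out of the (Default) command value, quoted or not.
    m = re.match(r'\s*"?([^"]+?\.exe)"?', command, re.I)
    return bool(m) and not m.group(1).lower().startswith(TRUSTED_DIRS)


def detect(events: List[RegistryEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, target) for each suspicious registry write."""
    findings = []
    for ev in events:
        if EXCLUSION_RE.search(ev.target):
            # An exclusion written by a scripting host is the pattern from the campaign.
            sev = "high" if _from_script_host(ev.image) else "low"
            findings.append((sev, "defender-exclusion-added", ev.target))
        elif ASSOC_RE.search(ev.target) and _untrusted_handler(ev.details):
            findings.append(("high", "file-association-hijack", ev.target))
    return findings
```

Feeding real Sysmon exports into `detect` only needs the three fields mapped onto `RegistryEvent`; the low-severity branch keeps legitimate installer exclusions visible without paging anyone.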