Remote Access Trojans Targets IND, US, UK Finance Dept Employees

by February 3, 2016 0 comments

NEW DELHI, INDIA: Attackers have been spreading two families of remote access Trojans (RATs) to small businesses in India, the UK, and US since the start of 2015, according to a latest threat report by Symantec. The attackers have been targeting employees responsible for accounts and fund transfers in order to steal money from affected organizations.

Operating with few resources and relying on social engineering rather than exploits, attackers have used two publicly available RATs − Backdoor.Breut and Trojan.Nancrat. However, despite these limitations, they have the potential to gain a huge amount of control over victim computers due to the malware’s multi-purpose capabilities.

Modus Operandi

The attackers spread the RATs by sending emails from spoofed or stolen accounts. The majority of the messages are sent in the afternoon during Greenwich Mean Time (GMT) or morning during Eastern Standard Time (EST). This suggests that the attackers are based in Europe or the US. The subjects of their messages relate to finance in order to lure employees that have access to the targeted organizations’ accounts. Some examples include, Re:Invoice, PO, Remittance Advice, Payment Advise, Quotation Required etc.

The emails include archive file attachments, usually with the .zip extensions. If the target opens the file, then their computer is infected.

What the attackers can access

Through these infections, the attackers can access the webcam and microphone, log keystrokes and more. The attackers have been using the targeted employee’s privileged access to transfer money to an account under their control.

Once a computer is compromised, the attackers spend time assessing it to find out how to steal the money. In some cases, attackers have been known to even download manuals to figure out how to use certain financial software. After they are finished with the computer, they return to sending emails to other targets. This suggests that there are a small number of attackers involved in these campaigns.


As the attackers in this case use basic social-engineering tactics in their campaigns, users should adhere to the following advice to avoid compromises in the first place:

  • Do not open attachments or click on links in suspicious email messages
  • Avoid providing any personal information when answering an email
  • Never enter personal information in a pop-up web page
  • Keep security software up to date


No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.