A new spam campaign is targeting German-speaking users with a man-in-the-middle (MitM) setup and the Ozone remote access tool (RAT).
First detected by Floser Bacurio Jr. and Joie Salvio of cybersecurity firm Fortinet, the campaign sends users spam mail that masquerades as billing information for cable services.
Bacurio and Salvio note that the proxy and certificate setup helps the scammers launch secondary attacks against the user:
“This is a very common setup for man-in-the-middle (MITM) attacks. By setting the browser proxies, the attacker can lead users to phishing pages like banks, payment sites, credit card companies, etc. It would not be a surprise to learn that those pages are registered using the installed fake SSL Certificate to assure users that the sites being accessed are legitimate and secure.”
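The two artefacts the researchers describe, a browser proxy pointed at attacker infrastructure and a fake root certificate installed to make the phishing pages look legitimate, are both things a defender can audit. The following is an added example (not code from the article or from Fortinet): it checks proxy values modelled on the Windows per-user Internet Settings key against an allowlist and compares installed root certificates against a fingerprint baseline; it also flags a PAC auto-config URL, which goes beyond what the article mentions. The allowlist, baseline fingerprints and sample inputs are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed organisation policy (constructed values, not from the article).
APPROVED_PROXIES = {"proxy.corp.example:8080"}
BASELINE_ROOT_FINGERPRINTS = {"aa" * 32, "bb" * 32}   # SHA-256 hex of sanctioned roots


@dataclass
class Finding:
    kind: str
    detail: str


def audit_proxy(settings: dict) -> list[Finding]:
    """`settings` mirrors the Windows Internet Settings registry values:
    ProxyEnable (0/1), ProxyServer ("host:port"), AutoConfigURL (PAC script)."""
    findings = []
    if settings.get("ProxyEnable") == 1:
        server = settings.get("ProxyServer", "")
        if server not in APPROVED_PROXIES:
            findings.append(Finding("rogue_proxy", f"ProxyServer={server}"))
    pac = settings.get("AutoConfigURL")
    if pac:  # a PAC script can reroute only selected hosts, so it is worth a look too
        findings.append(Finding("pac_script", f"AutoConfigURL={pac}"))
    return findings


def audit_roots(installed: list[tuple[str, str]]) -> list[Finding]:
    """`installed` is a list of (subject, sha256_hex) read from the trusted root store."""
    return [
        Finding("unknown_root", f"{subject} {fp[:16]}...")
        for subject, fp in installed
        if fp.lower() not in BASELINE_ROOT_FINGERPRINTS
    ]


def audit_host(settings: dict, installed: list[tuple[str, str]]) -> list[Finding]:
    """Combine both checks; an empty list means the host matches the baseline."""
    return audit_proxy(settings) + audit_roots(installed)


if __name__ == "__main__":
    # Constructed sample: proxy points at an unapproved host, one extra root CA present.
    sample_settings = {"ProxyEnable": 1, "ProxyServer": "203.0.113.10:8080"}
    sample_roots = [("CN=Corp Root CA", "aa" * 32), ("CN=Fake SSL Root", "cc" * 32)]
    for finding in audit_host(sample_settings, sample_roots):
        print(finding.kind, finding.detail)
```

On a real Windows host the proxy values would be read from the per-user Internet Settings key and the root list from the machine's trusted root store; the logic stays the same.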
The remote administration tool can be purchased for as little as 20 USD on the dark web. For only 30 USD more, buyers can obtain a lifetime license to the malware, which behaves like Adwind, DroidJack, and other RATs in that it gains complete control over, or “slaves,” an infected computer. Ozone also has the ability to open a hidden desktop session and secretly run applications.
But that’s not all Ozone has up its sleeve. It’s not just interested in what the target is doing. It’s curious about the buyer’s activities, too. That’s why some modified versions of the RAT come with a keylogger that secretly monitors a purchaser’s every keystroke.
Clearly, computer criminals are bundling RATs with other tricks such as MitM setups to get the most out of their victims. That’s why users need to be on the lookout for suspicious emails and attachments and never click on something they don’t trust.