Attackers Targeting German Users with MitM Setup, Ozone RAT

A new spam campaign is targeting German-speaking users with a man-in-the-middle (MitM) setup and the Ozone remote access tool (RAT).

First detected by Floser Bacurio Jr. and Joie Salvio of cybersecurity firm Fortinet, the campaign sends users spam mail that masquerades as billing information for cable services.

The message comes with a Microsoft Word attachment that contains malicious JavaScript and a thumbnail of what appears to be a cable bill. When a user clicks on the thumbnail, the JavaScript code executes.

Document File with the disguised javascript (Source: Fortinet)

Two things happen next. First, the JavaScript installs a fake SSL certificate and sets proxies for most popular web browsers to a remote Proxy Auto Config (PAC) file. That PAC, which is actuality a Tor URL, allows the infected computer to interact with the attacker’s Tor site without installing the anonymizing service’s proxy software.

Bacurio and Salvio note this step helps the scammers launch secondary attacks against the user:

“This is a very common setup for man-in-the-middle (MITM) attacks. By setting the browser proxies, the attacker can lead users to phishing pages like banks, payment sites, credit card companies, etc. It would not be a surprise to learn that those pages are registered using the installed fake SSL Certificate to assure users that the sites being accessed are legitimate and secure.”

Second, the JavaScript downloads an executable for Ozone RAT.

Ozone Website (Source: Fortinet)

The remote administration tool can be purchased for as little as 20 USD on the dark web. For only 30 USD more, users can obtain a lifetime license to the malware, which behaves like Adwind, DroidJack, and other RATs in that it gains complete control over, or “slaves,” an infected computer. Ozone also has the ability open a hidden desktop session and secretly run applications.

But that’s not all Ozone has up its sleeve. It’s not just interested in what the target is doing. It’s curious about the buyer’s activities, too. That’s why some modified versions of the RAT come with a keylogger that secretly monitors a purchaser’s every keystroke.

Keylog from the server installed by the modified Ozone RAT client (Source: Fortinet)

Clearly, computer criminals are bundling RATs with other tricks such as MitM setups to get the most out of their victims. That’s why users need to be on the lookout for suspicious emails and attachments and never click on something they don’t trust.