Parallax RAT Sets Aim at Cryptocurrency Organizations
Category: Malware Campaign | Industry: Financial Services | Level: Tactical | Source: Uptycs
Malicious phishing and spam emails targeting cryptocurrency entities are distributing the Parallax remote access trojan (RAT). Uptycs' tracking of Parallax found the RAT to have been active since December 2019, armed with capabilities to read login credentials, view files, capture keystrokes, and gain remote desktop control. Recent campaigns observed by the Uptycs Threat Research team involve a two-stage attack: the first payload employs process hollowing to embed the second payload within a legitimate process for stealth, and copies itself to the Startup folder for persistence. The second payload, a 32-bit executable, proceeds to collect system and host data. The attackers can also use the malware to communicate with the victim through Notepad and instruct them to connect to a Telegram channel. Lastly, the RAT can power off or restart the compromised system and erase its artifacts with a VBS script.
Anvilogic Use Cases:
- Executable/Injected Process Creates C2/Modifies System
- Executable Process from Suspicious Folder
- Execution from Startup Folder
- Network Connection with Suspicious Folder
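The four use cases above are folder- and lineage-based hunts. The following Python is added here as an illustration of how those rules fire against the two-stage chain described in the summary; it is not code from Uptycs or Anvilogic. It runs over a handful of constructed Sysmon-style events (process create and network connect), not real telemetry. The suspicious-folder list, the choice of a SysWOW64 host for the hollowed second stage, and the heuristic used for the "injected process creates C2" rule (a trusted OS binary whose parent lives in a suspicious folder making an outbound connection) are assumptions, not details from the report.

```python
"""Folder- and lineage-based detections for the Parallax chain described above.

Added example, not Uptycs or Anvilogic code. Input is a constructed list of
Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect); folder
lists and the hollowing heuristic are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed drop locations for first-stage loaders (forward-slash, lower-case form).
SUSPICIOUS_DIRS = [
    "/appdata/local/temp/",
    "/appdata/roaming/",
    "/programdata/",
    "/users/public/",
    "/windows/temp/",
]
# Per-user Startup folder; note it sits inside AppData\Roaming.
STARTUP_DIR = "/appdata/roaming/microsoft/windows/start menu/programs/startup/"
# Where signed OS binaries (typical hollowing hosts) normally live.
TRUSTED_DIRS = ["c:/windows/system32/", "c:/windows/syswow64/", "c:/program files/"]


@dataclass
class Event:
    event_id: int            # 1 = ProcessCreate, 3 = NetworkConnect
    image: str               # full path of the process image
    pid: int
    parent_image: str = ""   # only populated on ProcessCreate
    parent_pid: int = 0
    dest_ip: str = ""        # only populated on NetworkConnect
    dest_port: int = 0


def norm(path: str) -> str:
    """Case-fold and use forward slashes so substring checks are stable."""
    return path.replace("\\", "/").lower()


def in_dir(path: str, dirs) -> bool:
    p = norm(path)
    return any(d in p for d in dirs)


def hit(rule: str, e: Event) -> dict:
    return {"rule": rule, "pid": e.pid, "image": e.image}


def detect(events: list[Event]) -> list[dict]:
    """Apply the four use cases to a list of events; returns hits in event order."""
    hits: list[dict] = []
    # Index ProcessCreate events by pid so NetworkConnect events can be joined
    # back to the process lineage (pid reuse is ignored in this toy).
    procs = {e.pid: e for e in events if e.event_id == 1}
    for e in events:
        if e.event_id == 1:
            # Startup check first: the Startup folder is itself under Roaming.
            if in_dir(e.image, [STARTUP_DIR]):
                hits.append(hit("Execution from Startup Folder", e))
            elif in_dir(e.image, SUSPICIOUS_DIRS):
                hits.append(hit("Executable Process from Suspicious Folder", e))
        elif e.event_id == 3:
            if in_dir(e.image, SUSPICIOUS_DIRS):
                hits.append(hit("Network Connection with Suspicious Folder", e))
            proc = procs.get(e.pid)
            # Hollowing heuristic (assumption): a trusted OS binary whose parent
            # lives in a suspicious folder is now the one talking to the network.
            if (proc is not None
                    and in_dir(e.image, TRUSTED_DIRS)
                    and in_dir(proc.parent_image, SUSPICIOUS_DIRS)):
                hits.append(hit("Executable/Injected Process Creates C2/Modifies System", e))
    return hits


# Constructed sample telemetry mimicking the two-stage chain plus benign noise.
STARTUP_LOADER = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
SAMPLE_EVENTS = [
    # Stage 1: loader persisted in the user's Startup folder runs at logon.
    Event(1, STARTUP_LOADER, 4120, parent_image=r"C:\Windows\explorer.exe", parent_pid=1280),
    # Stage 2: loader spawns a legitimate 32-bit host and hollows it (host choice assumed).
    Event(1, r"C:\Windows\SysWOW64\svchost.exe", 4188, parent_image=STARTUP_LOADER, parent_pid=4120),
    # The hollowed host beacons out (203.0.113.0/24 is a documentation range).
    Event(3, r"C:\Windows\SysWOW64\svchost.exe", 4188, dest_ip="203.0.113.10", dest_port=443),
    # Benign noise: a browser from Program Files making a connection.
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 5000,
          parent_image=r"C:\Windows\explorer.exe", parent_pid=1280),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 5000,
          dest_ip="198.51.100.7", dest_port=443),
    # A mail-delivered dropper in Temp calling out directly.
    Event(1, r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe", 6001,
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", parent_pid=2200),
    Event(3, r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe", 6001, dest_ip="203.0.113.10", dest_port=8080),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['rule']:<55} pid={h['pid']} image={h['image']}")
```

Run stand-alone it reports four hits: the Startup-folder loader, the hollowed SysWOW64 host beaconing out, and the Temp dropper both on creation and on its outbound connection; the browser produces nothing. The hollowing rule is the weakest of the four, since a real EDR would key on the injection itself (CreateRemoteThread, unmapped image sections, or a mismatch between the on-disk image and the mapped one) rather than on parent lineage alone.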