[MART] - Daily Diary #578 - Meet Escanor, a New RAT for Sale

ctas-mat at appgate.com
Mon Aug 22 20:11:08 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

08/22/2022 - Diary entry #578:

Recently, a Remote Access Trojan (RAT) was discovered being advertised on the Dark Web and on Telegram. Named “Escanor”, it started as a simple HVNC (Hidden Virtual Network Computing) implant that evolved into a commercial RAT after other tools (Venom RAT and Pandora HVNC) were released by the same threat actor. It’s believed that Escanor has been active since January this year.

Escanor is distributed via malicious documents disguised as invoices and notifications from popular services. So far, Escanor has been identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, Singapore, and South-East Asia.

Moreover, there is also a mobile version of Escanor named “Esca RAT” that intercepts One-Time Password (OTP) codes from banking applications. Esca RAT is capable of collecting GPS coordinates, monitoring keystrokes, activating hidden cameras, and browsing files to steal data.

Despite being a new threat, Escanor RAT has already attracted over 28,000 subscribers on their Telegram channel. Therefore, Escanor is yet another example of why online banking application users should be careful downloading and executing unknown files or apps from unofficial sources.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

