A Los Angeles-based cybersecurity company identified a new RAT (Remote Administration Tool) called Escanor, advertised on the Dark Web and Telegram.
Escanor offers PC and Android-based versions of the RAT, along with an HVNC module and an Exploit Builder that weaponizes Microsoft Office and Adobe PDF documents to deliver malicious code.
Escanor has built a reasonable reputation on the Dark Web and attracted over 28,000 subscribers on Telegram.
The mobile version of Escanor (“Esca RAT”) is actively used by cybercriminals to attack online-banking consumers by intercepting OTP codes.
Esca RAT can be used to collect GPS coordinates of the victim, activate hidden cameras, monitor keystrokes, and browse files on remote mobile devices to steal data.
“Fraudsters monitor the location of the target, steal credentials of online-banking platforms and perform unauthorized access from the same device and IP – in such cases fraud prevention teams are not able to detect it and react timely,” said Ali Saifeldin, a malware analyst with Resecurity, Inc. who investigated several recent online-banking theft cases.
The majority of Escanor victims were in the U.S., Canada, UAE, Kuwait, Bahrain, Egypt, Saudi Arabia, Mexico, Israel, and Singapore, with some infections in South-East Asia.