RATicate Group Hits Industrial Firms With Revolving Payloads
According to researchers, a new threat group called RATicate is targeting industrial companies and is behind several malspam attacks that deliver revolving payloads such as LokiBot, Agent Tesla, Netwire, FormBook, and BetaBot. Researchers have attributed at least six separate campaigns to the group, with the first starting in November and the most recent in March.
The campaigns all leveraged the Nullsoft Scriptable Install System (NSIS) to create Windows installers that eventually drop remote access trojans on targeted systems. NSIS is a legitimate open-source tool intended to create Windows installers. The most recent campaign capitalizes on the current COVID-19 pandemic to convince victims to open payloads, representing a shift in tactics.