Escanor RAT Creeps on the Dark Web
A research team at security company Resecurity discovered a new malicious tool being distributed on the dark web. The new malware is a remote administration tool (RAT) that was dubbed Escanor.
The earliest sighting of Escanor dates back to the first month of 2022. The malware is also distributed through a Telegram channel, where it has gained significant traction, approaching 30 thousand subscribers.
The malicious payload of Escanor is distributed using doctored Office and PDF files. The malware also has a mobile version that works by intercepting single-use passwords sent to banking application users. The mobile version of the malware is known under the alias Esca RAT.
In addition to being used for banking fraud and potential theft, Esca RAT can monitor the GPS location of the infected device, log keystrokes from it and exfiltrate files.
The RAT is associated with a threat actor known by the alias AridViper, which has targeted entities located in Israel in the past.
The new victims infected with Escanor have been located all over the globe, including the Americas, the United Arab Emirates, Bahrain, Mexico and Singapore.