MostereRAT: The New Trojan Using Legitimate Tools to Attack
Researchers at FortiGuard Labs have documented a new campaign deploying the MostereRAT remote access trojan, which targets Windows systems and leverages legitimate tools such as AnyDesk and TightVNC to maintain covert access.
The attack is delivered through carefully crafted phishing emails aimed at Japanese users, enticing them to open a "document" that carries an embedded archive. Inside the archive is an executable named document.exe, built from a code sample taken from GitHub and padded with images of celebrities behind which the encrypted payload is hidden.
Upon execution, the malware unpacks its components into the C:\ProgramData\Windows directory. Several of them are written in Easy Programming Language (EPL), a Chinese-language development environment, and depend on the EPL runtime library krnln.fnr. EPL binaries are rarely seen outside China and few analysis tools handle them well, which slows reverse engineering. A C:\ProgramData\Windows folder containing krnln.fnr is therefore a useful hunting indicator in its own right, since neither the folder name nor that library belongs to a standard Windows installation.
The first key library, maindll.db, handles persistence, security-tool evasion, and privilege escalation. It creates scheduled tasks named Microsoft\Windows\winrshost and Microsoft\Windows\winresume, chosen to blend in with legitimate task names, and registers them to run under the SYSTEM and administrator accounts; on a suspect host they can be inspected with schtasks /Query /TN "\Microsoft\Windows\winrshost" /V /FO LIST. In some cases the TrustedInstaller account is used to obtain the highest available privileges. For this the code borrows techniques from the open-source NSudo project: it obtains the TrustedInstaller service's token, duplicates it, and launches new processes under that token, giving the operator full control of the system.
The second module, elsedll.db, provides the core remote-administration capabilities. It connects to its command-and-control servers over mutual TLS (mTLS) and supports 37 commands, including file upload and download, program execution, screenshot capture, and collection of user information. Because the channel is mTLS, the client authenticates with an embedded certificate, so a defender cannot simply connect to a suspected C2 server to fingerprint it without that certificate. Inside the encrypted channel, messages follow a fixed framing: the constant "magic number" 1234567890, then the packet length, then the command identifier, followed by the command data.
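To make the framing concrete, the following parser handles the three-field header the report describes. It is an added example, not code from FortiGuard's write-up or from the malware; the report does not give field widths or byte order, so the choice of 4-byte little-endian unsigned integers for every field, the rule that the length field counts only the payload bytes after the header, and the 64 MiB sanity bound are all assumptions. The sample traffic is constructed, not captured.

```python
"""Framing parser for the C2 packet layout described in the report.

Assumptions (not stated in the report): each header field is a 4-byte
little-endian unsigned integer, and the length field counts the payload
bytes that follow the header. SAMPLE below is constructed test data.
"""
import struct

MAGIC = 1234567890                 # fixed value named in the report (0x499602D2)
HEADER = struct.Struct("<III")     # magic, payload length, command id (assumed widths/order)
MAX_PAYLOAD = 64 * 1024 * 1024     # assumed sanity bound against corrupted length fields


def build_frame(cmd_id: int, payload: bytes) -> bytes:
    """Encode one frame the way the parser expects it (used for fixtures)."""
    return HEADER.pack(MAGIC, len(payload), cmd_id) + payload


def parse_frames(buf: bytes):
    """Split a byte stream into (cmd_id, payload) tuples.

    Returns (frames, remainder). A frame whose header is complete but whose
    payload has not fully arrived is left in the remainder so the caller can
    append more data and call again. Bytes that do not form a plausible header
    are skipped one at a time until the next candidate, so leading junk or a
    damaged first frame does not poison the rest of the stream.
    """
    frames = []
    pos = 0
    n = len(buf)
    while n - pos >= HEADER.size:
        magic, length, cmd_id = HEADER.unpack_from(buf, pos)
        if magic != MAGIC or length > MAX_PAYLOAD:
            pos += 1                      # resynchronise on the next byte
            continue
        end = pos + HEADER.size + length
        if end > n:
            break                         # incomplete payload: wait for more data
        frames.append((cmd_id, bytes(buf[pos + HEADER.size:end])))
        pos = end
    return frames, bytes(buf[pos:])


def looks_like_mostererat(buf: bytes) -> bool:
    """Cheap triage check: does the buffer start with a well-formed header?"""
    if len(buf) < HEADER.size:
        return False
    magic, length, _ = HEADER.unpack_from(buf, 0)
    return magic == MAGIC and length <= MAX_PAYLOAD


# Constructed sample: two complete frames, then a frame cut off mid-payload.
SAMPLE = (
    build_frame(1, b"hostname=WS01;user=taro")
    + build_frame(7, b"")
    + build_frame(12, b"C:\\ProgramData\\Windows\\x.bin")[:-5]
)

if __name__ == "__main__":
    frames, rest = parse_frames(b"\x00\x00" + SAMPLE)  # leading junk exercises resync
    for cmd_id, payload in frames:
        print(f"cmd={cmd_id} len={len(payload)} payload={payload!r}")
    print(f"{len(rest)} bytes held back for the next read")
```

Because the real channel is wrapped in mTLS, this framing is only visible after the TLS layer is removed, for example in a sandbox that terminates the connection, in process memory, or in a decrypted capture from an instrumented client. It is an analyst's tool for dissecting recovered traffic, not something a network sensor can apply to the encrypted stream.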
Particularly notable is the malware's strategy for neutralising security tools. The code carries a list of installation paths and process names for popular antivirus products, including Windows Defender, ESET, Avast, Avira, Malwarebytes, and Chinese products such as 360 Safe, Kingsoft, and Tencent Security. Rather than killing these processes, which would be noisy, it installs Windows Filtering Platform (WFP) filters that block their network traffic, so telemetry, updates, and alerts never reach the vendors' servers and the products appear healthy while being cut off. Defenders can export the active filter set with netsh wfp show filters (which writes filters.xml to the current directory) and review block filters whose provider is neither Windows nor a known security product.
The final stage of the attack installs legitimate remote access software. AnyDesk, TightVNC, and RDP Wrapper are configured to give the operators privileged interactive access, and their presence is concealed through registry edits and by hiding the tools' windows from the logged-on user. Because these tools are signed and widely used, they survive even if the custom components of the toolkit are detected and removed. AnyDesk and TightVNC do have legitimate uses, so the signal is an installation that did not come through the organisation's software-management channel; RDP Wrapper, which patches the RDP service to allow sessions the Windows edition would not normally permit, has little legitimate place on a managed fleet and is a strong indicator on its own.
Taken together, MostereRAT represents a clear step up from earlier trojans. Its combination of targeted social engineering, a little-known programming language, interaction with the Service Control Manager through its own RPC client rather than the documented Windows APIs that security products hook, and reliance on legitimate administration tools makes it unusually resilient to both analysis and cleanup. FortiGuard advises organisations to monitor for unexpected installations of remote access software, keep security solutions up to date, and strengthen employee awareness of phishing to reduce the risk of such intrusions.