MostereRAT Attacking Windows Systems With AnyDesk/TightVNC to Enable Remote Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Security researchers have uncovered a sophisticated campaign in recent weeks leveraging a novel Remote Access Trojan (RAT) dubbed MostereRAT that targets Windows systems by deploying legitimate remote access tools such as AnyDesk and TightVNC.

The malware’s emergence represents a significant evolution from earlier banking trojans, combining social engineering with advanced evasion techniques to establish covert full-system control.

The initial vector relies on highly localized phishing emails masquerading as business communications, which direct victims to a malicious website hosting a Word document containing a hidden archive.

Upon opening the document, the embedded payload quietly installs most RAT components without alerting standard security tooling.

Attack flow (Source – Fortinet)

MostereRAT’s developers have adopted a multi-stage delivery approach to obscure its true nature.

The executable, based on a wxWidgets sample, decrypts additional modules bundled within its resource section using a simple subtraction cipher keyed by the character “A.”

Once extracted to C:\ProgramData\Windows, these components are orchestrated via a custom RPC client that talks to the Service Control Manager directly rather than through the public SCM APIs, creating services that run with SYSTEM privileges.

Fortinet analysts identified the use of mutual TLS (mTLS) for C2 communications, ensuring that network traffic remains encrypted and authenticated in both directions, thereby thwarting interception or impersonation attempts.

During execution, MostereRAT installs two services—WpnCoreSvc (auto-start) and WinSvc_32263003 (demand start)—to guarantee persistence across reboots and on-demand operations.

The phishing e-mail (Source – Fortinet)

Fortinet researchers noted that the malware disables critical Windows security processes and services, including SecurityHealthService.exe, wuauserv, and UsoSvc, while modifying registry policies to prevent updates and hide notifications.

By terminating or hijacking these security mechanisms, the threat maintains a foothold without triggering alerts from antivirus or EDR solutions.
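The two artifacts described above, the service installs under C:\ProgramData\Windows and the disabling of Windows Update and Security Health services, are both visible in the System event log. The following triage script is an added example, not code from the page or from Fortinet: it runs the corresponding checks over constructed records modelled on the fields of Event ID 7045 (service install) and 7040 (start-type change). The sample events, the field names and the `triage` function are assumptions made for the example.

```python
from typing import Dict, List

# Indicators stated on the page: service names, staging directory, targeted services.
SUSPECT_SERVICE_NAMES = {"wpncoresvc", "winsvc_32263003"}
STAGING_DIR = r"c:\programdata\windows"
SECURITY_SERVICES = {"wuauserv", "usosvc", "securityhealthservice"}

# Constructed sample records (NOT real logs from the campaign), shaped like the
# fields of System log Event 7045 ("A service was installed in the system") and
# Event 7040 ("The start type of the X service was changed from A to B").
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "7045", "name": "WpnCoreSvc",
     "path": r"C:\ProgramData\Windows\wpncore.exe",
     "start": "auto start", "account": "LocalSystem"},
    {"id": "7045", "name": "WinSvc_32263003",
     "path": r"C:\ProgramData\Windows\wpncore.exe",
     "start": "demand start", "account": "LocalSystem"},
    {"id": "7045", "name": "BackupAgent",
     "path": r"C:\Program Files\Backup\agent.exe",
     "start": "auto start", "account": "LocalSystem"},
    {"id": "7040", "name": "wuauserv", "old": "demand start", "new": "disabled"},
    {"id": "7040", "name": "Spooler", "old": "auto start", "new": "demand start"},
]


def _service_install_alert(ev: Dict[str, str]) -> str:
    """Flag 7045 when the name matches, or the binary lives in the staging dir."""
    name = ev["name"].lower()
    path = ev["path"].lower().strip('"')
    if name in SUSPECT_SERVICE_NAMES:
        return f"known MostereRAT service name installed: {ev['name']}"
    if path.startswith(STAGING_DIR):
        return f"service binary under staging directory: {ev['path']}"
    return ""


def _start_type_alert(ev: Dict[str, str]) -> str:
    """Flag 7040 when a security/update service is switched to disabled."""
    if ev["name"].lower() in SECURITY_SERVICES and ev["new"].lower() == "disabled":
        return f"security service disabled: {ev['name']} ({ev['old']} -> {ev['new']})"
    return ""


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious event; benign events are dropped."""
    alerts = []
    for ev in events:
        reason = ""
        if ev["id"] == "7045":
            reason = _service_install_alert(ev)
        elif ev["id"] == "7040":
            reason = _start_type_alert(ev)
        if reason:
            alerts.append({"id": ev["id"], "name": ev["name"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['id']}] {alert['reason']}")
```

The path check is deliberately independent of the service names, since names are cheap to change while the staging directory is part of the observed tradecraft; on a real host the same logic is fed from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045,7040}`.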

Infection and Decryption Mechanism

The infection mechanism commences when the victim executes the first-stage executable, document.exe, which unpacks and decrypts the primary modules.

The decryption routine applies a byte-wise subtraction of the value 0x41 (‘A’) to each encrypted byte in the resource blob:

// encrypted/decrypted are unsigned bytes, so the subtraction wraps modulo 256
for (size_t i = 0; i < length; ++i) {
    decrypted[i] = encrypted[i] - 0x41;
}

This trivial yet effective cipher conceals the RAT’s logic from cursory analysis. Once decrypted, the modules maindll.db and elsedll.db are loaded directly into memory.
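An analyst's version of the same routine, added here as an example and not code from the page or the malware: it decrypts a constructed resource blob with the subtraction cipher (wrapping modulo 256, which a signed implementation gets wrong), checks whether the result starts with a PE "MZ" header, and goes one step beyond the page by recovering the key from that known plaintext, so the same decoder works if a later sample changes the constant. The sample blob and the function names are assumptions made for the example.

```python
from typing import Optional

KEY = 0x41  # the 'A' byte described on the page


def decrypt_resource(blob: bytes, key: int = KEY) -> bytes:
    """Byte-wise subtraction cipher: plaintext = (ciphertext - key) mod 256.
    The mask matters: plaintext 0x00 is stored as 0x41, but plaintext 0xC0 is
    stored as 0x01, and a signed subtraction would yield -0x40 there."""
    return bytes((b - key) & 0xFF for b in blob)


def encrypt_resource(data: bytes, key: int = KEY) -> bytes:
    """Inverse of decrypt_resource; used only to build the constructed sample."""
    return bytes((b + key) & 0xFF for b in data)


def looks_like_shifted_pe(blob: bytes, key: int = KEY) -> bool:
    """Triage check: does the resource decrypt to a PE header at offset 0?
    'M'+0x41 = 0x8E and 'Z'+0x41 = 0x9B, so an encrypted PE starts 8E 9B."""
    return decrypt_resource(blob[:2], key) == b"MZ"


def recover_key(blob: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Brute-force the single-byte key from a known plaintext prefix.
    Returns None if no key maps the prefix onto known_prefix."""
    for k in range(256):
        if decrypt_resource(blob[: len(known_prefix)], k) == known_prefix:
            return k
    return None


# Constructed stand-in for an encrypted resource: a fake PE stub, NOT a real sample.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\xc0\xfe"
)
SAMPLE_BLOB = encrypt_resource(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("first bytes of blob:", SAMPLE_BLOB[:2].hex())       # 8e9b
    print("shifted PE?", looks_like_shifted_pe(SAMPLE_BLOB))   # True
    print("recovered key:", hex(recover_key(SAMPLE_BLOB) or 0))  # 0x41
    print(decrypt_resource(SAMPLE_BLOB)[:2])                   # b'MZ'
```

Because every byte is shifted by the same constant, the cipher preserves byte frequencies and repeated structures, which is why entropy-based packer heuristics do not fire on it and why a two-byte 8E 9B prefix check is enough to spot resources hidden this way.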

The maindll.db module interprets parameters ranging from channel-8df91be7c24"a" to channel-8df91be7c24"e" to execute tasks such as persistence, privilege escalation, and task scheduler manipulation.

Conversely, elsedll.db establishes multiple threads to handle keystroke logging, screenshot capture, and RMM tool deployment via TightVNC and AnyDesk.

Upon establishing a secure connection to its C2 servers over ports 9001 and 9002, the RAT periodically retrieves encrypted configuration files, which it decrypts with an RSA private key embedded in the binary.

After decryption it compares the SHA-256 hash of the retrieved version against the one it is currently running; when they differ, the malware updates itself in place, ensuring continued functionality and resilience.

This continual upgrade capability exemplifies the threat’s high level of sophistication and underlines the importance of comprehensive monitoring and user education to defend against such multifaceted attacks.
