MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access www.fortinet.com/blog/thre…
FortiGuard Labs recently discovered a phishing campaign that relies on social engineering both as its initial access vector and as its propagation method, helping the threat spread. MostereRAT additionally employs more advanced and sophisticated techniques, such as incorporating an EPL program as one stage of the campaign, hiding its service creation method, blocking AV solution traffic, running as TrustedInstaller, using mTLS, and switching to legitimate remote access tools like AnyDesk, TightVNC, and RDP Wrapper to control the victim’s system.
Although part of the attack flow and its C2 domains were mentioned in a 2020 public report as being associated with a banking trojan, the malware has since evolved into a Remote Access Trojan (RAT) that we now call MostereRAT.