Threat Management, Malware, Network Security, Ransomware

ElTest campaign switches payload from ransomware to RAT

A social engineering scam orchestrated by the ElTest hacking group just had its final payload switched from ransomware to a remote access trojan, indicating a possible change in motive, researchers at Palo Alto Networks have reported.

According to a Friday blog post from Palo Alto's Unit 42 threat research team, the malicious campaign was updated in late August to distribute a downloader that installs the commercially available NetSupportManager RAT. Since January 2017, the ElTest scheme had been infecting victims primarily with ransomware such as Spora and Mole, the report continues.

The campaign, which began in December 2016 involves compromising websites to display a fraudulent message urging Google Chrome browser users to update their font package because the "HoeflerText" font wasn't found. Clicking the message's update button downloads the malware.

This particular scam only targets Chrome users. On the other hand, Internet Explorer users who visit these same compromised sites will instead receive a fake anti-virus alert, along with a phone number for a tech support scam.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.