Escanor Remote Access Trojan in action

A new RAT has been seen on the dark web weaponizing Microsoft Office and Adobe PDF documents to deliver malicious code, dubbed Escanor.

The threat actors offer Android-based and PC-based versions of RAT, along with a hidden virtual network computing module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.

Initially designed and released as an HVNC implant in early 2022, the malware simply allowed attackers to set up a silent remote connection to the victim’s computer. The tool later evolved into a full-scale commercial RAT with a rich feature set.

As for the mobile version of Escanor the malware is reportedly actively used by cyber-criminals to attack online-banking customers by interception of one-time password (OTP) codes.

Escanor can be used to collect GPS coordinates of the victim, monitor keystrokes, activate hidden cameras, and browse files on remote mobile devices to steal data.

Researchers warned that the domain name used by Escanor had been previously identified in connection to Arid Viper, a group active within the Middle Eastern region in 2015 and known to mainly target Israeli military assets.

Most of its victims were identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore with some infections spotted in South-East Asia.

This research was done and documented by researchers from Resecurity