Escanor malware delivered in weaponized Microsoft Office documents


Resecurity, a Los Angeles-based cybersecurity company protecting the Fortune 500 globally, has identified a new RAT (remote administration tool) advertised on the Dark Web and Telegram under the name Escanor. Threat actors offer Android and PC-based versions of the RAT, as well as an HVNC module and an exploit generator that weaponizes Microsoft Office and Adobe PDF documents to deliver malicious code.

The tool went on sale on January 26 of this year, initially as a compact HVNC implant used to establish a silent remote connection to the victim's computer, and was later upgraded to a full-scale commercial RAT with a rich feature set. Escanor has built a credible reputation on the Dark Web and has attracted over 28,000 subscribers to its Telegram channel. In the past, an actor using the exact same moniker released "cracked" versions of other Dark Web tools, including Venom RAT, 888 RAT and Pandora HVNC, which were likely reused to build out Escanor's feature set.

The mobile version of Escanor (also known as "Esca RAT") is actively used by cybercriminals to attack online banking customers by intercepting OTP codes. The tool can also collect the victim's GPS coordinates, monitor keystrokes, covertly activate the camera and browse files on the remote mobile device to steal data.


“Fraudsters monitor the location of the victim and leverage Esca RAT to steal credentials from online banking platforms and perform unauthorized access to the compromised account from the same device and IP – in this case, the fraud prevention teams are unable to detect and respond to it in a timely manner,” said Ali Saifeldin, malware analyst at Resecurity, Inc., which has investigated several recent cases of online bank theft.

The majority of recently detected samples were delivered using the Escanor Exploit Builder. The actors use decoy documents that mimic invoices and notifications from popular online services.


Notably, the domain name ‘escanor[.]live’ has previously been identified in connection with the AridViper framework (APT-C-23 / GnatSpy). APT-C-23 is a group active in the Middle East, known in particular for targeting Israeli military assets. After Qihoo 360 published its report, the actor behind Escanor RAT released a video detailing how the tool can be used to bypass AV detection.
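The defanged domain above is the only network indicator the article gives. The following is an added example (not code from Resecurity or from the article) of how a defender would sweep proxy or DNS logs for it: the indicator is refanged, and matching is done on the registered domain and any subdomain of it, so that look-alike names such as a domain merely ending in the same string do not produce false hits. The log format and the log lines are constructed for the example.

```python
"""Sweep log lines for a defanged domain IOC (added example, constructed data)."""
import re
from typing import Iterable, List, Tuple

# The indicator as published on the page, in defanged form.
IOCS = ["escanor[.]live"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]' or '(.)' for '.') and normalise the name."""
    return ioc.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IOC domain itself or a subdomain of it.

    'notescanor.live' must NOT match 'escanor.live', hence the leading dot check.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Hostname-looking tokens: one or more labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def find_hits(lines: Iterable[str], iocs: List[str] = IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_host, ioc_domain) for each line touching an IOC."""
    domains = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for d in domains:
                if domain_matches(host, d):
                    hits.append((n, host.lower().rstrip("."), d))
    return hits


# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = [
    "2022-08-01T10:00:01Z dns host=pc-17 qname=cdn.escanor.live. qtype=A",
    "2022-08-01T10:00:02Z proxy host=pc-17 url=https://mail.example.com/inbox status=200",
    "2022-08-01T10:00:03Z proxy host=pc-22 url=http://escanor.live/update.bin status=200",
    "2022-08-01T10:00:04Z dns host=pc-05 qname=notescanor.live qtype=A",
]

if __name__ == "__main__":
    for line_no, host, ioc in find_hits(SAMPLE_LOG):
        print(f"line {line_no}: {host} matches IOC {ioc}")
```

Run against real logs, `find_hits` would be fed the lines of a proxy or DNS export; only lines 1 and 3 of the constructed sample are reported, while the look-alike on line 4 is correctly ignored.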

The majority of victims infected with Escanor have been identified in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico and Singapore, with some infections in Southeast Asia.

