Researchers have recently identified a new malspam campaign that delivers the Wacatac Trojan. The attackers compress an executable inside various types of archive file attachments; potential victims who extract and execute the attachment will most likely become infected. The campaign began on August 21, 2020 and is still ongoing as of today, August 31. The spam messages draw victims’ attention with email subjects that pose as important banking information. Many carry a RAR archive as the attachment, but it can also be an ACE archive.
On Windows platforms, if the victim opens it, regsvcs.exe starts and, in turn, triggers a process that gathers the user’s personal information from the file system. Here is the infection process.
At the same time, it also establishes a communication session between a remote controller (i.e. 220-cpanel-02.wlink.com.np or 250-cpanel-02.wlink.com.np) and the infected device over Extended Simple Mail Transfer Protocol (ESMTP). This connection is presumably used by the remote controller(s) to take control of the infected device.
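The two behaviours described above, regsvcs.exe launched from a RAR/ACE extraction and then talking ESMTP outbound, can be correlated in endpoint telemetry. The following is an added detection example, not code from the original write-up; the event field names are an assumption modelled loosely on Sysmon-style process-create and network-connect records, the SMTP ports are the standard ones rather than values from the write-up, and the sample events are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

SMTP_PORTS = {25, 465, 587}                 # standard (E)SMTP relay/submission ports
ARCHIVE_RE = re.compile(r"\.(rar|ace)\b")   # archive types named in the write-up


@dataclass
class Finding:
    pid: int
    reasons: List[str] = field(default_factory=list)


def analyse(events: List[Dict]) -> Dict[int, Finding]:
    """Correlate process-create and network-connect events by pid.

    A regsvcs.exe process is flagged when its parent command line names a
    RAR/ACE archive (launched from an extraction) or when it opens an
    outbound connection on an SMTP port (the ESMTP channel described above).
    """
    findings: Dict[int, Finding] = {}
    regsvcs_pids = set()
    for ev in events:
        if ev["type"] == "process_create" and ev["image"].lower().endswith("regsvcs.exe"):
            regsvcs_pids.add(ev["pid"])
            if ARCHIVE_RE.search(ev.get("parent_cmdline", "").lower()):
                findings.setdefault(ev["pid"], Finding(ev["pid"])).reasons.append(
                    f"regsvcs.exe launched from archive extraction: {ev['parent_cmdline']}")
    for ev in events:
        if (ev["type"] == "network_connect" and ev["pid"] in regsvcs_pids
                and ev["dst_port"] in SMTP_PORTS):
            findings.setdefault(ev["pid"], Finding(ev["pid"])).reasons.append(
                f"regsvcs.exe outbound SMTP to {ev['dst_host']}:{ev['dst_port']}")
    return findings


# Constructed sample telemetry (not real data): pid 100 is a control case that
# should produce no finding; pid 200 mirrors the infection chain in the write-up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_cmdline": r"C:\Windows\System32\services.exe"},
    {"type": "network_connect", "pid": 100, "dst_host": "10.0.0.5", "dst_port": 443},
    {"type": "process_create", "pid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\statement.rar"'},
    {"type": "network_connect", "pid": 200, "dst_host": "mail.example.invalid", "dst_port": 587},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS).values():
        print(finding.pid, finding.reasons)
```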