Researchers with Resecurity shared screenshots of a Remote Access Trojan (RAT) called Escanor, which is actively being sold via a Telegram channel by the same name, operated by a Telegram user account called HAX_CRYPT.
There are two versions of the RAT: one which targets Windows and a mobile version known as Esca RAT that targets Android devices. The Windows RAT is delivered via malicious Microsoft Word, Excel, PDF, or HTML5 files to install a Hidden VNC (HVNC) client, allowing the malware operator to interact with the victim computer remotely through a full graphical remote desktop. The Android RAT can track the victim’s device location, activate the camera, and capture one-time-password (OTP) codes sent by banks or other institutions over text messages to protect customer logins.
The same threat actor who sells Escanor has also sold cracked versions of other hacking tools, including Venom RAT, Cobalt Strike 4.6, and Security Killer HVNC.
Binary Defense Analysts researched the history of messages on the Escanor Telegram channel and noted that most of the items are sold for low prices, around 50 to 100 USD, using a variety of cryptocurrency transactions. HAX_CRYPT posted screenshots of alleged conversations with people buying the software, including a message from one user interested in the PDF exploit who said “Your pdf exploit builder looks good. I could get thousands of thousands of victims from that pdf exploit.”
Because of the low prices and ease of accessibility, it is reasonable to expect that a wide variety of criminal threat actors at many skill levels will make use of this malware to gain access to victim computers and mobile devices. Corporate security teams and individuals should continue to be aware of suspicious email attachments and links to download Excel, Word, PDF, and HTML files. A strong endpoint security solution, coupled with Security Analysts monitoring endpoint devices for suspicious events, remains the best way to avoid disruptive and costly computer intrusions.