BruteRatel C4 (BRc4)

“abuse legitimate services like file-hosting services and business profile pages…”, “downloaded a ZIP file… from Dropbox”, “received a JavaScript file from Firebase”

campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking them into clicking on lookalike pages that are designed to capture victims' Microsoft 365 usernames and passwords.

“The emails contained a PDF attachment…”, “The email contained a hyperlink that directed users to download a malicious Excel file.”

“outcome depended on whether their system and IP address were allowed… If access was restricted, the user received a benign PDF… as a decoy to evade detection” | “The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox.” | “embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link… redirected… to a landing site that displayed a fake DocuSign page”

“If executed, this JavaScript file downloaded…”, “If the user opened the Excel file… enable macros…”, “If launched by the user, the .lnk file uses PowerShell…”

Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365

“displayed a fake DocuSign page hosted on a domain masquerading as DocuSign… .lnk files set up to mimic tax documents.”

“Latrodectus… features dynamic command-and-control (C2) configurations…”, “Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59”