Researchers spotted a new RAT (Remote Administration Tool) called Escanor, advertised on the Dark Web and Telegram.
The tool was released for sale on January 26th this year, initially as a compact HVNC implant for setting up a silent remote connection to the victim’s computer, and was later transformed into a full-scale commercial RAT with a rich feature set.
Escanor has built a credible reputation on the Dark Web and attracted over 28,000 subscribers on the Telegram channel. In the past, the actor with exactly the same moniker released ‘cracked’ versions of other Dark Web tools, including Venom RAT, 888 RAT and Pandora HVNC, which were likely used to further enrich the functionality of Escanor.
The majority of samples detected recently have been delivered using Escanor Exploit Builder. The actors are using decoy documents imitating invoices and notifications from popular online services.