A new remote administration tool (RAT) called Escanor, which uses Microsoft Office and Adobe PDF documents to deliver malicious code, has been spotted on dark web forums and Telegram channels, according to an advisory published on Sunday, August 21, 2022.
The first sighting of Escanor dates back to January 2022. The malware is also distributed through a Telegram channel, where it has gained significant traction, approaching 30,000 subscribers.
Additionally, Resecurity found that the domain name used by Escanor had previously been identified in connection with Arid Viper, a group active in the Middle East region in 2015 and known to primarily target Israeli assets.
As for Escanor, most of its victims were identified in the US, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with some infections detected in Southeast Asia.
The Escanor payload is distributed using elaborate PDF and Office files. The malware also has a mobile version, known as Esca RAT, that intercepts one-time passwords sent to users of banking apps.