{
	"id": "46791b84-6abe-404a-8161-a949f3dbc3f5",
	"created_at": "2026-04-06T00:17:01.417408Z",
	"updated_at": "2026-04-10T03:35:34.412212Z",
	"deleted_at": null,
	"sha1_hash": "8656c287648618f54643cbcbc9f8aa1c9378d0ee",
	"title": "German Speakers Targeted by SPAM Leading to Ozone RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2082781,
	"plain_text": "German Speakers Targeted by SPAM Leading to Ozone RAT\r\nPublished: 2016-08-29 · Archived: 2026-04-05 14:07:15 UTC\r\nRemote Administration Tools (RAT) have been around for a long time. They provide users and administrators with\r\nthe convenience of being able to take full control of their systems without needing to be physically in front of a\r\ndevice. In this age of global operations, that’s a huge deal. From troubleshooting machines across countries to\r\nobserving employees across rooms, RAT solutions have become widely used tools for remote maintenance and\r\nmonitoring.\r\nUnfortunately, malware authors often utilize these same capabilities to compromise systems. Full remote access\r\ncapabilities is a dream tool for the black hat community, and are highly sought after.\r\nAs a case in point, we recently discovered a SPAM campaign targeting German-speaking users that involves a\r\nrelatively new commercialized RAT called Ozone.\r\nGerman-Speaking Social Engineering\r\nIn this report we will take a look at this new SPAM campaign that appears to be targeting German-speaking users.\r\nThe email subject claims to be billing information for “Cable” service, and the attachment contains a Microsoft\r\nWord document.\r\nFig.1 Spam Email with German message\r\nMicrosoft Word documents with malicious downloader Macros are quite common. In this case, however, the\r\nattacker is using a rather old, but possibly still very effective scheme. Attached to the document is a javascript\r\nwith a small thumbnail of what the recipient is intended to assume is their cable bill. It comes with the classic\r\ninstruction to double-click on the image to see it fully. 
As expected, doing so executes the malicious JavaScript and starts the next step in the infection chain.\r\nhttps://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html\r\nPage 1 of 10\n\nFig. 2 Document file with the disguised JavaScript\r\nThe malicious JavaScript first installs a fake SSL certificate and then points the proxy configuration of Internet Explorer, Chrome and Mozilla browsers at a remote Proxy Auto-Config (PAC) file. The PAC file address is a Tor URL, randomly selected from a hard-coded list in the script (Tor is a network that lets people communicate anonymously on the Internet). The victim system reaches the attacker’s Tor site without any Tor software installed because the URLs use the “.to” (Tor2Web) and “.link” (Onion Link) suffixes; these services act as relays between the Tor network and the regular web.\r\nFig. 3 TOR URL config\r\nThis is a very common setup for man-in-the-middle (MITM) attacks. With the browser proxies under the attacker’s control, users can be redirected to phishing pages imitating banks, payment sites, credit card companies and so on. It would not be a surprise to learn that those pages are served with certificates chained to the installed fake certificate, so that the browser shows the phishing sites as legitimate and secure instead of warning about them.\r\nFig. 4 Installed Fake SSL Certificate Information\r\nFig. 5 Fake Certificate Installed in IE\r\nAs if not satisfied with setting up a man-in-the-middle attack, the script then downloads a RAT server.\r\nThe Ozone RAT Server and Core Module\r\nUpon searching for similar samples of the downloaded executable, some versions were found to include debug information pointing to Ozone RAT. 
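Before going further into the server component, the proxy hijack described above is the part of this chain a responder can check for directly on a suspect host. The script below is an added triage example, not code from this post and not code from Ozone: it reads the settings the JavaScript changes (AutoConfigURL in the Internet Settings registry key that Internet Explorer and Chrome honour, and the network.proxy.* preferences in Firefox’s prefs.js), flags a PAC URL that is served through a Tor-to-web gateway, and lists the hosts that a retrieved PAC script would steer through the attacker’s proxy. The registry values, prefs.js lines, PAC script, .onion hostnames and proxy address are all constructed for the example; real ones from the campaign are not reproduced in the post.

```python
from urllib.parse import urlparse

# Tor-to-web relays named in the post: '.to' (Tor2Web) and '.link' (Onion Link).
ONION_GATEWAY_SUFFIXES = ('.onion.to', '.onion.link')
QUOTES = '\"' + chr(39)  # both quote characters, for trimming JS string literals


def onion_gateway_suffix(url):
    '''Return the matching relay suffix if the URL's host is a Tor-to-web gateway, else None.'''
    host = (urlparse(url).hostname or '').lower()
    return next((s for s in ONION_GATEWAY_SUFFIXES if host.endswith(s)), None)


def describe_pac(url):
    gw = onion_gateway_suffix(url)
    return 'PAC served via Tor gateway ' + gw if gw else 'PAC configured'


def check_internet_settings(values):
    '''values: the Internet Settings registry values (IE and Chrome both honour them),
    e.g. read with winreg on the host or parsed from a reg export.'''
    findings = []
    if values.get('AutoConfigURL'):
        findings.append(('AutoConfigURL', values['AutoConfigURL'], describe_pac(values['AutoConfigURL'])))
    if values.get('ProxyEnable') == 1 and values.get('ProxyServer'):
        findings.append(('ProxyServer', values['ProxyServer'], 'static proxy enabled'))
    return findings


def check_firefox_prefs(prefs_js):
    '''Scan prefs.js text; network.proxy.type 2 means 'use a PAC URL'.'''
    findings = []
    for line in prefs_js.splitlines():
        line = line.strip()
        if not line.startswith('user_pref('):
            continue
        name, _, value = line[len('user_pref('):].rstrip(');').partition(',')
        name, value = name.strip().strip(QUOTES), value.strip().strip(QUOTES)
        if name == 'network.proxy.autoconfig_url':
            findings.append((name, value, describe_pac(value)))
        elif name == 'network.proxy.type' and value == '2':
            findings.append((name, value, 'proxy mode set to PAC'))
    return findings


def proxied_hosts_from_pac(pac_text):
    '''Extract the host patterns a PAC script steers through its proxy. Handles the
    dnsDomainIs / shExpMatch / localHostOrDomainIs forms, which is enough for triage.'''
    hosts = set()
    for func in ('dnsDomainIs(', 'shExpMatch(', 'localHostOrDomainIs('):
        start = pac_text.find(func)
        while start >= 0:
            args = pac_text[start + len(func):pac_text.find(')', start)]
            pattern = args.split(',')[-1].strip().strip(QUOTES)
            hosts.add(pattern.lstrip('*.').lower())
            start = pac_text.find(func, start + 1)
    return sorted(hosts)


def triage(ie_values, prefs_js, pac_text):
    return {'settings': check_internet_settings(ie_values) + check_firefox_prefs(prefs_js),
            'proxied_hosts': proxied_hosts_from_pac(pac_text)}


# --- Constructed sample data (hypothetical onion names, RFC 5737 proxy address) ---
IE_SAMPLE = {'ProxyEnable': 0, 'ProxyServer': '',
             'AutoConfigURL': 'http://abcdefghijklmnop.onion.link/proxy.pac'}
FIREFOX_SAMPLE = '''
user_pref(\"network.proxy.type\", 2);
user_pref(\"network.proxy.autoconfig_url\", \"http://abcdefghijklmnop.onion.to/proxy.pac\");
user_pref(\"browser.startup.homepage\", \"about:blank\");
'''
PAC_SAMPLE = '''
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, \".example-bank.de\") || shExpMatch(host, \"*.example-pay.com\"))
        return \"PROXY 192.0.2.10:8080\";
    return \"DIRECT\";
}
'''

if __name__ == '__main__':
    result = triage(IE_SAMPLE, FIREFOX_SAMPLE, PAC_SAMPLE)
    for name, value, why in result['settings']:
        print(f'{name:30} {why:34} {value}')
    print('hosts diverted by the PAC script:', ', '.join(result['proxied_hosts']))
```

The host list is the useful output for an investigation: a PAC file that returns DIRECT for everything except a handful of banking or payment domains is the fingerprint of a targeted MITM rather than a generic proxy, and those domains tell you which credentials to assume were phished. Chrome on Windows reads the same Internet Settings values as IE, so one registry check covers both.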
Comparing those samples with the executable in our lab suggested that it is the Ozone RAT’s server component, built with the Ozone builder. This assumption was further confirmed by our tests on the RAT, discussed later in this article.\r\nIt turns out that this is the “loader-only” version of the server. The core module (a DLL) containing all the RAT capabilities must first be received from the client. After announcing its presence to the client, the server waits for the operator to manually initiate the transfer of the module.\r\nFig. 6 Server must wait for the core DLL from client\r\nOnce the encrypted core module has been sent, it is dropped as “data.dbf” in the same directory as the server. The file is later read and decrypted in memory for loading. The same file can also be found in the Ozone package.\r\nFig. 7 Encrypted and decrypted core module\r\nThe server then uses a technique called Reflective DLL Injection: it loads the decrypted module directly from a memory buffer, rather than from a file on disk, using the Delphi library BTMemoryModule. This library is commonly used to load a DLL stored in a binary’s own resource section. Here, however, the module does not come from the binary’s resources, so this is possibly an attempt to hide the module from process inspection, since a module loaded this way does not appear in the process’ list of loaded libraries. It is also possible that it is simply an adaptation of the other server version. 
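To make that evasion concrete, here is an added example (not from the post and not Ozone’s code) of the check a memory forensics step would run against such a process: walk page-aligned addresses of a process dump looking for PE headers, then report any image whose base the PEB loader list does not know about. A module mapped by BTMemoryModule, or by any other manual mapper, has exactly that signature. The process dump, the base addresses and the loader list below are constructed for the example; the header builder exists only to produce test input.

```python
import struct

PAGE = 0x1000           # scan granularity: image bases are page aligned
IMAGE_FILE_DLL = 0x2000


def build_fake_pe(size_of_image, is_dll, machine=0x14c):
    '''Assemble a minimal PE32 header (DOS stub, PE signature, COFF header and
    optional header) for the demo. Only the fields the scanner reads are filled in.'''
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    dos[0x3c:0x40] = struct.pack('<I', e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack('<HHIIIHH', machine, 1, 0, 0, 0, 0xe0, characteristics)
    opt = bytearray(0xe0)
    opt[0:2] = struct.pack('<H', 0x10b)            # PE32 magic
    opt[56:60] = struct.pack('<I', size_of_image)  # SizeOfImage
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt)


def find_pe_images(memory, base=0):
    '''Walk a memory dump at page granularity and return (address, machine,
    size_of_image, is_dll) for every plausible PE header found.'''
    found = []
    for off in range(0, len(memory) - 0x40, PAGE):
        if memory[off:off + 2] != b'MZ':
            continue
        e_lfanew = struct.unpack_from('<I', memory, off + 0x3c)[0]
        pe = off + e_lfanew
        if e_lfanew > 0x400 or pe + 84 > len(memory):
            continue
        if memory[pe:pe + 4] != b'PE' + bytes(2):
            continue
        machine, _, _, _, _, _, characteristics = struct.unpack_from('<HHIIIHH', memory, pe + 4)
        magic = struct.unpack_from('<H', memory, pe + 24)[0]
        if magic not in (0x10b, 0x20b):            # PE32 / PE32+
            continue
        size_of_image = struct.unpack_from('<I', memory, pe + 24 + 56)[0]
        found.append((base + off, machine, size_of_image, bool(characteristics & IMAGE_FILE_DLL)))
    return found


def unbacked_images(memory, base, loader_list):
    '''loader_list: {base_address: module_name} as the PEB reports it (ListDLLs,
    Process Hacker, Volatility ldrmodules). A PE image at an address the loader
    never registered is what a manually mapped module looks like.'''
    return [img for img in find_pe_images(memory, base) if img[0] not in loader_list]


# --- Constructed sample: host EXE at 0x400000 (known to the loader) and a
#     manually mapped DLL at 0x405000 that no loader list mentions. ---
SAMPLE_BASE = 0x400000
SAMPLE_LOADER_LIST = {0x400000: 'server.exe'}


def build_sample_dump():
    mem = bytearray(0x8000)
    exe = build_fake_pe(size_of_image=0x5000, is_dll=False)
    dll = build_fake_pe(size_of_image=0x2000, is_dll=True)
    mem[0:len(exe)] = exe
    mem[0x5000:0x5000 + len(dll)] = dll
    return bytes(mem)


if __name__ == '__main__':
    for addr, machine, size, is_dll in unbacked_images(build_sample_dump(), SAMPLE_BASE, SAMPLE_LOADER_LIST):
        print(f'unbacked PE at {addr:#010x}: machine={machine:#06x} SizeOfImage={size:#x} dll={is_dll}')
```

On a real dump this is what Volatility’s ldrmodules and malfind plugins automate, and the stronger form of the check uses the VAD rather than the header: a module loaded through BTMemoryModule lives in memory obtained from VirtualAlloc, so it is private executable memory with no file-backed image mapping behind it, and that remains true even if the loader wipes the MZ and PE signatures after mapping. Process inspection that only walks the PEB module list misses it entirely, which is the point the post makes.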
The adaptation question is taken up again below, in the discussion of the module’s RAT capabilities.\r\nOzone RAT\r\nThe Ozone RAT website has been active for a year, offering two package options: Standard ($20) and Platinum ($50). The latter includes a lifetime license and bonus features: a crypto-mining module and an MS Word exploit builder.\r\nFig. 8 Ozone Website\r\nIt was not difficult to find a “modified” version of the application for testing; we got hold of Ozone 0.55, although the demo video on the website shows that version 0.60 is already available.\r\nThe Ozone interface has all the characteristics of a typical RAT client: a main interface, a server builder and a control center.\r\nThe main interface shows the status of the running servers and the active ports used for communication.\r\nFig. 9 Main interface shows active connections\r\nBuilding a server component is very simple; one does not need to be an expert to build one and distribute it. As mentioned earlier, the server comes in two versions, “FAT” and “loader-only”. The former is bigger because the core module is already included in the server binary as a resource, and there loading the module reflectively makes sense because it avoids dropping additional files. In the loader-only version, as discussed above, the in-memory loading may be a process inspection evasion or simply an adaptation of the “FAT” version. The builder also offers to pack the binary with plain UPX.\r\nFig. 10 Builder for the customizable server binary\r\nAll RAT operations that the server can execute are found in the Control Center interface. This covers everything from simple file operations to fully controlling the system through a remote desktop. 
Its arsenal is common to RAT applications, with the exception of the hVNC (hidden VNC) module. Hidden VNC takes advantage of Windows’ support for multiple desktops to open a new, hidden desktop session for the attacker to control. Since applications running on another desktop are invisible from the user’s interactive desktop, an attacker can control the system and run applications without the user noticing. This is a tricky feature to implement.\r\nFig. 11 Control Center for the RAT operations\r\nIn an attempt to prevent malicious use, the website includes a list of Terms of Service (TOS) that threatens violators with a “license ban”. Among the terms are “You are not allowed to use it in malicious ways” and “You are not allowed to send out a bin to another person’s PC's without their permission.” For a tool intended only for legitimate purposes, however, shipping an exploit builder and hidden VNC as features is something of a contradiction between its stated purpose and its actual functionality.\r\nConclusion\r\nAn important lesson here is that malware actors still use simple but very effective social-engineering techniques to get those extra clicks from unaware and untrained users. Also, in this particular case, a RAT is installed on the system in addition to the MITM proxy setup. This layered setup shows how badly an attacker wants control of a system.\r\nWith RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from its website, or simply download “modified” versions like the one we used in our tests for this article. Some are publicly available and can be attractive to curious minds. 
Just a few words of caution, though. This can be a cunning ordeal: these “modified” versions may themselves be the malware. Without an understanding of how malware schemes work, you may become one of the first victims before even starting your first attack.\r\nFig. 12 Keylog from the server installed by the modified Ozone RAT client\r\nIOCs\r\n70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982 - W32/OzoneRAT.A!tr\r\n71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17 - JS/Nemucod.C060!tr.dldr\r\n-= FortiGuard Lion Team =-\r\nSource: https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html"
	],
	"report_names": [
		"german-speakers-targeted-by-spam-leading-to-ozone-rat.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8656c287648618f54643cbcbc9f8aa1c9378d0ee.pdf",
		"text": "https://archive.orkl.eu/8656c287648618f54643cbcbc9f8aa1c9378d0ee.txt",
		"img": "https://archive.orkl.eu/8656c287648618f54643cbcbc9f8aa1c9378d0ee.jpg"
	}
}