Live Threats
  • [STRUTS] Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.
  • [LAZARUS] North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.
  • [DEEPFAKE] Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.
  • [CHROME] CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.
  • [HIPAA] HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.
  • [CISA KEV] CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.
Threat Intel | Severity: High

RATty Remote Access Trojan Spreads via PDF Invoices — Bypasses Security Scanners on Windows, Mac, and Linux

Published May 22, 2026
Current as of May 22, 2026
5 min read
Source: CyberScoop / HP Wolf Security
Affected Systems
  • Windows 10 and 11 endpoints
  • macOS systems (Intel and Apple Silicon)
  • Linux workstations and servers
  • Microsoft 365 email and Outlook
  • Gmail and Google Workspace
Executive Summary

Security researchers uncovered a sophisticated multi-stage phishing campaign using malicious PDF invoices to deliver the RATty Remote Access Trojan. The attack leverages Dropbox and Ngrok infrastructure to bypass traditional email security scanners and infects Windows, Linux, and macOS systems.

How the Attack Works

The RATty campaign uses a multi-stage delivery technique designed to evade traditional email security. The attack begins with a phishing email that appears to be a routine invoice from a known vendor — the subject lines are typically "Invoice #XXXXX — Payment Due" or "Past Due Invoice — Action Required." The email body is brief and professional, containing a PDF attachment described as the invoice. The PDF itself is not directly malicious — it contains a link that appears to be a "View Invoice Online" button. When the user clicks the link, they are taken to a Dropbox or Ngrok-hosted page that appears to be a legitimate invoice portal. The page then prompts the user to download a "PDF viewer" or "document plugin" to view the invoice. The downloaded file is the RATty Remote Access Trojan, which installs itself on the victim's system and establishes a persistent backdoor to attacker-controlled infrastructure.

Why This Bypasses Traditional Email Security

Traditional email security scanners primarily analyze attachments for known malicious signatures and examine links against blocklists of known malicious domains. The RATty campaign is designed to defeat both of these protections. The initial PDF attachment contains no malicious code — it is a clean PDF with a link to a Dropbox or Ngrok URL. These are legitimate services that are not on any blocklist. The malicious payload is not delivered via the email at all — it is downloaded from Dropbox or Ngrok after the user clicks the link. This means the email passes through all security scanners without detection. The actual malware is only downloaded when the user interacts with the PDF, at which point the email security system is no longer involved. HP Wolf Security found that this technique successfully bypassed email filtering in 73% of test environments using traditional signature-based email security.

Cross-Platform Infection

RATty is a cross-platform Remote Access Trojan with variants for Windows, macOS, and Linux. The Windows variant is delivered as a .exe file disguised as a PDF viewer plugin. The macOS variant is a .dmg file that appears to be a legitimate document viewer application. The Linux variant is a shell script that downloads and executes the RATty payload. Once installed, RATty provides the attacker with full remote access to the victim system including screen capture, keystroke logging, file access, webcam control, and microphone recording. The malware also includes modules for stealing credentials from browsers, password managers, and SSH key files. RATty communicates with attacker infrastructure using encrypted channels over common ports (443 and 8080) to blend in with normal HTTPS traffic.

Defending Against PDF-Based Malware Delivery

The most effective defense against this attack is to block or heavily scrutinize links to Dropbox, Ngrok, and other file hosting services in email attachments. If your email security system supports URL rewriting, configure it to rewrite all links in incoming emails and scan the destination before allowing the user to access it. Implement advanced email sandboxing that actually opens PDF attachments and follows embedded links in an isolated environment before delivering the email to the user. Train employees to verify invoices by calling the vendor at a known phone number before clicking any links or downloading any files. Deploy EDR with behavioral detection on all endpoints including Mac and Linux — signature-based antivirus will not detect new RATty variants. Segler.Net can review your email security configuration and implement advanced sandboxing controls.
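The bypass described above works because the attachment itself is clean and only its embedded link points at Dropbox or Ngrok, so a gateway check has to look at the link targets inside the PDF rather than at the file's signature. The following added example (not code from the original article, CyberScoop or HP Wolf Security) pulls every URI action out of an uncompressed PDF and flags those whose host falls under a watched file-hosting or tunnel service; the sample PDF is constructed inline, and the Ngrok domain suffixes are an assumption to tune to your own policy.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hosting/tunnel services the article names as abused for the second stage.
# The exact Ngrok suffixes are an assumption; tune the list to your policy.
WATCHED_SUFFIXES = ("dropbox.com", "dropboxusercontent.com",
                    "ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok.dev")

# A PDF link annotation carries its target as /URI (literal) or /URI <hex>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI-action target found in the PDF's uncompressed objects."""
    uris = []
    for literal, hexstr in _URI_RE.findall(pdf_bytes):
        if hexstr:
            raw = bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii"))
        else:  # undo the PDF literal-string escapes for ( ) and backslash
            raw = re.sub(rb"\\([()\\])", rb"\1", literal)
        uris.append(raw.decode("latin-1"))
    return uris


def flag_uri(uri: str) -> str | None:
    """Return the matched watched suffix, or None if the host is not watched."""
    host = (urlparse(uri).hostname or "").lower()
    for suffix in WATCHED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def scan_pdf(pdf_bytes: bytes) -> dict[str, str | None]:
    """Map each embedded link to the watched service it points at (or None)."""
    return {uri: flag_uri(uri) for uri in extract_pdf_uris(pdf_bytes)}


# Constructed sample: a minimal, uncompressed PDF with two link annotations,
# a "View Invoice Online" link to Dropbox and a link to the vendor's own site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://www.dropbox.com/s/EXAMPLE/invoice.html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
  /A << /S /URI /URI (https://vendor.example/invoices/1234) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Real attachments often keep their annotation objects inside FlateDecode object streams, so a gateway check should inflate those streams (or use a full PDF parser) before running the same extraction; a flagged link is a reason to sandbox or hold the message, not proof of malice on its own.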

Intel last verified: May 22, 2026 — Threat status, patch availability, and affected systems are current as of this date.
Key Takeaways & Action Items
  • Block Dropbox and Ngrok links at your email gateway unless explicitly approved for business use
  • Implement advanced email sandboxing that detonates PDF attachments and analyzes embedded links before delivery
  • Train employees to never click links in PDF attachments from unknown senders — verify invoices by calling the vendor directly
  • Deploy EDR with behavioral detection on all endpoints including Mac and Linux systems — this attack is cross-platform
  • Segler.Net can review your email security configuration and implement sandboxing to stop PDF-based malware delivery