Recent HTML Deception Campaign Distributes DCRat Malware to Russian-Speaking Users
Russian-speaking individuals have become targets in a fresh campaign circulating a trojan named DCRat (also known as DarkCrystal RAT) using a method referred to as HTML smuggling.
This is the first time the malware has been observed delivered via this technique, a departure from previously seen delivery methods such as compromised or counterfeit websites, or phishing emails carrying PDF attachments or macro-laden Microsoft Excel files.
“HTML smuggling predominantly serves as a vehicle for delivering payloads,” Netskope researcher Nikhil Hegde noted in an analysis released on Thursday. “The payload may be inserted within the HTML code itself or retrieved from an external source.”
The HTML file itself can be distributed via fake websites or malspam campaigns. Once the file is opened in the user's web browser, script inside the page decodes the embedded (or fetched) payload and writes it to disk as a download, without the file ever crossing the network in its final form.
The attack then relies on a degree of social manipulation to persuade the user to open the malevolent payload.
Netskope reported the existence of HTML pages impersonating TrueConf and VK in Russian that, when accessed through a web browser, automatically download a password-protected ZIP archive to the disk in an effort to evade detection. The ZIP archive contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.
Initially launched in 2018, DCRat can operate as a comprehensive backdoor that can be paired with additional add-ons to broaden its capabilities. It can carry out shell commands, record keystrokes, and extract files and credentials, among others.
Organizations are advised to inspect HTTP and HTTPS traffic for connections to known malicious domains. Since the smuggled archive is assembled inside the browser rather than fetched as a file, browser-initiated downloads of password-protected archives from unfamiliar sites should also be treated as suspicious.
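Because the payload is reconstructed client-side, the HTML file is the artifact worth triaging. The following is an added example, not Netskope's tooling or anything from the campaign: a small static scanner that flags the JavaScript APIs HTML-smuggling pages rely on, decodes any large base64 literal, and checks the magic bytes and the ZIP encryption flag (mirroring the password-protected archive described above). The sample page, the dummy archive and the indicator list are all constructed for the demonstration; the impersonated-site text is only illustrative.

```python
"""
Static triage of an HTML file for HTML-smuggling indicators (added example).

Builds a constructed sample page that embeds a base64-encoded ZIP the way a
smuggling page would, then scans it for the JavaScript download APIs such pages
use and inspects any decoded payload for its file type and ZIP encryption flag.
"""
import base64
import io
import re
import struct
import zipfile

# JavaScript calls commonly chained to turn an in-page blob into a saved file.
# The list is an assumption for this example, not an exhaustive signature set.
JS_INDICATORS = {
    "atob(": "base64 decode of an embedded payload",
    "new Blob(": "in-memory file object assembled from decoded bytes",
    "createObjectURL(": "blob: URL used as the download target",
    "msSaveOrOpenBlob(": "legacy IE/Edge save-blob API",
    ".download =": "anchor download attribute (forces save as file)",
    ".click()": "programmatic click to trigger the download without user action",
}

# Base64 runs long enough to hold a file rather than an inline icon or font.
B64_RE = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")

MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",
    b"%PDF": "pdf",
}


def identify(data: bytes) -> str:
    """Classify a decoded blob by its leading magic bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header
    marks a password-protected (traditionally encrypted) entry."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def scan_html(html: str) -> dict:
    """Return the indicators found, the decoded payloads and a crude score."""
    hits = {k: v for k, v in JS_INDICATORS.items() if k in html}
    payloads = []
    for m in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid base64, e.g. a long hex or token string
        kind = identify(blob)
        payloads.append({
            "size": len(blob),
            "type": kind,
            "encrypted_zip": kind == "zip" and zip_is_encrypted(blob),
        })
    score = len(hits)
    score += sum(2 for p in payloads if p["type"] != "unknown")
    score += sum(2 for p in payloads if p["encrypted_zip"])
    return {"indicators": hits, "payloads": payloads,
            "score": score, "suspicious": score >= 4}


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed dummy archive; with encrypted=True the encryption bit in the
    local header is set to mimic a password-protected ZIP (header only; the
    central directory is left untouched, which is enough for this check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("dummy.bin", b"constructed dummy payload, not an executable\n" * 10)
    data = bytearray(buf.getvalue())
    if encrypted:
        (flags,) = struct.unpack_from("<H", data, 6)
        struct.pack_into("<H", data, 6, flags | 0x0001)
    return bytes(data)


# Constructed sample page: decodes the embedded blob and forces a download.
SAMPLE_HTML = """<!doctype html><html><body>
<p>TrueConf ...</p>
<script>
  var bin = atob("__B64__");
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], {type: "application/zip"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "setup.zip";
  document.body.appendChild(a);
  a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(build_sample_zip(True)).decode())

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML)
    for k, v in report["indicators"].items():
        print(f"[indicator] {k:<20} {v}")
    for p in report["payloads"]:
        print(f"[payload] {p['type']} {p['size']} bytes encrypted_zip={p['encrypted_zip']}")
    print("suspicious:", report["suspicious"], "score:", report["score"])
```

The score threshold is deliberately loose; in practice the useful signal is the combination of a decoded archive and an automatic download, which a benign page almost never produces. The same scanner can be pointed at HTML bodies captured from a proxy to support the traffic inspection recommended above.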
The disclosure coincides with Russian businesses being targeted by a threat cluster tracked as Stone Wolf, which seeks to infect them with Meduza Stealer via deceptive emails purporting to originate from a legitimate provider of industrial automation solutions.

“Attackers persist in utilizing archives containing both malicious content and genuine attachments to divert the attention of the victim,” BI.ZONE stated. “By exploiting the names and information of real entities, perpetrators have a higher likelihood of deceiving individuals into downloading and revealing harmful attachments.”
The findings also follow the emergence of malicious campaigns that may have leveraged generative artificial intelligence (GenAI) to write the VBScript and JavaScript code responsible for distributing AsyncRAT via HTML smuggling.
“The composition of the scripts, comments, and selection of function names and variables provided strong indications that the threat actor utilized GenAI to produce the malware,” HP Wolf Security explained. “This activity displays how GenAI is hastening attacks and lowering the barrier for cybercriminals to infect devices.”