Gophish Tool Utilized in Phishing Operations to Deploy Remote Access Trojans

A new phishing scheme is targeting Russian-speaking individuals, employing an open-source tool called Gophish to distribute DarkCrystal RAT (also known as DCRat) and an undocumented remote access trojan named PowerRAT.

In an analysis published on Tuesday, Cisco Talos researcher Chetan Raghuprasad said the campaign uses modular infection chains that are either Maldoc-based or HTML-based and require user interaction to trigger.

The assessment that Russian-speaking users are the targets is based on the language of the phishing emails, the content of the decoy documents, links posing as Yandex Disk (“disk-yandex[.]ru”), and HTML pages disguised to resemble VK, a popular social network in Russia.

Gophish is a free, open-source phishing framework that lets organizations test their defenses using ready-made templates and email campaigns whose results are tracked in real time.

The unidentified threat actor responsible for the campaign has been observed using the toolkit to dispatch phishing emails to their targets and subsequently distribute either DCRat or PowerRAT, depending on the initial attack vector employed: a malicious Word document or an HTML file with embedded JavaScript.


Upon opening the malicious Word document and enabling macros, a deceptive Visual Basic (VB) macro is triggered to extract an HTML application (HTA) file (“UserCache.ini.hta”) and a PowerShell loader (“UserCache.ini”).

This macro is tasked with configuring a Windows Registry key so that the HTA file automatically launches each time the user logs into their device.

The HTA file, in turn, drops a JavaScript file (“UserCacheHelper.lnk.js”) that is responsible for executing the PowerShell loader; the JavaScript is run through the legitimate Windows script host “cscript.exe.”
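The chain described above leaves three distinct traces on an endpoint: a Run key whose value points at an HTA file, mshta.exe launching that HTA from the user's profile, and cscript.exe executing a .js file from the same location. The following detection logic is an added example, not code from the original article or from Talos; the event lines are constructed stand-ins whose key=value layout loosely follows Sysmon registry (EventID 13) and process-creation (EventID 1) events, and the file paths and user name are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from the original article). EventID 13 = registry
# value set, EventID 1 = process creation; values may themselves contain spaces.
SAMPLE_EVENTS = [
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UserCache "
    r"Details=C:\Users\alice\AppData\Roaming\UserCache.ini.hta",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive "
    r"Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=1 Image=C:\Windows\System32\cscript.exe "
    r"CommandLine=cscript.exe //nologo C:\Users\alice\AppData\Roaming\UserCacheHelper.lnk.js "
    r"ParentImage=C:\Windows\System32\mshta.exe",
    r"EventID=1 Image=C:\Windows\System32\cscript.exe "
    r"CommandLine=cscript.exe C:\Scripts\inventory.vbs ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\mshta.exe "
    r"CommandLine=mshta.exe C:\Users\alice\AppData\Roaming\UserCache.ini.hta "
    r"ParentImage=C:\Windows\explorer.exe",
]

# Split only on whitespace that is followed by a new "Key=" token, so that
# command lines containing spaces stay in one field.
FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")
# Anything under C:\Users\<name>\AppData\ is treated as the user's writable profile area.
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dictionary of fields."""
    fields: Dict[str, str] = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(fields: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event satisfies."""
    hits: List[str] = []
    event_id = fields.get("EventID")
    if event_id == "13":
        # Persistence: a Run-key value whose data is an HTA file.
        target = fields.get("TargetObject", "")
        details = fields.get("Details", "").lower()
        if RUN_KEY.search(target) and details.endswith(".hta"):
            hits.append("run_key_launches_hta")
    elif event_id == "1":
        image = basename(fields.get("Image", ""))
        cmd = fields.get("CommandLine", "")
        # Execution: a Windows script host running a .js file out of the user profile.
        if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.I) and USER_PROFILE.search(cmd):
            hits.append("script_host_runs_js_from_profile")
        # Execution: mshta.exe launching an HTA out of the user profile.
        if image == "mshta.exe" and ".hta" in cmd.lower() and USER_PROFILE.search(cmd):
            hits.append("mshta_runs_hta_from_profile")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line index, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for rule in evaluate(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

The benign OneDrive Run key and the cscript.exe run of a script under C:\Scripts are deliberately included so the rules can be checked for false positives as well as hits; the profile-path condition is what separates the two cscript.exe events.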

Raghuprasad elaborated, stating, “The PowerShell loader script, disguised as the INI file, includes a base64 encoded data blob of the PowerRAT payload, which is decoded and executed in the victim’s machine memory.”

In addition to conducting system reconnaissance, the malware acquires the drive serial number and establishes connections with servers in Russia (94.103.85[.]47 or 5.252.176[.]55) to receive further directives.

“[PowerRAT] is equipped to run additional PowerShell scripts or commands as instructed by the command-and-control server, potentially expanding the attack surface for additional infections on the victim’s system.”

In scenarios where no response is received from the server, PowerRAT possesses a feature that decodes and executes an embedded PowerShell script. To date, none of the scrutinized samples contain Base64-encoded strings, indicating that the malware is actively evolving.

The alternative infection path, which uses HTML files embedded with malicious JavaScript, kicks off a multi-stage process that ends with the deployment of the DCRat malware.

“After clicking on the malevolent link in the phishing email, an HTML file with malicious JavaScript opens on the victim’s browser and simultaneously triggers the JavaScript,” as observed by Talos. “The JavaScript embeds a Base64-encoded data blob of a 7-Zip archive containing a malevolent SFX RAR executable.”

Contained within the archive file (“vkmessenger.7z”), which is delivered via HTML smuggling, is a password-protected SFX RAR file containing the RAT payload.
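Because the archive arrives as a Base64 blob inside JavaScript rather than as a conventional download, a content filter that only inspects attachments and URLs never sees a 7-Zip file. One way to catch the pattern at the HTML layer is to decode every long Base64 run on the page and check the leading bytes against archive signatures, and to look for the browser APIs that HTML smuggling needs to turn a decoded blob into a download. The scanner below is an added example, not code from the original article or from Talos; the sample page it scans is constructed here (a harmless inline PNG plus a blob that carries only the 7-Zip signature followed by zero padding), and the 200-character minimum blob length is an assumed tuning value.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# File signatures worth flagging when found at the start of a decoded blob.
MAGICS = {
    "7z archive": b"7z\xbc\xaf\x27\x1c",
    "RAR archive": b"Rar!\x1a\x07",
    "ZIP archive": b"PK\x03\x04",
}
# Browser APIs typical of HTML smuggling: decode in the page, wrap the bytes in a
# Blob, and hand the user an object URL with a download name.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", ".download")
# A run of at least 200 Base64 characters (assumed threshold); blobs that are
# line-wrapped would be split into several runs and may fall below it.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample page (not the campaign's HTML). The only payload-like content
# is a 7-Zip signature followed by zeros, so nothing here is a real archive.
SAMPLE_HTML = (
    '<html><body><img src="data:image/png;base64,'
    + _b64(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300)
    + '"><script>var p="'
    + _b64(MAGICS["7z archive"] + b"\x00" * 300)
    + '";var d=atob(p);var u=URL.createObjectURL(new Blob([d]));'
    "a.download='vkmessenger.7z';</script></body></html>"
)


def decoded_blobs(html: str) -> List[Tuple[int, bytes]]:
    """Decode every long Base64 run; return (offset, bytes) for the ones that decode."""
    blobs: List[Tuple[int, bytes]] = []
    for match in BASE64_RUN.finditer(html):
        try:
            blobs.append((match.start(), base64.b64decode(match.group(0), validate=True)))
        except binascii.Error:
            continue  # long but not valid Base64 (e.g. a minified identifier)
    return blobs


def embedded_payloads(html: str) -> List[Tuple[str, int]]:
    """Return (signature label, decoded size) for every blob that starts with a known magic."""
    hits: List[Tuple[str, int]] = []
    for _, data in decoded_blobs(html):
        for label, magic in MAGICS.items():
            if data.startswith(magic):
                hits.append((label, len(data)))
    return hits


def smuggling_indicators(html: str) -> List[str]:
    """Return the smuggling-related API strings present in the page."""
    return [api for api in SMUGGLING_APIS if api in html]


def assess(html: str) -> Dict[str, object]:
    """Combine both signals: an embedded archive plus at least two smuggling APIs."""
    payloads = embedded_payloads(html)
    apis = smuggling_indicators(html)
    return {
        "payloads": payloads,
        "apis": apis,
        "suspicious": bool(payloads) and len(apis) >= 2,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

The inline PNG is there on purpose: it decodes cleanly but matches no archive signature, so it shows that the check keys on the decoded bytes rather than on the mere presence of a large Base64 string. Requiring both signals keeps a page that merely embeds a data: image, or merely uses `atob`, from being flagged on its own.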


It is worth noting that the same infection sequence was previously documented by Netskope Threat Labs in connection with a campaign that used counterfeit HTML pages imitating TrueConf and VK Messenger to deliver DCRat. The use of an embedded self-extracting archive has also been seen before in campaigns distributing SparkRAT.

“The SFX RAR executable contains the malicious loader or dropper executables, batch file, and a decoy document in certain instances,” Raghuprasad remarked.

“GOLoader dumps the SFX RAR and the bogus Excel spreadsheet file in the temporary folder of the user’s profile on the infected machine and simultaneously executes the GOLoader along with unveiling the dummy file.”

The Golang-based loader is also designed to fetch the DCRat binary as a stream of bytes from an external location via a hardcoded URL pointing to a GitHub repository that no longer exists, and to save it under the name “file.exe” in the Desktop directory on the victim’s system.

DCRat is a modular RAT that can steal sensitive information, capture screenshots and keystrokes, grant remote control of the compromised system, and download and launch additional files.

“It establishes continual presence on the infected machine by setting up multiple Windows tasks to execute at various intervals or at the time of Windows login,” as asserted by Talos. “To establish contact with the C2 server, the RAT communicates via a URL hardcoded in the RAT configuration file […] and transfers the sensitive data gathered from the infected machine.”

This development arises as Cofense has cautioned about phishing campaigns that embed malevolent content in virtual hard disk (VHD) files as a tactic to evade detection by Secure Email Gateways (SEGs) and ultimately dispense Remcos RAT or XWorm.

“The attackers dispatch emails with attachments in .ZIP format containing files of virtual hard drives or embedded links for downloads that encompass a virtual hard drive file that can be mounted and perused by a target,” said security researcher Kahng An. “From here, a target can be deceived into executing malicious payload.”
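A gateway that scans ZIP attachments for executables will miss this technique if it never looks inside the archive for disk images, and an extension check alone is defeated by renaming the image. The helper below inspects each ZIP member both by extension and by the VHD footer signature (“conectix”), which a fixed VHD carries in its final 512 bytes and which dynamic and differencing VHDs additionally mirror at offset 0. It is an added example, not code from the original article or from Cofense; the attachment it inspects is built in memory from a 1 KiB stand-in that contains only the signature and zero padding, so it is not a mountable image.

```python
import io
import zipfile
from typing import List, Tuple

VHD_COOKIE = b"conectix"   # first 8 bytes of the Microsoft VHD footer
DISK_IMAGE_EXTS = (".vhd",)


def looks_like_vhd(data: bytes) -> bool:
    """True if the bytes carry the VHD footer cookie at the start or in the last 512 bytes."""
    return data.startswith(VHD_COOKIE) or data[-512:].startswith(VHD_COOKIE)


def inspect_zip_attachment(blob: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that is, or looks like, a disk image."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            data = archive.read(info)
            if name.endswith(DISK_IMAGE_EXTS):
                findings.append((info.filename, "disk image by extension"))
            elif looks_like_vhd(data):
                # Extension lies; the content is still a VHD.
                findings.append((info.filename, "VHD signature under non-VHD name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment (not from the campaign): a fake VHD, a renamed copy, a text file."""
    # 512 bytes of "disk" plus a 512-byte footer, with the cookie mirrored at offset 0
    # the way a dynamic VHD does it; everything else is zero padding.
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    fake_vhd = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE)) + footer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("scan.vhd", fake_vhd)
        archive.writestr("invoice.pdf", fake_vhd)       # renamed to dodge an extension filter
        archive.writestr("readme.txt", "Please see the attached scan.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

Reading whole members into memory is acceptable for an attachment-sized ZIP; for large archives the footer check can instead seek to the last 512 bytes of the decompressed stream. The renamed member is the case worth testing, since it is the one a name-based filter lets through.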
