Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users leverages the open-source phishing toolkit Gophish to deliver DarkCrystal RAT (also known as DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.


The campaign uses modular infection chains that are either maldoc- or HTML-based and require the victim's intervention to trigger the infection sequence, Cisco Talos researcher Chetan Raghuprasad said in an analysis published Tuesday.

The focus on Russian-speaking users is inferred from the language of the phishing emails, the lure content in the malicious documents, links posing as Yandex Disk ("disk-yandex[.]ru"), and HTML pages impersonating VK, a social network used predominantly in that region.

Gophish is an open-source phishing framework that lets organizations test their exposure to phishing by using ready-made templates to launch email campaigns that can be tracked in near real time.
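Because the same toolkit serves red teams and this campaign, mail-security teams sometimes want a quick check for its default fingerprints. The Python script below is an added example, not code from the Talos report or the Gophish project. It relies on three well-known Gophish defaults: a hardcoded "X-Mailer: gophish" header, an optional "X-Gophish-Contact" header carrying the operator's contact address, and a recipient id passed as the "rid" query parameter on every templated link and on the /track tracking pixel. An operator can patch these out of the source, so a hit is triage evidence, not proof. The sample message, its domain and its recipient id are constructed for the demonstration.

```python
"""Flag the default Gophish fingerprints in a raw email message.

Added illustration; not from the Talos report or the Gophish code base.
Defaults checked (removable by anyone who modifies Gophish, so weak evidence):
  * "X-Mailer: gophish" header,
  * "X-Gophish-Contact" header, present when a contact address is configured,
  * "rid" query parameter on templated links and on the /track pixel.
The sample .eml below is constructed; domain and recipient id are made up.
"""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

SAMPLE_EML = """\
From: "Yandex Disk" <no-reply@disk-yandex.example>
To: victim@example.ru
Subject: Document shared with you
X-Mailer: gophish
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A file was shared with you.</p>
<a href="https://disk-yandex.example/?rid=a1b2c3d">Open file</a>
<img src="https://disk-yandex.example/track?rid=a1b2c3d" width="1" height="1">
</body></html>
"""

URL_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.IGNORECASE)


def find_gophish_indicators(raw_message: str) -> dict:
    """Return the indicators found; empty "headers" and "rid_urls" means nothing matched."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {"headers": [], "rid_urls": [], "tracking_pixel": False}

    # Header fingerprints: X-Mailer is set to "gophish" by the mailer itself;
    # X-Gophish-Contact is emitted only when the operator configured a contact address.
    xmailer = msg.get("X-Mailer", "")
    if xmailer.strip().lower() == "gophish":
        found["headers"].append(f"X-Mailer: {xmailer}")
    if msg.get("X-Gophish-Contact"):
        found["headers"].append(f"X-Gophish-Contact: {msg['X-Gophish-Contact']}")

    # Link fingerprints: the templated {{.URL}} and the {{.Tracker}} pixel both carry ?rid=<id>.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if "rid" in parse_qs(parsed.query):
            found["rid_urls"].append(url)
            if parsed.path.endswith("/track"):
                found["tracking_pixel"] = True
    return found


def is_likely_gophish(raw_message: str) -> bool:
    """A header hit, or rid-tracked links together with the /track pixel, is enough to triage."""
    ind = find_gophish_indicators(raw_message)
    return bool(ind["headers"]) or (bool(ind["rid_urls"]) and ind["tracking_pixel"])


if __name__ == "__main__":
    print(find_gophish_indicators(SAMPLE_EML))
```

Run it against a saved .eml to see which of the three defaults survived; a campaign that stripped all of them still has to carry a per-recipient identifier somewhere, which is why the link check keys on the query parameter rather than on the header alone.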

The unidentified threat actor behind the campaign has been observed using the toolkit to send phishing messages to targets and then deliver DCRat or PowerRAT, depending on the initial access vector: either a malicious Microsoft Word document or an HTML file with embedded JavaScript.

When the maldoc is opened and macros are enabled, a malicious Visual Basic (VB) macro runs and drops an HTML Application (HTA) file named "UserCache.ini.hta" and a PowerShell loader named "UserCache.ini".

The macro is also responsible for creating a Windows Registry key that launches the HTA file automatically every time the user logs in.

The HTA file, in turn, drops a JavaScript file named "UserCacheHelper.lnk.js" that is responsible for launching the PowerShell loader. The JavaScript is executed with cscript.exe, a legitimate Windows script host.

“The PowerShell loader script disguised as the INI file contains a base64 encoded data section of the PowerRAT payload, which is decoded and executed in the memory of the victim’s machine,” revealed Raghuprasad.

Besides performing system reconnaissance, the malware collects the drive serial number and connects to remote servers located in Russia (94.103.85[.]47 or 5.252.176[.]55) to receive further instructions.

“[PowerRAT] possesses the capability to execute other PowerShell scripts or commands as instructed by the [command-and-control] server, thus providing the means for further infections on the victim’s machine.”

If the server does not respond, PowerRAT includes a feature that decodes and executes an embedded PowerShell script. None of the samples analyzed so far contained the Base64-encoded strings, indicating the malware is still under active development.

The alternate infection chain, which uses HTML files with embedded malicious JavaScript, triggers a multi-stage process that ends with the deployment of DCRat.

"Upon clicking the fraudulent link in the phishing email, an HTML file from a remote location containing malicious JavaScript opens in the victim's browser and simultaneously activates the JavaScript," Talos said. "The JavaScript contains a Base64-encoded data section of a 7-Zip archive of a malicious SFX RAR executable."

Nested inside the archive ("vkmessenger.7z"), which is delivered via a technique known as HTML smuggling, is another password-protected SFX RAR that contains the RAT payload.
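The smuggling step described above is worth seeing in concrete terms, because the browser never fetches a file: the archive exists only as a string inside the script until JavaScript decodes it and offers it for download. The Python triage script below is an added example, not code from the Talos report or from the campaign. It pulls Base64 literals out of the script blocks of a saved page, decodes them, identifies the result by its leading magic bytes, and records the JavaScript APIs and download name the page uses. The sample page is constructed to mimic the pattern; its "archive" is a fake 7-Zip header plus filler, and the second sample (a PE stub with a RAR5 signature inside it) is a constructed stand-in for what a RAR SFX looks like once extracted, to show that a self-extracting archive is classified as an executable carrying an archive rather than as an archive.

```python
"""Triage an HTML-smuggling page: extract the Base64 blob, decode it, identify the drop.

Added illustration; not from the Talos report or the campaign. SAMPLE_HTML is
constructed to mimic the described page and FAKE_7Z / FAKE_SFX are fake headers
with filler, not real archives or executables.
"""
import base64
import re

# Leading signatures, most specific first.
MAGIC = [
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"Rar!\x1a\x07\x01\x00", "RAR5 archive"),
    (b"Rar!\x1a\x07\x00", "RAR4 archive"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"MZ", "PE executable"),
]
# JavaScript a smuggling page needs to turn a string into a file download.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(", ".download")

B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")
DOWNLOAD_NAME = re.compile(r"""\.download\s*=\s*["']([^"']+)["']|download=["']([^"']+)["']""")
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def identify_payload(data: bytes) -> str:
    """Classify decoded bytes by magic. A PE with an archive signature inside is reported as
    a self-extracting archive, which is what the SFX RAR in this chain looks like on disk."""
    kind = next((name for sig, name in MAGIC if data.startswith(sig)), "unknown")
    if kind == "PE executable":
        for sig, name in MAGIC[:3]:
            if data.find(sig, 2) != -1:
                return f"PE executable with embedded {name} (likely SFX)"
    return kind


def triage_html(html: str) -> dict:
    """Return the smuggling APIs seen, the proposed file name, and each decoded blob's type and size."""
    result = {"apis": [], "download_name": None, "payloads": []}
    for script in SCRIPT_BLOCK.findall(html):
        result["apis"] += [a for a in SMUGGLING_APIS if a in script and a not in result["apis"]]
        m = DOWNLOAD_NAME.search(script)
        if m and not result["download_name"]:
            result["download_name"] = m.group(1) or m.group(2)
        for literal in B64_LITERAL.findall(script):
            try:
                blob = base64.b64decode(literal, validate=True)
            except ValueError:
                continue  # long string that is not valid Base64, e.g. minified code
            result["payloads"].append({"type": identify_payload(blob), "size": len(blob)})
    return result


# Constructed sample: a fake 7-Zip header followed by filler bytes.
FAKE_7Z = b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24 + b"constructed filler, not a real archive" * 2
SAMPLE_HTML = f"""<html><head><title>VK Messenger</title></head><body>
<script>
var data = "{base64.b64encode(FAKE_7Z).decode()}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "vkmessenger.7z";
document.body.appendChild(a);
a.click();
</script>
</body></html>"""

# Constructed stand-in for a RAR SFX: a PE stub with a RAR5 signature embedded after the header.
FAKE_SFX = b"MZ" + b"\x90" * 62 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(identify_payload(FAKE_SFX))
```

Pointing `triage_html` at a page saved from a proxy or sandbox tells you what would have landed in the Downloads folder without ever executing the script; the `apis` list is also a reasonable feature for a content rule, since a legitimate page rarely needs `atob`, `Blob`, `createObjectURL` and a forced `download` together.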

It is worth noting that this specific infection flow was previously documented by Netskope Threat Labs in connection with a campaign that used bogus HTML pages impersonating TrueConf and VK Messenger to distribute DCRat. The use of a nested self-extracting archive has also been observed in campaigns distributing SparkRAT.

“The SFX RAR executable comes bundled with the malicious loader or dropper executables, a batch file, and a camouflage document in some instances,” per Raghuprasad.

The SFX RAR drops the GOLoader and the decoy Excel spreadsheet into the temporary folder under the user's application data profile on the victim's machine, then runs the GOLoader while opening the decoy document.

The Golang-based loader is also designed to fetch the DCRat binary from a remote location via a hardcoded URL pointing to a GitHub repository, which has since been taken down, and save it as "file.exe" in the Desktop folder on the victim's machine.

DCRat is a configurable RAT that can steal sensitive information, capture screenshots and keystrokes, and give the operator remote control over the compromised system, including downloading and launching additional files.

Persistence on the victim's machine is established by setting up numerous Windows tasks that run at various intervals or at Windows login, Talos said. The RAT communicates with the C2 server through a predetermined URL in the RAT configuration file [...] and transmits the collected sensitive data from the victim's machine.
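Both chains leave host-level traces that a SOC can key on: the Run key pointing at an .hta, cscript.exe running a ".lnk.js" file, PowerShell loading a script disguised as an .ini, connections to the two PowerRAT servers, "file.exe" appearing on the Desktop, and a burst of scheduled-task creations. The Python detection below is an added example covering the maldoc/PowerRAT chain and the DCRat chain together; it is not Talos detection content. It runs over constructed Sysmon-style events (IDs 1, 3, 11 and 13); the user name, drop paths, parent processes and the exact PowerShell command line are assumptions, while the file names, double extensions, C2 addresses and the Desktop\file.exe drop come from the report. The rules are heuristics and the scheduled-task threshold is a tunable.

```python
"""Host-side detection for the maldoc/PowerRAT and HTML/DCRat chains over constructed Sysmon-style events.

Added illustration; not from the Talos report. Event shapes follow Sysmon Event IDs
1 (process create), 3 (network connect), 11 (file create) and 13 (registry value set).
Assumed: the user name, the Temp drop path, parent images and the PowerShell command line.
From the report: UserCache.ini.hta, UserCache.ini, UserCacheHelper.lnk.js, the C2 IPs,
and Desktop\\file.exe. Tune USER_WRITABLE and task_threshold to your estate.
"""
import re
from collections import Counter

POWERRAT_C2 = {"94.103.85.47", "5.252.176.55"}  # defanged as [.] in the report
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Desktop|Downloads|Public)\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"[\w-]+\.(lnk|ini|txt|pdf|docx?)\.(js|hta|vbs)\b", re.IGNORECASE)


def rule_autorun_hta(e):
    """Run-key value launching an .hta: the macro's login persistence for UserCache.ini.hta."""
    if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]) and e["Details"].lower().endswith(".hta"):
        return "registry Run key launches HTA"


def rule_script_host_double_ext(e):
    """cscript/wscript/mshta running a file whose name hides a second extension (.lnk.js, .ini.hta)."""
    if e["EventID"] != 1:
        return None
    image = e["Image"].lower().rsplit("\\", 1)[-1]
    if image in ("cscript.exe", "wscript.exe", "mshta.exe"):
        m = DOUBLE_EXT.search(e["CommandLine"])
        if m:
            return f"{image} executing double-extension script {m.group(0)}"


def rule_powershell_ini_loader(e):
    """PowerShell referencing a .ini in a user-writable path: the loader disguised as UserCache.ini."""
    if e["EventID"] == 1 and e["Image"].lower().endswith("powershell.exe"):
        if re.search(r"\S+\.ini\b", e["CommandLine"], re.IGNORECASE) and USER_WRITABLE.search(e["CommandLine"]):
            return "PowerShell loading script disguised as .ini"


def rule_powerrat_c2(e):
    """Direct IOC match on the two C2 addresses from the report."""
    if e["EventID"] == 3 and e["DestinationIp"] in POWERRAT_C2:
        return f"connection to PowerRAT C2 {e['DestinationIp']}"


def rule_desktop_file_exe(e):
    """A process in a user-writable path writing Desktop\\file.exe: the GOLoader dropping DCRat."""
    if e["EventID"] == 11 and e["TargetFilename"].lower().endswith("\\desktop\\file.exe") \
            and USER_WRITABLE.search(e["Image"]):
        return "loader in user-writable path wrote Desktop\\file.exe"


RULES = [rule_autorun_hta, rule_script_host_double_ext, rule_powershell_ini_loader,
         rule_powerrat_c2, rule_desktop_file_exe]


def detect(events, task_threshold=3):
    """Return (description, event index) pairs; the scheduled-task rule aggregates, so its index is -1."""
    hits = [(msg, i) for i, e in enumerate(events) for rule in RULES if (msg := rule(e))]
    # DCRat persistence: one parent in a user-writable path creating several scheduled tasks.
    creators = Counter(
        e["ParentImage"] for e in events
        if e["EventID"] == 1 and e["Image"].lower().endswith("schtasks.exe")
        and "/create" in e["CommandLine"].lower() and USER_WRITABLE.search(e["ParentImage"]))
    hits += [(f"{parent} created {n} scheduled tasks", -1) for parent, n in creators.items() if n >= task_threshold]
    return hits


TMP = r"C:\Users\victim\AppData\Local\Temp"  # assumed drop location
SAMPLE_EVENTS = [  # constructed events, in the order the chains would produce them
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UserCache",
     "Details": TMP + r"\UserCache.ini.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": f'cscript.exe "{TMP}\\UserCacheHelper.lnk.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": f'powershell.exe -w hidden -c "iex (gc {TMP}\\UserCache.ini)"'},  # assumed invocation
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationIp": "94.103.85.47"},
    {"EventID": 11, "Image": TMP + r"\GoLoader.exe", "TargetFilename": r"C:\Users\victim\Desktop\file.exe"},
    *[{"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Users\victim\Desktop\file.exe",
       "CommandLine": f"schtasks.exe /create /sc minute /mo {m} /tn task{m} /tr C:\\Users\\victim\\Desktop\\file.exe"}
      for m in (1, 5, 10)],
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign control event
]

if __name__ == "__main__":
    for msg, idx in detect(SAMPLE_EVENTS):
        print(f"[event {idx}] {msg}")
```

The per-event rules fire on a single record, which is cheap but brittle against renamed files; the scheduled-task rule deliberately aggregates across events, because a single `schtasks /create` from a Desktop binary is common enough in user land that only the burst is interesting.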

The development coincides with a warning from Cofense about phishing campaigns that embed malicious payloads inside virtual hard disk (VHD) files to evade Secure Email Gateways (SEGs) and deliver Remcos RAT or XWorm.

According to security researcher Kahng An, “Threat actors dispatch emails with attachments of .ZIP archives containing virtual hard drive files or links to downloads comprising a virtual hard drive file that can be mounted and explored by a victim, deceiving them into executing a malicious payload.”
