New Phishing Campaign Targets Russian-Speaking Users with Advanced Malware Deployment


Introduction

A new phishing campaign is actively targeting Russian-speaking users. It uses Gophish, an open-source phishing toolkit, to deliver malware that includes the DarkCrystal RAT (DCRat) and a newly identified remote access trojan called PowerRAT. The infection chain requires user interaction before any malware is installed. Beyond its use of open-source tooling, the campaign combines several evasion techniques to reach system compromise, which makes it a significant threat to individuals and organizations alike.


Overview of the Campaign and Targets

This phishing campaign has specifically targeted Russian-speaking individuals, a focus inferred from the language in phishing emails, document content, and the use of familiar Russian platforms such as Yandex Disk and VK as lures. The emails direct recipients to malicious links disguised to appear trustworthy, prompting them to download or execute files, ultimately initiating the infection process.

The toolkit used in the campaign, Gophish, is an open-source phishing platform originally built for testing an organization's resilience to phishing. The threat actor behind this campaign abuses Gophish's legitimate functionality to send phishing messages that lead victims to either a Microsoft Word document or an HTML file containing malicious scripts; which malware is deployed depends on which of the two lures the victim opens.

Technical Details of Malware Deployment

When a user opens the malicious document and enables macros, a rogue Visual Basic (VB) macro runs and drops two components: an HTML application (HTA) file and a PowerShell loader. The HTA file is launched automatically at the next user login; its embedded JavaScript then runs through the legitimate Windows component "cscript.exe" and carries the infection forward. The PowerShell loader deploys PowerRAT in memory on the victim's system. PowerRAT gathers system information, reads hard drive serial numbers, and contacts remote servers for further instructions.

If the command server does not respond, PowerRAT falls back to built-in logic that lets it run additional commands or PowerShell scripts on its own. This self-sufficiency points to ongoing development, suggesting the malware is becoming more adaptable and complex over time.


The HTML-Based Infection Chain

Another infection route in this campaign uses HTML files with embedded JavaScript to deploy DCRat. When a victim clicks the phishing link, the HTML file opens and its malicious JavaScript delivers a compressed archive through HTML smuggling. The archive is a self-extracting (SFX) RAR file holding password-protected components, including a loader and decoy documents. Once extracted, these files run and install the DCRat payload on the system.

The campaign utilizes a Golang-based loader that downloads DCRat from a hard-coded URL. DCRat is a powerful RAT with capabilities such as data theft, keystroke logging, and remote control access, allowing attackers to maintain a foothold in compromised systems and expand the infection with additional malware.

Evading Detection with New Techniques

To avoid detection by email security gateways, this campaign sometimes places virtual hard disk (VHD) files inside .ZIP archives. A VHD can be mounted as a drive, and its contents then appear to the user as ordinary files, which lets the payload slip past many security controls that only inspect the outer archive. Once the VHD is mounted, its contents lure the victim into executing the malicious payload. Together, these techniques give the attackers a better chance of reaching the target system while minimizing the chance of interception.
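A gateway-side check for the VHD-in-ZIP trick described above, as an added example written for this article rather than code from the campaign or any vendor: it walks a ZIP archive (one level of nesting included), identifies disk-image members by the VHD "conectix" footer cookie or the VHDX "vhdxfile" header signature rather than trusting the file extension, and returns the suspicious members. The archive it scans is constructed inline; real gateways would apply this to attachments before delivery.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Disk-image signatures: VHD keeps a 512-byte footer beginning with "conectix";
# VHDX begins with the 8-byte signature "vhdxfile" at offset 0.
VHD_FOOTER_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
DISK_IMAGE_EXTS = (".vhd", ".vhdx", ".iso", ".img")
MAX_DEPTH = 2  # how many nested ZIP layers to descend (bounded to avoid zip bombs)


def classify_member(name: str, data: bytes) -> Optional[str]:
    """Return a reason if this member looks like a mountable disk image, else None."""
    if data.startswith(VHDX_SIGNATURE):
        return "VHDX header signature"
    if len(data) >= 512 and data[-512:].startswith(VHD_FOOTER_COOKIE):
        return "VHD footer signature"
    if name.lower().endswith(DISK_IMAGE_EXTS):
        return "disk-image extension"
    return None


def scan_zip(blob: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """Scan a ZIP held in memory; yield (member path, reason) for disk-image members."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            reason = classify_member(info.filename, data)
            if reason:
                findings.append((info.filename, reason))
            elif data.startswith(b"PK\x03\x04") and depth < MAX_DEPTH:
                # Nested ZIP: gateways that stop at the outer layer miss these.
                for inner, why in scan_zip(data, depth + 1):
                    findings.append((f"{info.filename}/{inner}", why))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a decoy text file, a VHD renamed to hide its extension, and a VHDX."""
    fake_vhd = b"\x00" * 1024 + VHD_FOOTER_COOKIE + b"\x00" * 504  # body + 512-byte footer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "decoy content")
        zf.writestr("attachment.dat", fake_vhd)
        zf.writestr("report.vhdx", VHDX_SIGNATURE + b"\x00" * 128)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(f"FLAG {member}: {why}")
```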

Conclusion

This phishing campaign aimed at Russian-speaking users shows how cybercriminals keep adapting their techniques to bypass security defenses. With tools like Gophish and malware like PowerRAT and DCRat, the attackers deploy multi-layered infection chains and exploit familiar platforms to trick users into engaging with malicious content. As phishing tactics evolve, it becomes increasingly important for organizations and users to stay vigilant and adopt stronger security measures against these persistent threats.
