Security researchers have come across a new phishing campaign that’s targeting Russian citizens through emails. The actors are making use of an open-source phishing template creation tool called GoPhish.
The malicious actors are using GoPhish to deliver DarkCrystal RAT (aka DCRat) and a remote access trojan dubbed PowerRAT. It makes use of modular infection chains that are either Maldoc or HTML-based and require the victim’s intervention to trigger the exploit. The unknown threat actor behind the campaign has been observed to use the GoPhish toolkit to craft phishing messages to their targets and ultimately push DCRat or PowerRAT, depending on whether a malicious Microsoft Word document or an HTML embedding JavaScript was used to initiate the infection.
On receiving the crafted email, once the victim opens the malicious document and enables macros, a Visual Basic (VB) macro is executed to extract an HTML application (HTA) file (“UserCache.ini.hta”) and a PowerShell loader (“UserCache.ini”).
The macro configures a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.
The HTA file, for its part, drops a JavaScript file (“UserCacheHelper.lnk.js”) that’s responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named “cscript.exe.”. The PowerShell loader script appearing as the INI file contains a base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.
The malware performs system reconnaissance, collects the drive serial number and then connects back to remote CNC servers located in Russia (94.103.85[.]47 or 5.252.176[.]55) to exfiltrate data or receive further instructions.
Once a victim clicks on the malicious link provided in the email, a call is made to the remotely located HTML file, which contains the malicious JavaScript and opens in the victim machine’s browser, where it gets executed. The JavaScript payload leverages Base64 encoding to obfuscate a malicious SFX RAR executable. The 7-Zip archive, downloaded through HTML smuggling, contains a password-protected self-extracting RAR file that delivers the final malicious RAT payload.
The SFX RAR unpacks the malicious GOLoader and a benign-looking Excel document to the user’s temporary folder, executing the malware while distracting the victim. DCRat is a modular RAT that is designed to steal sensitive data, capture screenshots and keystrokes, provide remote access to the compromised system and facilitate the download and execution of additional files.
Several Windows tasks are created to run at different intervals or during the Windows login process to maintain persistence on the victim machine. The RAT utilizes a hardcoded URL in the RAT configuration file to communicate with its command-and-control server and steal sensitive information from the compromised system.
