[MART] - Daily Diary #539 - Ukrainian Targets Attacked by a Commercial RAT

[CTAS-MAT]

Hello,

I hope everyone is doing well!

Below is the entry for today.

06/27/2022 - Diary entry #539:

Dark Crystal Rat or DCRat is a commercial Remote Access Trojan that is available since 2018. Advertised in underground forums and written in .NET, DCRat’s focus is to steal credentials and cookies, monitor clipboard data, take screenshots, activate keylogging, and more.

Recently, several Ukrainian media outlets were targeted by a spam campaign with multiple infection vectors such as Follina (CVE-2022-30190) and an Excel macro-enabled document that was used to deploy a DCRat variant.

The attack involving DCRat was executed in a few stages, using the process Dllhelper.exe with a polymorphic technique to increase the process' size randomly to avoid hash-based detection. Next, it loads the DCRat in the memory of a legitimate process.

The use of commercial RATs by skilled threat actors can be leveraged to infect as many devices as possible and prepare for a more sophisticated attack.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220627/3c3f501f/attachment.htm>