[MART] - Daily Diary #511 - PowerShell RAT Targets Ukrainian Supporters In Germany

CTAS-MAT ctas-mat at appgate.com
Mon May 16 20:40:35 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/16/2022 - Diary entry #511:

Recently, a new custom malware was found being distributed from a fake German website. Dubbed PowerShell RAT, the obfuscated PowerShell payload is triggered when victims download and open a fake document that supposedly contains "information about the situation in Ukraine".

The document, named "2022-Q2-Bedrohungslage-Ukraine.zip", contains a CHM file (Microsoft's HTML Help format) made up of several HTML files that embed the initial payload. That payload downloads another malicious script from the same fake website, which in turn drops two files: "Status.txt", containing the PowerShell RAT, and "MonitorHealth.cmd", which executes Status.txt and is registered as a scheduled task for persistence.

The PowerShell RAT then collects basic information about the victim's computer (current username, hostname, working directory, and a unique ID). Before sending the collected information, it bypasses the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function. The RAT can also download and upload files, load additional PS1 (PowerShell script) files, and execute arbitrary commands. All communication goes to another German server that serves as its command and control (C2).

This campaign was carefully crafted to target German citizens with a simple yet custom and stealthy payload. Attacks related to the Russia-Ukraine conflict usually raise suspicion toward Russian-linked threat actors; in this case, however, there is no evidence linking the actors to Russian state-sponsored groups.

Kind Regards,





Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
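A hunting example for the persistence step described in the entry above (a .cmd file registered as a scheduled task that launches the PowerShell payload stored in a .txt). This is an added example, not code from the diary entry or from the analysed sample. It parses Windows Security event 4698 ("a scheduled task was created") records, pulls the task's Exec actions out of the embedded TaskContent XML, and flags two patterns: a batch launcher living in a user-writable directory, and PowerShell being handed a non-.ps1 file. The three events, the user name, the file paths and the benign vendor task are constructed for the example; the "variant" event (PowerShell invoked directly with Status.txt) is a hypothetical generalisation, not something the entry reports.

```python
"""Hunt Security event 4698 (scheduled task created) records for script-based
persistence: a .cmd/.bat action in a user-writable directory, or a PowerShell
action that is fed a non-.ps1 file such as Status.txt.

Added example; the sample events are constructed, not real telemetry, and the
paths/user name are assumptions rather than indicators from the campaign.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Heuristics (tune to your estate): directories installers rarely use for task
# actions, batch launchers, and PowerShell being handed a non-script file.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
BATCH_LAUNCHER = re.compile(r"\.(?:cmd|bat)\b", re.I)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
NON_PS1_FILE = re.compile(r"\b[\w.-]+\.(?:txt|log|dat)\b", re.I)


def make_4698(task_name: str, command: str, arguments: str) -> str:
    """Build a minimal 4698 event (constructed sample in the shape of the real log)."""
    task_xml = (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Actions><Exec><Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID></System><EventData>"
        '<Data Name="SubjectUserName">victim</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


def task_actions(event_xml: str):
    """Return (task_name, [(command, arguments), ...]) from a 4698 event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", EVT_NS)}
    # TaskContent carries the task definition as escaped XML; drop any leading
    # <?xml ... encoding="UTF-16"?> declaration before re-parsing it as str.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    task = ET.fromstring(content)
    actions = [
        (ex.findtext(f"{TASK_NS}Command", default="").strip(),
         ex.findtext(f"{TASK_NS}Arguments", default="").strip())
        for ex in task.iter(f"{TASK_NS}Exec")
    ]
    return data.get("TaskName", ""), actions


def triage(event_xml: str):
    """Return the reasons a task looks like script-based persistence
    (an empty list means nothing matched)."""
    name, actions = task_actions(event_xml)
    reasons = []
    for command, arguments in actions:
        line = f"{command} {arguments}".strip()
        if BATCH_LAUNCHER.search(line) and USER_WRITABLE.search(line):
            reasons.append(f"{name}: batch launcher in user-writable path: {line}")
        if POWERSHELL.search(line) and NON_PS1_FILE.search(line):
            reasons.append(f"{name}: PowerShell handed a non-.ps1 file: {line}")
    return reasons


# Constructed samples: the MonitorHealth.cmd pattern from the entry (path is an
# assumption), a benign vendor task, and a hypothetical variant without the .cmd.
SAMPLE_EVENTS = {
    "monitorhealth": make_4698(
        r"\MonitorHealth", r"C:\Users\victim\AppData\Local\MonitorHealth.cmd", ""),
    "benign": make_4698(
        r"\VendorUpdate", r"C:\Program Files\Vendor\update.exe", "/silent"),
    "variant": make_4698(
        r"\Health", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'-w hidden -c "gc C:\Users\victim\AppData\Local\Status.txt | iex"'),
}


def hunt(events=SAMPLE_EVENTS):
    """Map each event label to its triage reasons, keeping only the hits."""
    hits = {}
    for label, xml in events.items():
        reasons = triage(xml)
        if reasons:
            hits[label] = reasons
    return hits


if __name__ == "__main__":
    for label, reasons in hunt().items():
        print(label, *reasons, sep="\n  ")
```

In a real estate, feed `triage()` the raw XML of each 4698 event (for example from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}` piped through `.ToXml()`), and pair it with Sysmon process-creation data so the .cmd's own command line, where it hands the .txt to PowerShell, is also visible.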

