“DCRat Exploits HTML Smuggling to Target Users”

DCRat (Dark Crystal RAT) is a modular malware-as-a-service RAT active since 2018, used to execute commands, log keystrokes, and exfiltrate data. A recent campaign targeted Russian-speaking users using HTML smuggling to bypass defenses while impersonating legitimate apps like TrueConf and VK Messenger, with password-protected archives aiding evasion. Hashtags: #DCRat #DarkCrystalRAT #HTMLSmuggling #TrueConf #VKMessenger #BobTheSmuggler

Keypoints

  • DCRat is a modular RAT with capabilities such as executing shell commands, keystroke logging, and data exfiltration.
  • Historically delivered via compromised websites, email spam, and password-protected archives; recent campaigns used HTML smuggling to deploy DCRat.
  • HTML smuggling embeds or retrieves malicious payloads within obfuscated HTML to evade security controls, often aided by social engineering.
  • Threat actors impersonated TrueConf and VK Messenger in Russian-language HTML pages to lure victims.
  • Password-protected ZIP files (with embedded RarSFX archives) were used to further evade detection, requiring the passwords “2024” and “riverdD”.
  • The smuggling code traced back to open-source projects (e.g., TheCyb3rAlpha/BobTheSmuggler), with final payloads identified as DCRat and built from older samples.
  • Netskope recommends inspecting all web traffic and using Remote Browser Isolation to mitigate HTML-smuggling campaigns.

MITRE Techniques

  • [T1027.002] Obfuscated Files or Information: Software Packing – Used to pack DCRat to evade detection.
  • [T1027.006] Obfuscated Files or Information: HTML Smuggling – Employed to deliver DCRat payloads through obfuscated HTML.
  • [T1071.001] Application Layer Protocol: Web Protocols – Utilized for command and control communications.

Indicators of Compromise

  • [File] trueconf.ru.exe and vk.exe – filenames embedded inside a password-protected archive impersonating legitimate apps
  • [Archive] Password-protected ZIP and nested RarSFX archives – used to conceal payloads; first ZIP required a password, then a RarSFX extracted the final payload
  • [Password] 2024 and riverdD – passwords used to decrypt the initial ZIP and embedded RarSFX archive respectively
  • [Domain/URL] Impersonated Russian-language HTML pages mimicking TrueConf and VK Messenger – delivery vector via HTML smuggling
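To make the delivery chain described in the keypoints and the indicators above concrete from the defender's side, here is an added Python example (not code from Netskope, from the blog post, or from the campaign itself). It flags the JavaScript constructs that HTML smuggling relies on to assemble a file in the browser and force a download, then decodes any large base64 literal on the page and triages it as a ZIP without needing the password: it reports encrypted entries (the general-purpose flag bit the archive format uses), executable filenames, and the PE-with-RAR-overlay shape a RarSFX stub has. The sample lure page and archive are constructed inline; the filename trueconf.ru.exe comes from the IoC list, while the regexes, function names and archive layout are my assumptions.

```python
"""Triage helper for HTML-smuggling lures (added example, not Netskope's or DCRat's code).

Stage 1 flags JavaScript constructs that build a file client-side and hand it to the user.
Stage 2 decodes large base64 literals and walks a ZIP's local headers without a password,
reporting encrypted entries, executable names and PE files carrying a RAR overlay (the
shape of a RarSFX stub). The lure page and archive below are constructed for illustration.
"""
import base64
import re
import struct
import zipfile
from io import BytesIO

# JavaScript constructs that assemble a file in the browser and force a download.
SMUGGLING_PATTERNS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*="),
    "legacy_save": re.compile(r"msSaveOrOpenBlob"),
}
# A long base64 string literal is the usual carrier for the smuggled bytes.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi")
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes


def scan_html(html: str) -> dict:
    """Return the smuggling constructs present and every decodable base64 literal."""
    indicators = [name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(html)]
    payloads = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:
            continue
    return {"indicators": indicators, "payloads": payloads}


def triage_payload(data: bytes) -> dict:
    """Walk ZIP local headers (no password needed) and report risk signals per entry."""
    if not data.startswith(b"PK\x03\x04"):
        return {"kind": "unknown", "entries": []}
    entries, pos = [], 0
    while data.startswith(b"PK\x03\x04", pos):
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HEADER.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        body_start = pos + 30 + nlen + xlen
        body = data[body_start:body_start + csize]
        encrypted = bool(flags & 0x1)  # general-purpose bit 0: entry is encrypted
        entries.append({
            "name": name,
            "encrypted": encrypted,
            "executable_name": name.lower().endswith(EXEC_SUFFIXES),
            # Only inspect bytes we can actually read; ciphertext would give false negatives.
            "pe_with_rar_overlay": (not encrypted) and body.startswith(b"MZ")
                                   and b"Rar!\x1a\x07" in body,
        })
        pos = body_start + csize
    return {"kind": "zip", "entries": entries}


def build_sample_page(simulate_encrypted: bool) -> str:
    """Constructed lure page: a ZIP holding a fake RarSFX named after the page's IoC."""
    # PE stub followed by the RAR5 signature, standing in for a self-extracting archive.
    fake_sfx = b"MZ" + b"\x00" * 62 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("trueconf.ru.exe", fake_sfx)
    archive = bytearray(buf.getvalue())
    if simulate_encrypted:
        # zipfile cannot write encrypted entries, so set bit 0 of the first local header's flags.
        flags = struct.unpack_from("<H", archive, 6)[0]
        struct.pack_into("<H", archive, 6, flags | 0x1)
    b64 = base64.b64encode(bytes(archive)).decode()
    return f"""<html><body><script>
var bytes = atob("{b64}");
var arr = new Uint8Array(bytes.length);
for (var i = 0; i < bytes.length; i++) arr[i] = bytes.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "trueconf.zip";
a.click();
</script></body></html>"""


def analyse_page(html: str) -> dict:
    """Combine both stages into one report for a fetched HTML page."""
    report = scan_html(html)
    report["archives"] = [triage_payload(p) for p in report.pop("payloads")]
    return report


if __name__ == "__main__":
    for encrypted in (False, True):
        print(analyse_page(build_sample_page(encrypted)))
```

The report is deliberately password-free: the encryption flag, the entry names and the archive magic are all visible in cleartext headers, so a web proxy or mail gateway can raise an alert on the combination "smuggling JavaScript plus an encrypted ZIP carrying an .exe" without ever opening the archive, which is exactly the inspection point the campaign's password protection is meant to defeat.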

Read more: https://www.netskope.com/blog/dcrat-targets-users-with-html-smuggling