“Threat Actor Leverages Gophish to Deploy PowerRAT and DCRAT”

Cisco Talos uncovered a phishing campaign that uses the open-source Gophish toolkit to deliver malicious Word and HTML lures which ultimately load the in-memory, PowerShell-based PowerRAT or the DCRAT remote access trojan. The actor hides base64 blobs inside the lures, chains HTA/JavaScript loaders, persists through a Windows autorun registry value and scheduled tasks, and reaches out to multiple C2 servers (notably in Russia). #PowerRAT #DCRAT

Keypoints

  • Campaign leverages the open-source Gophish framework hosted on an AWS EC2 instance (port 3333) to send targeted phishing emails to Russian-speaking users.
  • Two modular initial vectors are used: (1) malicious Word documents with hidden base64 blobs and macros that drop an HTA and PowerShell loader, and (2) HTML pages with embedded JavaScript that trigger a 7-Zip SFX download.
  • One payload is a newly identified PowerShell RAT (PowerRAT) that executes in-memory, performs host reconnaissance, and fetches module/configurations from HTTP C2 servers.
  • DCRAT (Dark Crystal RAT) is delivered via SFX archives (some masquerading as VK messenger), often unpacked by the victim and executed through batch/SFX scripts; a GOLoader written in Go was observed dropping DCRAT and configuring Defender exclusions.
  • Persistence mechanisms include abusing the lesser-known Load value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (an autorun location processed at logon), creating scheduled tasks, and dropping files in user-profile folders.
  • Actor uses common evasion techniques: hidden text in documents, base64-encoded blobs, in-memory execution, LOLBins (cscript.exe) and Defender exclusion modification to avoid detection.
  • Multiple C2 servers and hosting domains were identified (including an EC2 host resolving to disk-yanbex[.]ru and Russian IPs for C2), and the actor appears to be actively developing placeholders for additional functionality.

MITRE Techniques

  • [T1566] Phishing – Used phishing emails to deliver malicious documents and links; quote: ‘Utilized phishing emails to deliver malicious documents and links.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell (the T1086 ID originally cited was retired by MITRE and folded into this sub-technique) – PowerShell scripts and in-memory PowerShell loaders execute the PowerRAT payload and other commands; quote: ‘Used PowerShell scripts for execution and payload delivery.’
  • [T1219] Remote Access Software – Deployment of PowerRAT and DCRAT to gain remote control and data theft capabilities; quote: ‘Deployment of PowerRAT and DCRAT for remote access.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Abused the Load value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows for autorun persistence (not a Run key strictly speaking, but ATT&CK groups it here); quote: ‘Modified registry keys to maintain persistence on the victim’s machine.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Executed JScript in the browser lure, the HTA and the dropped .js file (via cscript.exe), which in turn launched PowerShell (Invoke-Expression) to decode and run payloads; quote: ‘Executed commands via PowerShell and JavaScript.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and data exfiltration occur over HTTP to hardcoded C2 URLs/IPs; quote: ‘Communicated with C2 servers using HTTP.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – DCRAT registers numerous ONLOGON and periodic tasks (winlogonw, csrssc, dllhostd, taskhostwt, filef) for persistence.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – GOLoader adds Microsoft Defender path exclusions with Add-MpPreference before dropping DCRAT.
  • [T1036.005] Masquerading: Match Legitimate Name or Location – DCRAT copies itself as csrss.exe, dllhost.exe, taskhostw.exe and winlogon.exe into non-system folders; loaders use double extensions (UserCache.ini.hta, UserCacheHelper.lnk.js).
  • [T1027] Obfuscated Files or Information – Payload blobs are base64-encoded and hidden in document text coloured to match the background.

Indicators of Compromise

  • [IP Address] attacker-hosting and C2 – 34[.]236[.]234[.]165 (AWS EC2 hosting Gophish), 94[.]103[.]85[.]47 (C2, Russia)
  • [Domains] hosting and C2 – disk-yanbex[.]ru (malicious hosting), e-connection[.]ru (reverse-resolved), and cr87986[.]tw1[.]ru (DCRAT C2)
  • [Files / filenames] dropped loaders and persistence – UserCache.ini.hta, UserCacheHelper.lnk.js, UserCache.ini (PowerShell loader), file.exe (GOLoader drop), and SFXRAR archives masquerading as VK messenger
  • [Registry value] persistence – HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load – example data: C:\Users\<user>\UserCache.ini.hta (the HTA dropped into the user profile)
  • [URLs / hosting] repositories and endpoints – EC2 FQDN ec2-34-236-234-165[.]compute-1[.]amazonaws[.]com and references to a GitHub repo used as a payload host (not accessible during analysis)

Cisco Talos analyzed a coordinated phishing operation that used an open-source phishing framework to send tailored lures to Russian-speaking recipients and deploy modular remote access malware. The actor hosted a Gophish instance on an AWS EC2 server and used it to deliver two primary types of initial vectors: malicious Microsoft Word documents containing VBA macros and embedded base64 payloads, and remote HTML pages that execute JavaScript in the victim’s browser. The Word macro decodes concealed text (the lure) by translating encoded symbols into Cyrillic, searches for labeled markers like “DigitalRSASignature:” and “CHECKSUM” to extract a hidden base64 blob, and splits that decoded blob into an HTA file and a PowerShell loader which are written into the user profile. To hide the encoded data from casual inspection, the actor placed the blob in the document with text colored to match the background. After dropping UserCache.ini.hta and a masquerading UserCache.ini PowerShell loader, the macro sets the current-user autorun value (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load) to run the HTA at logon and strips header contents from the document to remove traces.

The HTA (UserCache.ini.hta) drops a JavaScript file (UserCacheHelper.lnk.js) which in turn executes the PowerShell loader by invoking an encoded PowerShell command; the loader contains a base64-encoded PowerRAT payload that is decoded and executed directly in memory. PowerRAT performs host reconnaissance (collecting username, computer name, drive letter and serial via Get-CimInstance/WMI), hides supporting files by setting Hidden attributes, and attempts to reach hardcoded C2 endpoints over HTTP to register the infected host. If C2 is unreachable, PowerRAT contains an offlineworker() placeholder capable of decoding and executing an embedded base64 PowerShell script, indicating ongoing development to support offline fallback behavior. The RAT periodically sleeps (300 seconds plus a random 7–23 seconds) between attempts, and when a C2 responds it will likely deliver an XML configuration with modules and base64-encoded PowerShell tasks that PowerRAT can parse and run at configured intervals.

Parallel to the document-based chain, malicious HTML pages observed in the campaign host JavaScript that contains a base64-encoded SFX archive (7-Zip), held in memory as a Blob of type application/octet-stream. The script uses URL.createObjectURL() and a programmatic click() on an anchor element to prompt a download of a 7-Zip archive masquerading as a VK messenger installer or other Russian-named archive, so no second server request is needed to fetch the payload. If a victim extracts and runs the self-extracting archive, an SFX script drops and executes a batch file which in some cases runs a password-protected SFXRAR with a hardcoded password (“riverdD”) to unpack and launch the DCRAT payload. In other samples the SFX unpacks a Go-based loader (GOLoader) and a decoy Excel document; GOLoader configures Microsoft Defender exclusions (Add-MpPreference -ExclusionPath 'C:\' and 'C:\Users\$user\Desktop'), downloads a DCRAT binary from a hardcoded URL (observed pointing at a GitHub repository), writes it to the desktop as file.exe, and executes it.
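The two lure formats above (the Word document with a base64 blob fenced by the “DigitalRSASignature:” and “CHECKSUM” markers, and the HTML page that decodes a base64 archive in JavaScript) can be triaged with the same approach the macro itself uses: locate the encoded region, decode it, and look at what comes out. The script below is an added example written for this page, not Talos tooling or the actor's code; the 200-character threshold for base64 runs, the keyword list used to label decoded text, and all sample inputs are constructed assumptions. The real blob is split into an HTA and a PowerShell loader by a delimiter the write-up does not name, so the example labels the decoded content rather than guessing the split.

```python
"""Added triage helper (not Talos code): recover the hidden base64 payloads
from the two lure formats described above and label what they decode to.
Sample inputs at the bottom are constructed stand-ins, not campaign files."""
import base64
import re
import textwrap
from typing import Optional

# Marker strings the Word macro searches for (named in the Talos write-up).
START_MARKER = "DigitalRSASignature:"
END_MARKER = "CHECKSUM"
# Long base64 runs inside inline JavaScript; 200 chars is an assumed threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Well-known magic bytes for the archive/executable types the campaign drops.
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"MZ", "PE executable"),
]


def classify(blob: bytes) -> list:
    """Label a decoded blob by magic bytes and by loader keywords in its text."""
    labels = [label for magic, label in SIGNATURES if blob.startswith(magic)]
    text = blob.decode("utf-8", errors="ignore").lower()
    if "hta:application" in text:
        labels.append("HTA")
    if any(k in text for k in ("invoke-expression", "frombase64string", "-encodedcommand")):
        labels.append("PowerShell loader")
    return labels or ["unknown"]


def extract_doc_blob(doc_text: str) -> Optional[bytes]:
    """Word lure: the blob sits between the two markers and may be line-wrapped."""
    start = doc_text.find(START_MARKER)
    end = doc_text.find(END_MARKER, start + len(START_MARKER)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    raw = re.sub(r"\s+", "", doc_text[start + len(START_MARKER):end])
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError: region is not valid base64
        return None


def extract_html_blobs(html: bytes) -> list:
    """HTML lure: decode every long base64 run embedded in the page's script."""
    blobs = []
    for m in B64_RUN.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue
    return blobs


def forced_download_indicators(html: bytes) -> list:
    """JavaScript features used to push a download with no second server request."""
    needles = (b"URL.createObjectURL", b"application/octet-stream", b".click()", b"atob(")
    return [n.decode() for n in needles if n in html]


# ---- constructed samples (stand-ins for the real lures) ----
SAMPLE_PAYLOAD = (
    b"<html><head><hta:application id='x' windowstate='minimize'/></head>\n"
    b"<script language='JScript'>/* placeholder, not the real dropper */</script></html>\n"
    b"$b=[Convert]::FromBase64String('QUJD');Invoke-Expression([Text.Encoding]::UTF8.GetString($b))\n"
)
SAMPLE_DOC_TEXT = (
    "Lure text shown to the reader.\n" + START_MARKER + "\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_PAYLOAD).decode(), 76))
    + "\n" + END_MARKER + "\nMore lure text.\n"
)
SAMPLE_ARCHIVE = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 300  # 7-Zip magic plus filler
SAMPLE_HTML = (
    b'<script>var d=atob("' + base64.b64encode(SAMPLE_ARCHIVE) + b'");'
    b'var u=new Uint8Array(d.length);for(var i=0;i<d.length;i++)u[i]=d.charCodeAt(i);'
    b'var a=document.createElement("a");'
    b'a.href=URL.createObjectURL(new Blob([u],{type:"application/octet-stream"}));'
    b'a.download="messenger.7z";document.body.appendChild(a);a.click();</script>'
)

if __name__ == "__main__":
    print("doc :", classify(extract_doc_blob(SAMPLE_DOC_TEXT)))
    for b in extract_html_blobs(SAMPLE_HTML):
        print("html:", classify(b), forced_download_indicators(SAMPLE_HTML))
```

Feed `extract_doc_blob` the plain text of a suspect .docm (for example from a docx-to-text tool) and `extract_html_blobs` the raw HTML; the validate=True decode rejects the ordinary long alphanumeric strings that would otherwise produce garbage.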

The DCRAT instance identified in this campaign is a modular RAT (also known as Dark Crystal RAT in open sources) with plugin capability for DLL injection and information-stealing. It supports remote command execution, file management, screen capture, keystroke logging, and theft modules for credentials and financial data. The RAT places multiple copies of its actor-controlled binaries using legitimate-sounding names (csrss.exe, dllhost.exe, taskhostw.exe, winlogon.exe) across locations such as ProgramData, Pictures, Saved Games and the Start Menu, drops plugin modules in administrator desktop folders with “.log” extensions, and establishes persistence through numerous scheduled tasks (examples in samples include tasks named winlogonw, csrssc, dllhostd, taskhostwt and filef configured with ONLOGON or periodic triggers). DCRAT configuration files hardcode C2 URLs; Talos observed C2 addresses and additional endpoints such as hxxp://cr87986[.]tw1[.]ru/L1nc0In[.]php and identified C2 IPs including 94[.]103[.]85[.]47 and 5[.]252[.]176[.]55, both geolocated in Russia.

Throughout the campaign the threat actor used several evasion and persistence techniques: hiding payload blobs in document text colored to match the background, in-memory execution of PowerShell payloads to avoid disk-based detection, LOLBins like cscript.exe to run dropped JavaScript, altering Defender exclusion paths via PowerShell, creating many scheduled tasks and using the uncommon Load registry value for autorun. Talos also noted overlap with previous activity, a SparkRAT-related technique reported by other researchers, implying SparkRAT may be in the actor’s toolkit as well. Analysis showed placeholders and unused functions in PowerRAT (for example offlineworker and embedded base64 slots), suggesting active tool development and modularity that allow the actor to update behavior and deliver additional payloads.
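The persistence and evasion behaviours listed above are all visible in ordinary endpoint telemetry: a registry write to the Load value, a cscript.exe launch of a double-extension .js file, an Add-MpPreference command line, a system-binary name running from ProgramData or a user folder, and scheduled tasks with the names Talos observed. The following hunting rules are an added example for this page, not Talos or Cisco detection content; the event records use a deliberately simplified JSON schema (field names `type`, `image`, `cmdline`, `target`, `task`, `action`) that stands in for Sysmon/Windows events, and the sample events, SID and user name are constructed.

```python
"""Added hunting rules (not Talos detection content) for the persistence and
evasion behaviour described above, evaluated over constructed, simplified
event records. Field names are a stand-in for Sysmon/Windows event fields."""
import json
import ntpath

# The Load value lives under ...\Windows NT\CurrentVersion\Windows; HKCU appears
# as HKU\<SID> in most telemetry, so match on the path suffix only.
LOAD_VALUE_SUFFIX = r"\software\microsoft\windows nt\currentversion\windows\load"
LOOKALIKE_BINARIES = {"csrss.exe", "dllhost.exe", "taskhostw.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
OBSERVED_TASK_NAMES = {"winlogonw", "csrssc", "dllhostd", "taskhostwt", "filef"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def evaluate(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list = no finding)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and ev.get("target", "").lower().endswith(LOAD_VALUE_SUFFIX):
        hits.append("hkcu_load_autorun_set")
    elif kind == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "").lower()
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            hits.append("defender_exclusion_added")
        if _basename(image) in LOOKALIKE_BINARIES and not _in_system_dir(image):
            hits.append("system_binary_lookalike_outside_system_dir")
        if _basename(image) in SCRIPT_HOSTS and ".lnk.js" in cmd:
            hits.append("double_extension_js_via_script_host")
    elif kind == "task_created":
        name = ev.get("task", "").lower().lstrip("\\")
        action = ev.get("action", "")
        if name in OBSERVED_TASK_NAMES or (
            _basename(action) in LOOKALIKE_BINARIES and not _in_system_dir(action)
        ):
            hits.append("suspicious_scheduled_task")
    return hits


def hunt(jsonl: str) -> list:
    """Run evaluate() over JSON-lines input; returns (line number, rule) pairs."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if line.strip():
            findings.extend((n, rule) for rule in evaluate(json.loads(line)))
    return findings


# ---- constructed sample events (placeholder SID and user; not real telemetry) ----
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "registry_set", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "details": r"C:\Users\alice\UserCache.ini.hta"},
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //E:JScript "C:\Users\alice\UserCacheHelper.lnk.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\'"},
    {"type": "process", "image": r"C:\ProgramData\csrss.exe", "cmdline": r"C:\ProgramData\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\System32\csrss.exe", "cmdline": "csrss.exe"},  # benign
    {"type": "task_created", "task": r"\winlogonw", "action": r"C:\Users\alice\Pictures\winlogon.exe"},
    {"type": "task_created", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},  # benign
])

if __name__ == "__main__":
    for line_no, rule in hunt(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule}")
```

The lookalike-binary rule keys on location rather than name alone, which is what separates DCRAT's csrss.exe in ProgramData from the real one in System32; the Load-value rule matches on the path suffix so it works whether the hive is logged as HKCU or as HKU\<SID>.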

Talos documented a range of indicators (malicious domains, IPs, filenames, registry keys, task names and C2 URLs) and recommended layered defenses: email and web scanning, endpoint protection that can block in-memory PowerShell execution and malicious HTA/JS, network controls to block known C2 IPs/domains, and application control to limit execution of unpacked SFX/RAR executables. Cisco Secure Endpoint (formerly AMP for Endpoints), Secure Email, Secure Web Appliance/Umbrella, Secure Firewall, and Cisco Secure Malware Analytics (Threat Grid) are cited as solutions that can detect or prevent the techniques and binaries used in this campaign, and Talos published Snort SIDs and ClamAV signatures covering the observed samples. The research and full IoCs are available in Talos’ GitHub repository for further investigation.

Read more: https://blog.talosintelligence.com/gophish-powerrat-dcrat/