A phishing campaign targeting Colombian organizations uses a Remote Access Trojan (DCRAT) distributed via obfuscated email attachments to gain control and steal sensitive data from infected Microsoft Windows systems. The attack chain employs multiple evasion techniques including steganography, base64 encoding, and multi-stage payload delivery to avoid detection. #DCRAT #ColombianGovernment #FortiMail
Keypoints
- DCRAT is a modular RAT capable of data theft, surveillance, system manipulation, and process management tailored by attackers via plugins.
- The threat actor impersonates a Colombian government entity and uses password-protected archives and obfuscated files to deliver the malware.
- The infection chain includes downloading an obfuscated VBScript, executing base64 encoded PowerShell code, and extracting a .NET payload hidden in an image via steganography.
- DCRAT steals credentials, documents, browser data, captures screenshots, performs keylogging, and can manipulate system settings and files.
- The malware includes anti-analysis features checking for virtual environments and terminates processes associated with analysis or antivirus tools if enabled.
- Persistence is established via scheduled tasks or registry entries depending on user permissions, and AMSI bypass techniques are used to evade detection.
- Fortinet products detect and block the attack using multiple security services, protecting customers from infection.
MITRE Techniques
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The attack uses an obfuscated VBS file downloaded from a pastebin-like service to execute subsequent payload stages ("The ZIP attachment contains a BAT file which will drop an obfuscated VBS file from a pastebin-like website to C:\Windows\Temp").
- [T1027] Obfuscated Files or Information – The VBScript and PowerShell code are heavily obfuscated and base64 encoded to evade detection ("The VBS file is heavily obfuscated and is made to trick analysts and systems").
- [T1140] Deobfuscate/Decode Files or Information – The malware decodes base64-encoded scripts and extracts hidden data from an image using steganography ("This script sets a reversed URL as a variable and points it to an image which contains data hidden with base64").
- [T1105] Ingress Tool Transfer – The final payload is downloaded from a remote URL embedded within steganographic image data ("...invoke a .NET library to download the third and final payload from the reversed URL to C:\Users\Public\Downloads").
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with a hardcoded C2 server or can retrieve the C2 address from a remote URL ("the RAT enters an infinite loop, continuously attempting to connect to its command-and-control (C2) server").
- [T1218.005] Signed Binary Proxy Execution: Mshta – The malware uses cmd and schtasks commands to create persistence and execute decoded payloads ("...spawns a hidden cmd process to execute a base64-decoded command string... schtasks /create ...").
- [T1543.003] Create or Modify System Process: Windows Service – Persistence is created through scheduled tasks or registry run keys depending on user privileges ("...register the malware binary as a scheduled task for persistence... creates a registry entry under HKCU if admin privileges are not present").
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – AMSI bypass attempts are made by patching amsi.dll in memory to disable scanning ("The function proceeds to load amsi.dll into memory and retrieves the address of the AmsiScanBuffer function... inject a patch into this memory location").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry modifications ensure execution on user logon ("...creates a registry entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run...").
- [T1083] File and Directory Discovery – The malware compares paths and enumerates running processes to terminate those running from specific folders ("...iterates through all running processes and terminates any that are executing from the Install_Folder location").
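As an added example (not part of the original report or of Fortinet's own detection content), the following Python scans constructed Sysmon-style process-creation records for the staging and persistence behaviour the mappings above describe: a VBS run from C:\Windows\Temp, a hidden cmd process issuing schtasks /create, a write to the HKCU Run key, and an executable under C:\Users\Public\Downloads. The record format, field names and sample command lines are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Temp\upd.vbs"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c schtasks /create /tn Updater /tr C:\Users\Public\Downloads\svc.exe /sc minute"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\Public\Downloads\svc.exe"},
    {"image": r"C:\Program Files\App\app.exe",
     "cmdline": r'"C:\Program Files\App\app.exe"'},
]

# One predicate per stage the report describes; each examines a single event.
RULES = [
    # obfuscated VBS dropped to and run from C:\Windows\Temp
    ("vbs-run-from-windows-temp",
     lambda e: re.search(r'(?i)c:\\windows\\temp\\[^\s"]+\.vbs', e["cmdline"]) is not None),
    # cmd process registering a scheduled task
    ("schtasks-create-via-cmd",
     lambda e: e["image"].lower().endswith("\\cmd.exe")
     and re.search(r"(?i)\bschtasks(\.exe)?\s+/create\b", e["cmdline"]) is not None),
    # HKCU Run key fallback used when admin rights are absent
    ("hkcu-run-key-write",
     lambda e: re.search(r"(?i)hkcu\\software\\microsoft\\windows\\currentversion\\run\b",
                         e["cmdline"]) is not None),
    # final payload staged under C:\Users\Public\Downloads
    ("exe-in-public-downloads",
     lambda e: re.search(r'(?i)c:\\users\\public\\downloads\\[^\s"]+\.exe', e["cmdline"]) is not None),
]


def scan(events):
    """Return (event index, rule name) for every rule that fires, in event then rule order."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


def stages_seen(events):
    """Distinct stages observed; several distinct stages on one host is the strong signal."""
    return sorted({name for _, name in scan(events)})


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("stages seen:", stages_seen(SAMPLE_EVENTS))
```

Any single rule will also fire on legitimate administration, so the useful alert is the combination of stages on one host within a short window, not one rule in isolation.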
Indicators of Compromise
- [URL] Malicious script and payload hosting – hxxp://paste.ee/d/jYHEqBJ3/0, hxxps://paste.ee/d/oAqRiS3g
- [URL] Image containing steganographic payload – hxxps://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg
- [SHA-256] ZIP attachment – db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590
- [SHA-256] BAT file – 34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89
- [SHA-256] VBS file – b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8
- [SHA-256] Executable (DCRAT) – 77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe
- [IP Address and Port] C2 server – 176.65.144.19:8848