FortiGuard Labs observed a global phishing campaign that delivers personalized phishing pages which prompt victims to download obfuscated JavaScript droppers (UpCrypter) that execute PowerShell and an in-memory MSIL loader to deploy multiple RATs. The campaign delivered PureHVNC, DCRat, and Babylon RAT via staged downloads, steganography, and persistence mechanisms targeting Windows environments. #UpCrypter #PureHVNC #DCRat #BabylonRAT
Keypoints
- Phishing emails with personalized HTML attachments redirect victims to spoofed pages that embed the victim's email/domain to increase credibility and track targets.
- Downloaded ZIP archives contain heavily obfuscated JavaScript (UpCrypter) that launches a Base64 PowerShell payload with anti-analysis checks and in-memory execution of an MSIL loader.
- The pipeline retrieves loader data from remote servers (plain text or steganographically embedded in images) and executes .NET assemblies in memory to avoid disk artifacts.
- The MSIL loader performs extensive anti-VM and anti-analysis checks, conditionally forces system restarts, and writes persistence to HKCU Run while using a subfolder under AppData for storage.
- Final payloads observed include remote access tools PureHVNC, DCRat, and Babylon RAT, enabling long-term remote control of compromised Windows systems.
- Attackers use fragment-based parameter passing, Base64/XOR obfuscation, and delays/anti-automation tricks to evade detection and logging.
- Campaign shows rapid global expansion across multiple industries; Fortinet protections detect and block the malicious components.
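The key points above name the behaviours a detection engineer would hunt for in process-creation telemetry and in HKCU Run values: PowerShell launched hidden with -ExecutionPolicy bypass, Base64-carried script content, reflective .NET loading in memory, and a Run-key entry holding the complete PowerShell command. The triage script below is an added example written for this page, not code from FortiGuard Labs or the report. The log strings, the inner script, the Run-key values and the rule names are all constructed here; the only external facts it relies on are that -EncodedCommand carries Base64 of UTF-16LE text and that powershell.exe accepts the abbreviations -e, -ec and -enc for it.

```python
"""Triage of PowerShell command lines taken from process-creation logs and
from HKCU Run values. Added example; every sample value below is constructed
and none is taken from the campaign itself."""
import base64
import re

PS_BINARY = re.compile(r"(?:^|\\|\s)(?:powershell|pwsh)(?:\.exe)?\b", re.I)

# Switch patterns accept the abbreviations powershell.exe itself accepts.
CMDLINE_RULES = {
    "execution-policy-bypass": re.compile(r"-ex\w*\s+bypass\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "non-interactive": re.compile(r"-noni\w*\b", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Script-content markers tied to in-memory .NET loading and staged downloads.
# Each is something an analyst wants surfaced, not proof of compromise.
CONTENT_RULES = {
    "reflection-assembly-load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "download-to-memory": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
}


def decode_encoded_command(blob):
    """-EncodedCommand carries Base64 of UTF-16LE text; return None if blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_cmdline(cmdline):
    """Return {'powershell': bool, 'hits': [rule names], 'script': decoded or raw text}."""
    result = {"powershell": bool(PS_BINARY.search(cmdline)), "hits": [], "script": ""}
    if not result["powershell"]:
        return result
    for name, rx in CMDLINE_RULES.items():
        if rx.search(cmdline):
            result["hits"].append(name)
    script = cmdline
    m = ENCODED_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            result["hits"].append("encoded-command")
            script = decoded  # inspect what the operator actually runs, not the blob
    result["script"] = script
    for name, rx in CONTENT_RULES.items():
        if rx.search(script):
            result["hits"].append(name)
    return result


def triage_run_key(values):
    """values: {value_name: command} as read from HKCU\\...\\CurrentVersion\\Run.
    Return the value names whose command triggers at least one rule."""
    return sorted(name for name, cmd in values.items() if triage_cmdline(cmd)["hits"])


# Constructed samples (not from the report). INNER mimics a minimal reflective
# load of a staged file; the benign line is a routine scheduled admin script.
INNER = ('$b=[IO.File]::ReadAllBytes("$env:APPDATA\\demo\\stage.bin");'
         '[System.Reflection.Assembly]::Load($b)')
SAMPLE_SUSPICIOUS = ("powershell.exe -ExecutionPolicy bypass -WindowStyle hidden -enc "
                     + base64.b64encode(INNER.encode("utf-16-le")).decode("ascii"))
SAMPLE_BENIGN = "powershell.exe -NoProfile -File C:\\scripts\\rotate-logs.ps1"
RUN_KEY_SAMPLE = {  # hypothetical Run-key contents
    "OneDrive": "C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "Updater": SAMPLE_SUSPICIOUS,
}

if __name__ == "__main__":
    for line in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        r = triage_cmdline(line)
        print(r["hits"] or "no hits", "|", r["script"][:80])
    print("Run values to review:", triage_run_key(RUN_KEY_SAMPLE))
```

The decoded script, not the Base64 blob, is what the content rules inspect, which is the step most naive keyword rules skip; the rule names are a suggested taxonomy, not a standard.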
MITRE Techniques
- [T1566] Phishing - used to deliver HTML attachments that redirect victims to spoofed pages tailored with the victim's email/domain ("the script sets the target user's email… and assigns the result to 'window.location.href' after 413 milliseconds").
- [T1204.002] User Execution: Malicious File - victims are urged to download and open a ZIP containing an obfuscated JavaScript dropper ("the downloadFile() handler … submits the form, causing the delivery of a ZIP archive … 'Please open it for review…'").
- [T1059.001] Command and Scripting Interpreter: PowerShell - JavaScript constructs a Base64 PowerShell command and executes it with ShellExecute to run hidden PowerShell (-ExecutionPolicy bypass) ("it then calls ShellExecute to run PowerShell with '-ExecutionPolicy bypass' and the decoded command using a window style of 0").
- [T1218.011] Signed Binary Proxy Execution: Rundll32/Regsvr32/PowerShell - use of PowerShell to execute embedded loader code and scripts in memory ("PowerShell is responsible for network verification, anti-analysis checking, and preparing for loader execution … executed directly in memory through .NET reflection").
- [T1105] Ingress Tool Transfer - downloads additional files (01.txt, 02.txt, bu.txt) and loader/payload data from remote URLs to stage and execute the final payloads ("retrieves files '01.txt,' '02.txt' … and a payload from 'ktc2005[.]com/bu[.]txt'").
- [T1005] Data from Local System - reads system/registry/BIOS fields for anti-analysis checks ("reads the registry 'HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS' to obtain BaseBoardManufacturer and BaseBoardProduct").
- [T1490] Inhibit System Recovery - forces system restarts when anti-analysis checks or connectivity checks fail to disrupt analysis ("If this fails, it then restarts the computer… If any are found, it forces a system restart").
- [T1106] Native API - uses WinExec and Shell.Application objects for execution and persistence ("creates a Shell.Application object… It then leverages WinExec to launch the attack").
- [T1543.003] Create or Modify System Process: Windows Service - persistence via registry Run key ("adds the complete PowerShell execution into the registry 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'").
- [T1027] Obfuscated Files or Information - heavy obfuscation of JavaScript, Base64/XOR fragmenting, and padding with junk code ("heavily obfuscated JavaScript file padded with large amounts of junk code… reconstructs a link by XORing a set of small string chunks with 0x15 and then applying 'atob'").
- [T1074.001] File Deletion - deletes staged artifacts and cleans working folders on detection ("writes the marker file 'detect_analisse_process.txt', deletes staged artifacts, cleans working folders, forces a restart, and exits").
- [T1001.001] Indicator Removal on Host: Clear Windows Event Logs or other traces - cleaning working folders and deleting artifacts to minimize traces ("deletes staged artifacts, cleans working folders … minimizing traces").
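Two evasion details in the technique list above matter for anyone extracting indicators from a sample: the dropper rebuilds its download link by XORing short string chunks with 0x15 and then calling atob, and the landing URL carries the victim's email in the URL fragment, which browsers never send to the server, so proxy and web-server logs record the page without the tracking value. The helper below is an added example, not FortiGuard tooling; the link, the email and the chunk length are placeholders constructed here, and obfuscate_link exists only to build that fixture so the decode can be checked end to end.

```python
"""Analyst helper for the XOR-0x15-then-atob link reconstruction and for the
fragment-carried parameter. Added example with constructed placeholder data."""
import base64
from urllib.parse import urlsplit

XOR_KEY = 0x15  # value quoted in the technique list


def xor_chunks(chunks, key=XOR_KEY):
    """Undo the per-character XOR and join the chunks into one Base64 string."""
    return "".join(chr(ord(c) ^ key) for chunk in chunks for c in chunk)


def atob(text):
    """Python stand-in for JavaScript atob(): Base64 text to a byte-per-char string."""
    return base64.b64decode(text).decode("latin-1")


def recover_link(chunks, key=XOR_KEY):
    """Recreate exactly what the dropper computes: atob(xor(chunks))."""
    return atob(xor_chunks(chunks, key))


def split_fragment(url):
    """Return (url_as_the_server_sees_it, fragment). Only the first part reaches
    the server, so only that part can appear in proxy or web-server logs."""
    parts = urlsplit(url)
    return parts._replace(fragment="").geturl(), parts.fragment


def defang(url):
    """Render a recovered link in the bracketed style used in this page's IoC list."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Fixture construction: the inverse of the decode, used only to build sample
# chunks so the recovery above can be verified. Hypothetical values.
def obfuscate_link(url, chunk_len=6, key=XOR_KEY):
    b64 = base64.b64encode(url.encode("latin-1")).decode("ascii")
    return ["".join(chr(ord(c) ^ key) for c in b64[i:i + chunk_len])
            for i in range(0, len(b64), chunk_len)]


SAMPLE_URL = "https://landing.example.invalid/tw/w.php#victim@corp.example"
SAMPLE_CHUNKS = obfuscate_link(SAMPLE_URL)

if __name__ == "__main__":
    link = recover_link(SAMPLE_CHUNKS)
    logged, fragment = split_fragment(link)
    print("recovered :", defang(link))
    print("in logs   :", defang(logged))
    print("fragment  :", fragment)
```

Because the fragment never leaves the browser, a proxy-log search for victim email addresses will come up empty even when the redirect is present; the host and path are the searchable part.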
Indicators of Compromise
- [Domain] phishing and payload hosting - maltashopping24[.]com, www[.]tridevresins[.]com
- [Domain] loader/payload distribution - andrefelipedonascime1753562407700.0461178[.]meusitehostgator[.]com.br, ktc2005[.]com
- [URL] phishing/redirect endpoints - brokaflex[.]com/tw/w.php (used to POST victim email and deliver ZIP), power-builders[.]net/vn/v.php
- [HTML hash] malicious attachment - 4b03950d0ace9559841a80367f66c1cd84ce452d774d65c8ab628495d403ad0fc7b6205c411a5c0fde873085f924f6270d49d103f57e7e7ceb3deb255f3e6598
- [JavaScript hash] UpCrypter JS dropper - a5fe77344a239af14c87336c65e75e59b69a59f3420bd049da8e8fd0447af235c0bfa10d2739acd6ee11b8a2e2cc19263e18db0bbcab929a133eaaf1a31dc9a5
- [DLL hash] MSIL loader artifact - f2633ef3030c28238727892d1f2fcb669d23a803e035a5c37fd8b07dce442f177e832ab8f15d826324a429ba01e49b452ffc163ca4af8712a6b173f40c919b43
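A retrospective sweep is the usual first use of the indicator list above: refang the domains and URL paths, then run DNS and proxy logs against them, treating a subdomain of a listed domain as a hit and a listed URL as a stronger hit than its bare host. The script below is an added example, not FortiGuard tooling. The domain and URL strings are the ones printed on this page (in their defanged form); the log lines, their format and the timestamps are constructed. The hashes are left out because the sweep targets network telemetry.

```python
"""Sweep constructed DNS/proxy log lines against the network indicators listed
above. Added example; the indicators are copied from this page, the log lines
are made up."""
import re
from urllib.parse import urlsplit

RAW_INDICATORS = {  # defanged exactly as listed on the page
    "domain": ["maltashopping24[.]com", "www[.]tridevresins[.]com",
               "andrefelipedonascime1753562407700.0461178[.]meusitehostgator[.]com.br",
               "ktc2005[.]com"],
    "url": ["brokaflex[.]com/tw/w.php", "power-builders[.]net/vn/v.php"],
}


def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist(raw):
    """Return (domains, urls): a set of hosts and a set of (host, path) pairs.
    Hosts of listed URLs are also watched as plain domains."""
    domains = {refang(d).lower() for d in raw["domain"]}
    urls = set()
    for u in raw["url"]:
        host, _, path = refang(u).partition("/")
        domains.add(host.lower())
        urls.add((host.lower(), "/" + path))
    return domains, urls


def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed log layouts: 'qname=' for DNS queries, 'url=' for proxy requests.
DNS_RX = re.compile(r"\bqname=(\S+)")
URL_RX = re.compile(r"\burl=(\S+)")


def match_line(line, domains, urls):
    """Return a list of (kind, indicator) tuples for one log line, possibly empty."""
    found = []
    m = DNS_RX.search(line)
    if m and host_matches(m.group(1), domains):
        found.append(("domain", m.group(1).lower().rstrip(".")))
    m = URL_RX.search(line)
    if m:
        parts = urlsplit(m.group(1))
        host = (parts.hostname or "").lower()
        if (host, parts.path) in urls:
            found.append(("url", host + parts.path))
        elif host_matches(host, domains):
            found.append(("domain", host))
    return found


def sweep(lines, raw=RAW_INDICATORS):
    """Return [(line_index, hits)] for every line with at least one hit."""
    domains, urls = build_watchlist(raw)
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, domains, urls)
        if hits:
            out.append((i, hits))
    return out


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2024-01-01T09:14:02Z dns client=10.0.0.5 qname=ktc2005.com. type=A",
    "2024-01-01T09:14:03Z proxy client=10.0.0.5 method=GET url=https://ktc2005.com/bu.txt status=200",
    "2024-01-01T09:14:05Z proxy client=10.0.0.7 method=POST url=http://brokaflex.com/tw/w.php status=200",
    "2024-01-01T09:14:06Z dns client=10.0.0.7 qname=www.tridevresins.com type=A",
    "2024-01-01T09:14:09Z dns client=10.0.0.9 qname=updates.example.invalid type=A",
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOG):
        print(idx, hits, "<-", SAMPLE_LOG[idx])
```

Note that the POST to the w.php endpoint is reported as a URL hit, which is the event worth pivoting on first: the page states that this request is where the victim's email is submitted and the ZIP is delivered.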