A new phishing campaign is actively targeting Russian-speaking users, leveraging the Gophish framework to deliver two remote access trojans (RATs): DarkCrystal RAT (DCRat) and PowerRAT. The campaign is designed with modular infection chains that begin with malicious emails containing attachments or links that disguise themselves as well-known services like Yandex Disk or VK, a popular Russian social media platform. These phishing emails entice victims to open malware-laden Microsoft Word documents or HTML files embedded with JavaScript, initiating the infection process.
Once a victim interacts with these malicious attachments, the infection chain begins. In the case of Microsoft Word documents, enabling macros triggers a Visual Basic (VB) script that extracts and executes a rogue HTML application (HTA) file and a PowerShell loader. This process leads to the deployment of PowerRAT, a previously undocumented RAT that performs system reconnaissance, collects device details such as the drive serial number, and communicates with command-and-control (C2) servers located in Russia. PowerRAT is also capable of executing additional PowerShell commands, enabling further infections on the compromised machine.
Alternatively, victims who interact with HTML files embedded with JavaScript are targeted by DCRat. When a user clicks on a malicious link, a JavaScript file containing a Base64-encoded 7-Zip archive is downloaded through a technique called HTML smuggling. The archive contains a password-protected self-extracting (SFX) RAR file, which ultimately delivers the DCRat payload. DCRat is a modular RAT capable of stealing sensitive data, capturing keystrokes and screenshots, and allowing remote control of the infected system. It establishes persistence by creating Windows tasks that run during system login or at intervals.
This campaign is particularly dangerous due to its ability to deliver two different RATs depending on the initial access vector and its use of sophisticated techniques like HTML smuggling and modular infection chains. The Gophish framework, originally designed to test phishing defenses, is being weaponized by threat actors to launch highly targeted phishing campaigns. With the capability to collect sensitive data and maintain long-term access to compromised systems, both PowerRAT and DCRat pose significant risks to affected users.
