urlscan.io public scan
Submitted URL: http://community.riskiq.com/article/055c91ec/description
Effective URL: https://community.riskiq.com/article/055c91ec/description
Submission: October 30, via API, from DE; scanned from CA
Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Created 6 days ago. Tags: OSINT

MITRE ATT&CK techniques:
* T1547 - Boot or Logon Autostart Execution
* T1059.007 - JavaScript
* T1059.001 - PowerShell
* T1059.005 - Visual Basic
* T1543.003 - Windows Service
* T1105 - Ingress Tool Transfer
* T1056.001 - Keylogging
* T1027.006 - HTML Smuggling
* T1027.002 - Software Packing
* T1566 - Phishing
* T1566.001 - Spearphishing Attachment
* T1113 - Screen Capture
* T1204.001 - Malicious Link

Public indicators: 51

SNAPSHOT

Cisco Talos uncovered a phishing campaign targeting Russian-speaking users that abuses Gophish, an open-source phishing framework, to deliver PowerRAT and DCRAT malware through malicious Word documents or HTML files.

DESCRIPTION

The Word document infection vector requires the user to enable a macro. The macro then decodes and executes a malicious HTML application (HTA) and a PowerShell loader. The loader establishes persistence in the Windows registry and executes the PowerRAT payload, which performs reconnaissance and takes instructions from a command-and-control (C2) server: it connects to the C2 server periodically, receives base64-encoded PowerShell commands, and executes them.

The HTML infection vector relies on the victim clicking a malicious link; JavaScript in the page then downloads and runs the DCRAT payload. DCRAT is a modular RAT that provides remote control, file management, information theft, and keylogging. It disguises its dropped files as legitimate Windows executables and persists through scheduled tasks. The malware modifies Microsoft Defender Antivirus settings to evade detection and communicates with a C2 server to exfiltrate data.
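As an added example (this is not code from the RiskIQ/Microsoft article or from the Talos report it summarises), the following PowerShell triages a single host for the behaviours described above: registry autostart entries and scheduled tasks that launch a script host (decoding any base64 -EncodedCommand payload it finds, since PowerRAT receives its tasking as base64-encoded PowerShell), and Microsoft Defender Antivirus settings that look tampered with. The Run/RunOnce key list, the user-writable path heuristic and the assumption that the loader's "Windows registry" persistence is an autostart key are mine; the article does not name the specific key.

```powershell
# Added example; not code from the article or the Talos report. Run elevated
# in Windows PowerShell 5.1 or later on the host being triaged.

# Assumption: the loader's "Windows registry" persistence is an autostart key
# (T1547). Extend this list if your telemetry shows other locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Script hosts used by the macro -> HTA -> PowerShell chain and by the HTML/JS vector.
$hostPattern = '(?i)\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b'
# -EncodedCommand and the prefixes powershell.exe accepts for it (-e, -ec, -enc, ...),
# followed by the base64 blob. -ex (ExecutionPolicy) is deliberately excluded.
$encPattern  = '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})'

function ConvertFrom-EncodedCommand {
    # Returns the UTF-16LE script carried by -EncodedCommand, or $null if none.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, $encPattern)
    if (-not $m.Success) { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { "<base64 present but undecodable: $($_.Exception.Message)>" }
}

function Get-SuspiciousAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, ...)
            $value = [string]$p.Value
            if ($value -match $hostPattern) {
                [pscustomobject]@{
                    Source  = "$key\$($p.Name)"
                    Command = $value
                    Decoded = ConvertFrom-EncodedCommand $value
                }
            }
        }
    }
}

function Get-SuspiciousTasks {
    # DCRAT persists via scheduled tasks and poses as legitimate Windows binaries,
    # so compare the full path of each task action, not just the file name.
    # Assumption: user-writable directories are the paths worth flagging.
    $userWritable = '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Users\\[^\\]+\\Downloads)\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }        # COM-handler actions have no Execute
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $hostPattern -or $a.Execute -match $userWritable) {
                [pscustomobject]@{
                    Source  = "Task: $($task.TaskPath)$($task.TaskName)"
                    Command = $cmd
                    Decoded = ConvertFrom-EncodedCommand $cmd
                }
            }
        }
    }
}

function Get-DefenderSettingsSnapshot {
    # The article says DCRAT modifies Microsoft Defender Antivirus settings;
    # exclusions and disabled monitoring are where that usually shows up.
    $p = Get-MpPreference
    [pscustomobject]@{
        RealTimeMonitoringDisabled = $p.DisableRealtimeMonitoring
        BehaviorMonitoringDisabled = $p.DisableBehaviorMonitoring
        ExclusionPaths             = $p.ExclusionPath
        ExclusionProcesses         = $p.ExclusionProcess
        ExclusionExtensions        = $p.ExclusionExtension
        CloudProtection            = $p.MAPSReporting        # 0 = off
        SampleSubmission           = $p.SubmitSamplesConsent
    }
}

@(Get-SuspiciousAutostarts) + @(Get-SuspiciousTasks) | Format-List
Get-DefenderSettingsSnapshot | Format-List
```

Treat the output as leads, not verdicts: a legitimate management agent can also live in a Run key or run PowerShell from a task. A decoded -EncodedCommand payload that itself downloads or decodes a further stage, or a task whose action is a file in a user-writable directory with a Windows binary's name, is what to escalate.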
The campaign's infrastructure includes attacker-controlled domains and an AWS EC2 instance. The techniques overlap with previous SparkRAT attacks, indicating that the threat actors draw on a broader range of tools.

RECOMMENDATIONS

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations:
* Prevent JavaScript files from launching automatically by changing the file associations for .js and .jse files.
* Create new Open With parameters in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options.
* Create parameters for the .jse and .js file extensions, associating them with notepad.exe or another text editor.
* Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2) activity, including from mobile devices.
* Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
* Only install apps from trusted sources, such as the software platform's official app store. Third-party sources might have lax standards for hosted applications, making it easier for malicious actors to upload and distribute malware.
* Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
* Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
* Educate end users about preventing malware infections.
  Encourage end users to practice good credential hygiene: limit the use of accounts with local or domain admin privileges, and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
* Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
* Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence.
* Prevent the use of unauthorized apps with application control, including on enterprise mobile devices.
* For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
* Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
  * Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  * Block executable content from email client and webmail.
  * Block execution of potentially obfuscated scripts.
  * Block JavaScript or VBScript from launching downloaded executable content.

ASSESS RULE IMPACT BEFORE DEPLOYMENT

You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in threat and vulnerability management. In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
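The two endpoint-hardening procedures in the list above (remapping .js/.jse away from the Windows Script Host, and rolling out the four named ASR rules in audit mode before block mode) can be applied and verified from PowerShell. The script below is an added example and not the article's or Microsoft's own tooling: it makes the per-user registry change that the Group Policy Preferences "Open With" item produces, stages the ASR rules in audit mode, and reads back the audit/block events so the impact review the article asks for can be done from logs. The rule GUIDs are Microsoft's published IDs for those four rules as I know them; confirm them against current Defender documentation. Reading the ProgID from HKEY_CLASSES_ROOT rather than assuming JSFile/JSEFile is my choice.

```powershell
# Added example; not code from the article. Run elevated, with Microsoft Defender
# Antivirus as the active AV (the ASR cmdlets require it). Assumptions are marked.

# --- 1. Make .js/.jse open in Notepad instead of the Windows Script Host ---
# The article does this with a Group Policy Preferences "Open With" item under
# User Configuration; this is the equivalent per-user registry change. Explorer
# resolves HKCU\Software\Classes ahead of HKLM\Software\Classes, so overriding
# the ProgID's open command here wins for the current user.
# Assumption: the extension is still mapped to a ProgID; the script reads whatever
# ProgID the extension points to rather than hard-coding JSFile/JSEFile.
$notepad = "$env:SystemRoot\System32\notepad.exe"
foreach ($ext in '.js', '.jse') {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { Write-Warning "$ext has no ProgID on this host; skipping"; continue }
    $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
    New-Item -Path $cmdKey -Force | Out-Null
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$notepad`" `"%1`""
    Write-Host ("{0} ({1}) now opens with: {2}" -f $ext, $progId, (Get-ItemProperty -Path $cmdKey).'(default)')
}

# --- 2. Stage the four ASR rules named above: audit first, then block ---
# GUIDs are Microsoft's published rule IDs; confirm them against the current
# Defender documentation before deploying at scale.
$asrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action)
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-9} {1}" -f $Action, $asrRules[$id])
    }
}

function Get-AsrHits {
    # Defender logs event 1122 when a rule would have fired in audit mode and
    # 1121 when it blocked; both carry the rule GUID and the process/file involved.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $props  = @($ev.Properties | ForEach-Object { [string]$_.Value })
        $ruleId = $asrRules.Keys | Where-Object { $props -match [regex]::Escape($_) } | Select-Object -First 1
        [pscustomobject]@{
            Time   = $ev.TimeCreated
            Mode   = if ($ev.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule   = if ($ruleId) { $asrRules[$ruleId] } else { 'other ASR rule' }
            Detail = $props -join ' | '
        }
    }
}

Set-AsrRules -Action AuditMode
Get-AsrHits -Days 7 | Format-Table -AutoSize
# After the review window, once the audit hits are only expected ones:
# Set-AsrRules -Action Enabled
```

Two caveats. The association change only affects what Explorer does on double-click (ShellExecute); a script launched explicitly with wscript.exe or cscript.exe still runs, which is why the "Block JavaScript or VBScript from launching downloaded executable content" rule is paired with it. And if a user has previously picked a different program through "Open with", the UserChoice mapping under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can point the extension at another ProgID, so verify the end result by double-clicking a harmless test .js file rather than trusting the registry write alone.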
See the screenshot below:

[Image: security recommendations in Microsoft Defender]

DETECTIONS/HUNTING QUERIES

MICROSOFT DEFENDER ANTIVIRUS

Microsoft Defender Antivirus detects the following malware threat components:
* Trojan:MSIL/DCRat.RDJ!MTB
* Trojan:MSIL/DCRat.JB
* Backdoor:Win32/DCRAT.JP!MTB
* Trojan:Win32/Znyonm
* Trojan:Win32/Leonem
* Trojan:Win32/Wacatac.B!ml
* Trojan:BAT/Starter.AMC!MTB

REFERENCES

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT, Cisco Talos (accessed 2024-10-24)

COPYRIGHT © Microsoft 2024. All rights reserved.