Ukraine has been suffering a constant barrage of cyberattacks, and CERT-UA has issued several advisories about them. Most recently, the agency published another warning, this time about a campaign targeting Ukrainian telecommunications operators.

Diving into details

  • Threat actors are sending malspam messages with the subject ‘Free Primary Legal Aid’ to deliver the DarkCrystal RAT (DCRat) to victims’ systems.
  • The messages contain a password-protected attachment, titled ‘Algorithm of actions of members of the family of a missing serviceman LegalAid.rar’.
  • Once the document is opened and its embedded macro is enabled, a PowerShell command is executed.

About DCRat

A commercial .NET malware, DarkCrystal RAT surfaced in 2018. It can steal data from compromised hosts, log keystrokes, capture screenshots, pilfer cookies, passwords, and other data from browsers, and gather machine information. In early May, the trojan was being sold on Russian underground forums at low prices.

Why this matters

  • This strain of DCRat was packed with an unknown packer that checked the computer name during unpacking, a step intended to evade detection.
  • The packer also contained a large amount of spaghetti code with many jump instructions. The technique resembles steganography, except that the malicious code is hidden in a header rather than in an image.

Lots of advisories 

As mentioned above, Ukraine has been facing constant cyberattacks since the geopolitical conflict began. Here are some of the most recent attacks against the nation that CERT-UA has warned about.

  • A malicious campaign against Ukrainian media organizations was found abusing the Follina flaw to spread the CrescentImp malware onto victims’ systems. 
  • A few days back, the agency issued a warning about two Russian threat actors, APT28 and UAC-0098, exploiting Follina to deploy CredoMap malware and Cobalt Strike beacons. 
  • In May, CERT-UA published an advisory warning against a phishing campaign with the subject ‘chemical attack’. Once the files were opened, they propagated the Jester malware.
  • In April, an advisory warned against a social engineering campaign that was found installing the IcedID malware. The campaign was linked to the UAC-0041 threat cluster.  

The bottom line

The threat actor leveraged multiple attack vectors to increase the chances of success. DCRat is a relatively inexpensive but very capable malware. It mainly focuses on data exfiltration and the stolen data can be used for further attacks.
Cyware Publisher