DarkCrystal RAT Targets Ukrainian Telcos

Diving into details

• Threat actors are sharing malspam messages with the subject ‘Free Primary Legal Aid’ to disseminate the DarkCrystal RAT or DCRat onto victims’ systems. 
• The messages contain a password-protected attachment, titled ‘Algorithm of actions of members of the family of a missing serviceman LegalAid.rar’.
• Once the document is opened and the macro is enabled, a PowerShell command is executed.

About DCRat

Why this matters

• This strain of DCRat was packed with an unknown packer that conducted a check for computer names during the unpacking process. This ensured detection evasion.
• The packer contained way too much spaghetti code containing several jump instructions. This technique is similar to steganography, however, the malware code hides in a header instead of an image.

Lots of advisories 

• A malicious campaign against Ukrainian media organizations was found abusing the Follina flaw to spread the CrescentImp malware onto victims’ systems. 
• A few days back, the agency issued a warning about two Russian threat actors, APT28 and UAC-0098, exploiting Follina to deploy CredoMap malware and Cobalt Strike beacons. 
• In May, CERT-UA published an advisory warning against a phishing campaign with the subject ‘chemical attack’. Once the files were opened, they propagated the Jester malware.
• In April, an advisory warned against a social engineering campaign that was found installing the IcedID malware. The campaign was linked to the UAC-0041 threat cluster.  

The bottom line