DCRAT Impersonating the Colombian Government

A new email campaign distributing DCRAT (DarkCrystal RAT), a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base64 encoding, and multiple file drops. DCRAT features a modular architecture, comprehensive surveillance capabilities, information-theft functions, system-manipulation tools, file and process management, and browser credential harvesting. The attack chain begins with a phishing email carrying a ZIP attachment that contains a .bat file, which drops an obfuscated .vbs file. That script in turn runs a base64-encoded script that downloads and executes the final payload. The RAT uses several persistence mechanisms and anti-analysis techniques: it attempts to bypass the Windows Antimalware Scan Interface (AMSI) and repeatedly attempts to connect to its command-and-control server.

Author: AlienVault

Related Tags:
Credential Harvesting
T1497.001
DCRat
T1059.005
T1059.007
T1053.005
T1056.001
Obfuscation
remote access trojan

Associated Indicators:
77A22E30E4CC900379FD4B04C707D2DFD174858C8E1EE3F1CBECD4ECE1FAB3FE
34B8040D3DAD4BD9F34738FBC3363FCDA819AC479DB8497FB857865CEE77AD89
http://paste.ee/d/jYHEqBJ3/0
https://paste.ee/d/oAqRiS3g
https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg
176.65.144.19