DCRat Trojan Evolves: HTML Smuggling Marks New Delivery Method
Russian-speaking users have become the target of a new cyberattack that deploys the DCRat trojan (also known as DarkCrystal RAT) through the technique of HTML Smuggling. This marks the first instance of such a delivery method for this malware. Previously, it was disseminated solely through fake websites or phishing emails containing malicious PDF and Excel files.
Netskope researcher Nikhil Hegde highlights that the malicious code can either be embedded directly into an HTML file or downloaded from an external source. These HTML files are distributed via fake websites or spam emails, and when opened in a browser, the malicious code is downloaded to the victim’s computer.
To execute a successful attack, cybercriminals employ social engineering tactics, persuading victims to open the downloaded file. Netskope identified HTML pages impersonating a number of Russian-language sites, including the video conferencing platform TrueConf and the social network VK. When the fake pages are opened, an encrypted ZIP archive containing a RarSFX file is automatically downloaded to the victim’s computer, ultimately launching the DCRat trojan.
First detected in 2018, DCRat is capable of functioning as a fully-fledged backdoor, with the ability to install additional plugins to enhance its capabilities. The malware can execute arbitrary commands in the command line, monitor keystrokes, and steal files and credentials. Experts recommend that organizations monitor HTTP and HTTPS traffic for signs of communication with suspicious domains.
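One way to act on the monitoring recommendation above, as an added example that is not part of the original article and not Netskope's or anyone else's detection tooling: a Python triage script that runs over a constructed excerpt of web proxy logs. It keys on two signals that the delivery method described above leaves on the wire. First, in the embedded-payload variant the archive is assembled inside the browser, so no separate archive object ever transits the network; the only artefact is the HTML response itself, which is far larger than a normal landing page. Second, the landing pages impersonate known brands (here TrueConf and VK), so hosts that reuse a brand label without being the brand's real domain deserve a closer look. Everything in the block is an assumption for the demo: the simplified "time client method url status content-type bytes" log format, the allow-list of legitimate hosts, the 1 MB size threshold and the `.example` host names.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Legitimate hosts of the brands the campaign impersonated (assumption: this
# allow-list is constructed for the example; a deployment would use a maintained one).
LEGIT_HOSTS = {"trueconf.ru", "trueconf.com", "vk.com"}
BRAND_LABELS = {"trueconf", "vk"}

# An HTML response above this size is unusual for a landing page and hints that an
# archive may be embedded in it (assumption: threshold chosen for the demo).
HTML_SIZE_THRESHOLD = 1_000_000

# Constructed proxy log excerpt (assumption: simplified format, not a vendor format).
SAMPLE_LOG = """\
2024-09-24T09:12:01Z 10.0.0.15 GET https://trueconf.ru/download/ 200 text/html 18422
2024-09-24T09:14:37Z 10.0.0.23 GET https://trueconf-online.example/meet/ 200 text/html 1482211
2024-09-24T09:15:02Z 10.0.0.23 GET https://cdn.example.net/app.js 200 application/javascript 40211
2024-09-24T09:30:10Z 10.0.0.31 GET https://vk.com/feed 200 text/html 91233
2024-09-24T09:31:44Z 10.0.0.42 GET https://vk-video.example/watch 200 text/html 2204519
2024-09-24T09:40:00Z 10.0.0.42 GET https://updates.example.org/pkg.zip 200 application/zip 3100000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)\s+(?P<size>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def lookalike_brand(host):
    """Return the brand label a host imitates, or None for legitimate/unrelated hosts."""
    if host in LEGIT_HOSTS:
        return None
    labels = [part for part in re.split(r"[.-]", host.lower()) if part]
    for brand in BRAND_LABELS:
        if brand in labels:
            return brand
        # Near-misses such as a swapped or dropped letter in the label (skip the TLD).
        for label in labels[:-1]:
            if len(label) >= 4 and SequenceMatcher(None, label, brand).ratio() >= 0.85:
                return brand
    return None


def analyze(log_text):
    """Return one alert per suspicious request, each listing the reasons it fired."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        brand = lookalike_brand(rec["host"])
        if brand:
            reasons.append(f"lookalike:{brand}")
        # Oversized text/html is the network-visible trace of an embedded archive.
        if rec["ctype"].startswith("text/html") and rec["size"] > HTML_SIZE_THRESHOLD:
            reasons.append("oversized_html")
        if reasons:
            alerts.append({"client": rec["client"], "host": rec["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run on the sample, the script flags the two lookalike hosts that served multi-megabyte HTML and leaves the genuine TrueConf and VK requests and the ordinary `.zip` download alone. The size heuristic is deliberately blunt; in practice it is combined with domain age or reputation, and the flagged clients are then checked on the endpoint for an archive that appeared in the browser's download folder without a matching proxy entry.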
Alongside this campaign, another group of cybercriminals, known as Stone Wolf, has targeted Russian companies by distributing the Meduza Stealer malware through phishing emails disguised as offers from legitimate industrial solution providers.
BI.ZONE specialists note that attackers often use archives containing both malicious files and seemingly legitimate attachments to divert the victim’s attention. The use of real organization names increases the likelihood of successful infection.
Additionally, specialists are increasingly uncovering campaigns where malicious VBScript and JavaScript code is generated with the help of artificial intelligence to spread AsyncRAT through HTML Smuggling. HP Wolf Security experts believe this activity indicates how AI accelerates both the preparation and the execution of attacks for cybercriminals.