In a recent campaign targeting Russian-speaking users, the modular remote access trojan (RAT) known as DCRat was delivered through HTML smuggling, a delivery method not previously observed with this malware family. The payload itself is unchanged: DCRat still executes shell commands, logs keystrokes, exfiltrates files and steals credentials. What is new is the initial delivery stage, which widens the set of environments the operators can reach.
HTML smuggling hides an encoded payload (typically base64 inside a JavaScript string, either embedded in the page or fetched by the page's script from a remote source) within an otherwise ordinary HTML document. When the page loads, script running in the victim's browser decodes the bytes, wraps them in a Blob and triggers a file download. The archive or executable is therefore assembled on the endpoint rather than transferred as a file over the network, which sidesteps proxies and network-layer scanners that only ever see a web page. The technique has been used by several malware families, including Azorult and Pikabot, and is now used to deliver DCRat.
The threat actor behind this campaign used fake HTML pages masquerading as popular applications such as TrueConf and VK Messenger to trick victims into downloading password-protected ZIP archives. The pages triggered the download automatically in common browsers and displayed the archive password "2024" to the victim. Because the archive is encrypted, inline security tools that cannot open it have nothing to scan; the password is shown to the user precisely so that the human, not the scanner, is the one who unpacks it.
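The following is an added illustration of the mechanism described above, not code from the Netskope write-up or from the campaign. It shows the client-side assembly pattern (base64 string, Blob, synthetic anchor click) as text inside a constructed lure page, and a static check that flags that pattern together with an embedded ZIP whose first entry is marked encrypted. The lure page, the application name and the eight-byte "payload" (a ZIP local-file-header prefix, not malware) are all constructed here; the indicator names and the `analyzeHtml` function are this example's own.

```javascript
// Constructed "smuggled" payload: the first eight bytes of a ZIP local file
// header (signature "PK\x03\x04", version 20, general-purpose flags 0x0001).
// Bit 0 of the flags field marks the entry as password-protected.
const SMUGGLED_B64 = Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x01, 0x00]).toString("base64");

// Constructed lure page. The <script> text is the attacker-side pattern:
// decode the base64 in the browser, build a Blob, and click a synthetic
// <a download> so the archive is written to disk without ever crossing the
// network as a file. The password is shown to the victim on the page.
const SAMPLE_HTML = `<!doctype html>
<html><body>
<h1>TrueConf</h1>
<p>Archive password: 2024</p>
<script>
  const b64 = "${SMUGGLED_B64}";
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "trueconf.zip";
  document.body.appendChild(a);
  a.click();
</script>
</body></html>`;

// Rebuild the payload bytes the same way the victim's browser would.
function decodeSmuggledPayload(b64) {
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// ZIP local file header signature check.
function isZip(bytes) {
  return bytes.length >= 4 &&
    bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04;
}

// General-purpose flags live at offset 6 (little-endian); bit 0 = encrypted.
function zipFirstEntryEncrypted(bytes) {
  return isZip(bytes) && bytes.length >= 8 && (bytes[6] & 0x01) === 1;
}

// Pull quoted base64-looking literals out of the page so they can be decoded
// and sniffed. Only well-formed lengths (multiple of 4) are kept.
function extractBase64Literals(html) {
  const re = /["'`]([A-Za-z0-9+/]{8,}={0,2})["'`]/g;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].length % 4 === 0) found.push(m[1]);
  }
  return found;
}

// Static indicators of the smuggling pattern. Indicator names are this
// example's own labels, not a vendor taxonomy.
function smugglingIndicators(html) {
  const ind = [];
  if (/URL\.createObjectURL\s*\(/.test(html)) ind.push("createObjectURL");
  if (/msSaveOrOpenBlob|msSaveBlob/.test(html)) ind.push("msSaveBlob");
  if (/data:application\/octet-stream;base64,/.test(html)) ind.push("data-uri");
  if (/\.download\s*=|\bdownload\s*=\s*["']/.test(html)) ind.push("anchor-download");
  if (/\batob\s*\(/.test(html)) ind.push("atob");
  if (/\bpassword\b/i.test(html)) ind.push("password-in-page");
  for (const lit of extractBase64Literals(html)) {
    const bytes = decodeSmuggledPayload(lit);
    if (isZip(bytes)) ind.push(zipFirstEntryEncrypted(bytes) ? "embedded-zip-encrypted" : "embedded-zip");
  }
  return ind;
}

// Verdict: a drop vector, a forced download, and an embedded archive together.
function analyzeHtml(html) {
  const indicators = smugglingIndicators(html);
  const dropVector = ["createObjectURL", "msSaveBlob", "data-uri"].some((i) => indicators.includes(i));
  const embeddedArchive = indicators.some((i) => i.startsWith("embedded-zip"));
  return { indicators, suspicious: dropVector && indicators.includes("anchor-download") && embeddedArchive };
}

console.log(analyzeHtml(SAMPLE_HTML));
```

This string-level check is a starting point for a proxy or mail-gateway rule, not a complete detector: real lures split the base64 across variables, use custom decoders instead of `atob`, or XOR the bytes before decoding, and the only robust way to see the final file is to execute the page in a sandbox or isolated browser and inspect what it drops.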
The smuggling code in the HTML files was identified as originating from the open-source GitHub repository "TheCyb3rAlpha/BobTheSmuggler", so the delivery stage was built with a publicly available tool rather than custom code. The downloaded archive is itself nested: the password-protected ZIP contains further archives, each protected with its own password, and the DCRat payload is only reached after every layer has been extracted. This archive-in-archive wrapping is the evasion mechanism, since an inline scanner that does not know the password cannot open the container to inspect what is inside.
The DCRat executables themselves were packed with ENIGMA and VMProtect, and the samples appear to be older DCRat builds reused for this campaign rather than freshly compiled ones.
The use of HTML smuggling to deliver DCRat is a case of the delivery technique changing while the payload stays the same, which is why delivery-stage behaviour deserves its own detection content. To mitigate this threat, organizations are advised to inspect all HTTP and HTTPS traffic (including decrypted TLS, since the lure is served over HTTPS like any other page), apply URL filtering, and enforce threat-protection policies on downloaded files.
Additionally, Netskope recommends Remote Browser Isolation (RBI) when users access potentially risky or uncategorized websites. With RBI the page's script runs in an isolated remote browser, so a smuggled archive is assembled there rather than on the user's endpoint, which removes the client-side assembly step this technique depends on.
Tracking changes in delivery technique, and not only payload signatures, is what lets detection keep pace as campaigns like this one adapt.