Sep 27, 2024 | Ravie Lakshmanan | GenAI / Cybercrime
Russian-speaking users are the targets of a new cybercrime campaign distributing DCRat (aka DarkCrystal RAT), a commodity trojan, using an innovative technique called HTML smuggling.
This marks the first time DCRat has been deployed using HTML smuggling, a departure from its traditional delivery methods involving compromised websites, fake sites, phishing emails with PDF attachments, or macro-laden Excel documents.
“HTML smuggling serves as a payload delivery mechanism,” stated Netskope researcher Nikhil Hegde in a recent analysis. “The payload can be embedded within the HTML or retrieved from a remote source.”
The attack involves the distribution of HTML files via fake websites or malicious spam campaigns. Once opened in the victim’s browser, the concealed payload is decoded and downloaded onto the victim’s machine.
The attack relies on social engineering tactics to convince the victim to open the malicious payload.
Netskope discovered HTML pages impersonating TrueConf and VK in Russian which, when opened, trigger an automatic download of a password-protected ZIP archive to disk; the password protection helps the archive evade content scanning. The ZIP contains a nested RarSFX archive that eventually deploys the DCRat malware.
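The mechanism described above (a base64 payload embedded in the HTML, decoded by the browser and saved to disk as a password-protected ZIP) leaves recognisable traces in the HTML file itself. The following Python triage script is an added example and is not code from Netskope or from this article: it flags the JavaScript constructs that HTML smuggling pages combine, extracts any long base64 run, identifies the decoded payload by its magic bytes, and checks the first ZIP local-file header for the encryption flag. The indicator list, the 200-character base64 threshold, and the sample HTML and ZIP header are constructed for the example and are not taken from the campaign.

```python
import base64
import binascii
import hashlib
import re
import struct
from dataclasses import dataclass, field

# JavaScript constructs typically combined in an HTML smuggling page: the
# browser decodes an embedded string and hands it to the user as a download.
# Indicator list is an assumption chosen for this example.
SMUGGLING_INDICATORS = {
    "atob(": "base64 decode in the browser",
    "new Blob(": "in-memory file built from decoded bytes",
    "URL.createObjectURL(": "blob exposed as a downloadable URL",
    "msSaveOrOpenBlob": "legacy IE/Edge save-to-disk API",
    ".download =": "programmatic <a download> attribute",
    ".click()": "synthetic click that triggers the download",
}

# Long base64 runs; 200 characters is an arbitrary floor that skips short
# tokens such as inline icons.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"MZ": "pe", b"%PDF": "pdf"}


@dataclass
class Finding:
    indicators: dict
    payloads: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Several download-glue constructs plus an embedded file is the pattern.
        return len(self.indicators) >= 3 and bool(self.payloads)


def identify(blob: bytes) -> str:
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def zip_is_encrypted(blob: bytes) -> bool:
    """General-purpose bit 0 of the first local file header marks the entry
    as password-protected (the evasion the article describes)."""
    if len(blob) < 30 or not blob.startswith(b"PK\x03\x04"):
        return False
    flags = struct.unpack_from("<H", blob, 6)[0]
    return bool(flags & 0x0001)


def scan_html(html: str) -> Finding:
    hits = {k: v for k, v in SMUGGLING_INDICATORS.items() if k in html}
    finding = Finding(indicators=hits)
    for match in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue
        kind = identify(raw)
        finding.payloads.append({
            "offset": match.start(),
            "size": len(raw),
            "type": kind,
            "sha256": hashlib.sha256(raw).hexdigest(),
            "encrypted_zip": kind == "zip" and zip_is_encrypted(raw),
        })
    return finding


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed stand-in: one ZIP local file header plus filler, enough to
    exercise the magic-byte and flag checks (not a valid archive)."""
    flags = 0x0001 if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags,
                         0, 0, 0, 0, 0, 0, 9, 0)
    return header + b"setup.exe" + b"\x00" * 160


# Constructed test fixture with the indicator set; payload and filename are fake.
SAMPLE_HTML = """<!doctype html><html><body><p>Loading client...</p>
<script>
  var data = "__B64__";
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/zip" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "client_update.zip";
  a.click();
</script></body></html>
""".replace("__B64__", base64.b64encode(build_sample_zip(True)).decode())


if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    print("suspicious:", result.suspicious)
    for name, why in result.indicators.items():
        print(f"  indicator {name!r}: {why}")
    for p in result.payloads:
        print(f"  payload {p['type']} {p['size']} bytes sha256={p['sha256'][:16]}... "
              f"encrypted_zip={p['encrypted_zip']}")
```

Run it over HTML attachments or proxy-captured pages; a hit with an embedded archive whose first entry is encrypted is worth quarantining for analyst review, since the password protection defeats the content inspection that would otherwise catch the RarSFX stage.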
DCRat, initially released in 2018, is a potent backdoor that can execute shell commands, log keystrokes, exfiltrate files and credentials, and more.
Organizations are advised to monitor HTTP and HTTPS traffic to prevent communication with malicious domains.
Russian companies are also being targeted by a threat cluster named Stone Wolf, which distributes Meduza Stealer through phishing emails posing as a legitimate industrial automation solutions provider.
This development follows recent malicious campaigns that likely used generative artificial intelligence (GenAI) to create the VBScript and JavaScript code used to spread AsyncRAT via HTML smuggling.
“Adversaries are employing authentic organization names and data to deceive victims into downloading and opening malicious attachments,” stated BI.ZONE.
HP Wolf Security has separately reported that cybercriminals are using GenAI to accelerate attacks and infect endpoints more efficiently.