Category | Details |
---|---|
Threat Actors | Unknown threat actor using the open-source Gophish phishing toolkit |
Campaign Overview | Phishing campaign using modular infection chains (Maldoc or HTML-based). Targets Russian-speaking users with PowerRAT and DCRAT payloads. |
Target Regions (Victims) | Russian-speaking users in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan. |
Methodology | Phishing emails carrying either a malicious Word document (macro-based chain) or an HTML file with embedded JavaScript (HTML-based chain). Both chains require user interaction (opening the attachment and enabling macros or running the dropped script) before the infection starts. |
Product Targeted | Microsoft Word (for Maldoc-based infection). |
Malware Reference | PowerRAT (new PowerShell-based RAT), DCRAT (commodity remote access trojan). |
Tools Used | Gophish (phishing toolkit), PowerShell (payload scripting and in-memory execution), cscript.exe (Windows Script Host, used to execute the JavaScript stage). |
Vulnerabilities Exploited | No software vulnerability; the chains rely on social engineering. Persistence is achieved by abusing the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows so the malicious script is launched automatically at user logon. |
TTPs | Phishing; social engineering (lure redirects to a fake VK page); malicious Word macros; PowerShell for in-memory execution; Base64 encoding to obscure payloads; registry-based logon persistence. |
Attribution | Unspecified (no clear attribution to a specific actor, but campaign targets Russian-speaking regions). |
Recommendations | Security awareness training; advanced email filtering (block or sandbox macro-enabled documents and HTML attachments); monitoring for abnormal registry changes, in particular writes to the Winlogon Load value; endpoint detection and response (EDR). |
Source | Cisco Talos Blog |
Read full article: https://blog.talosintelligence.com/gophish-powerrat-dcrat/
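The summary's recommendation to watch the registry persistence location can be turned into a concrete check. The script below is an added example, not code from the Talos post or from the malware it describes: it enumerates every loaded user hive, reads the Load and Run values under `Software\Microsoft\Windows NT\CurrentVersion\Windows` (empty on a clean install), and flags any entry whose executable is a script host such as cscript.exe, wscript.exe, mshta.exe or powershell.exe. The list of script hosts and the SID pattern are the example's own assumptions; it assumes it is run elevated on the host being audited.

```powershell
# Added example: audit the Winlogon "Load"/"Run" registry values used for
# logon persistence. Not from the Talos article; assumptions are marked.

# Assumed list of interpreters an attacker would typically point the value at.
$SuspiciousHosts = 'cscript', 'wscript', 'mshta', 'powershell', 'pwsh', 'rundll32', 'regsvr32'

function Test-LoadValuePersistence {
    param(
        # Registry path of a user's "...\Windows NT\CurrentVersion\Windows" key.
        [Parameter(Mandatory)][string]$Path,
        # Label for the owning principal (SID or user name) in the output.
        [string]$Principal = $env:USERNAME
    )
    $results = @()
    if (-not (Test-Path -Path $Path)) { return $results }
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in 'Load', 'Run') {
        $value = $key.$name
        # A clean Windows install leaves both values absent or empty, so any
        # content at all is worth reporting, even if it is not a script host.
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # First token is the program; strip surrounding quotes if present.
        $exe = ($value -split '\s+')[0].Trim('"')
        $isScriptHost = [bool]($SuspiciousHosts | Where-Object { $exe -match $_ })
        $results += [PSCustomObject]@{
            Principal  = $Principal
            Value      = $name
            Command    = $value
            ScriptHost = $isScriptHost
            # Path still on disk? Missing binaries can mean a cleaned-up dropper.
            OnDisk     = Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue
        }
    }
    return $results
}

# Walk all loaded user hives so logged-off profiles are not missed.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }   # assumed: domain/local user SIDs only

$findings = foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    Test-LoadValuePersistence -Path "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Principal $sid
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Load/Run values set in any loaded user hive.'
}
```

For continuous monitoring rather than a point-in-time audit, the same location maps directly to Sysmon Event ID 13 (registry value set) with a `TargetObject` ending in `\Windows NT\CurrentVersion\Windows\Load`; a rule on that path plus a writing process of winword.exe, cscript.exe or powershell.exe covers both infection chains described in the summary.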
The above summary has been generated by an AI language model