New campaign targets Russian-speaking users with DCRat. Russian-speaking users have become the focus of a new campaign distributing a commodity trojan known as DCRat (or DarkCrystal RAT) through a technique called HTML smuggling. This marks a significant shift in malware delivery methods.

The Shift to HTML Smuggling

Previously, attackers relied on compromised websites, phishing emails, or malicious PDF attachments. Now, HTML smuggling has emerged as a novel approach. According to Netskope researcher Nikhil Hegde, “HTML smuggling is primarily a payload delivery mechanism.” This technique allows the malware to be embedded directly within the HTML or retrieved from a remote resource.

How the Attack Works

Once attackers craft an HTML file, they can propagate it through fake websites or spam emails. When a victim opens this file in their web browser, the concealed payload is decoded and downloaded onto their machine. At this point, social engineering plays a crucial role in persuading the victim to execute the malicious payload.

Deceptive Tactics Uncovered

Netskope’s research revealed HTML pages that mimic legitimate services like TrueConf and VK in Russian. When victims open these pages, they automatically download a password-protected ZIP archive designed to evade detection. This archive contains a nested RarSFX file, ultimately leading to the installation of the DCRat malware.

First released in 2018, DCRat functions as a full-fledged backdoor. It boasts capabilities such as executing shell commands, logging keystrokes, and exfiltrating files and credentials, among other functions.

Recommendations for Organizations

Organizations should actively review their HTTP and HTTPS traffic to ensure their systems are not communicating with malicious domains. This proactive measure is essential for safeguarding sensitive information and preventing infections.

The Broader Threat Landscape

This campaign occurs amid a wider threat cluster dubbed Stone Wolf, which targets Russian companies. Attackers have been using phishing emails that impersonate legitimate providers of industrial automation solutions to spread Meduza Stealer. As BI.ZONE notes, “Adversaries continue to use archives with both malicious files and legitimate attachments to distract the victim.” By leveraging the names and data of real organizations, attackers significantly increase their chances of success.

The Role of Generative AI in Cyber Attacks

Additionally, recent campaigns appear to leverage generative artificial intelligence (GenAI) to craft VBScript and JavaScript code for spreading AsyncRAT through HTML smuggling. HP Wolf Security noted that “the scripts’ structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware.” This development illustrates how GenAI is accelerating attacks and lowering the barriers for cybercriminals aiming to infect endpoints.

In summary, as these threats evolve, it becomes increasingly vital for individuals and organizations to stay vigilant and implement effective security measures.

Read also: Android Telegram users hit by zero-day exploit.