
    HTML Smuggling Tactic Unleashes DCRat Malware on Russian-Speaking Users

    A wave of malicious activity has recently set its sights on Russian-speaking individuals, distributing the notorious commodity trojan DCRat (also known as DarkCrystal RAT) through an advanced technique known as HTML smuggling.

    This marks a significant shift in the deployment strategies for the malware, which had previously relied on conventional vectors such as compromised websites, counterfeit portals, or phishing schemes embedded with PDF files or Excel documents containing dangerous macros.

    “HTML smuggling serves as a novel mechanism for delivering payloads,” explained Nikhil Hegde, a researcher at Netskope, in an analysis released Thursday. “The malware can either be embedded directly within the HTML structure or fetched from a remote host.”

    This sinister HTML file can be delivered via fraudulent websites or malicious email campaigns, commonly referred to as malspam. When the unsuspecting user opens it, script running in the browser decodes the embedded payload and writes it to the targeted system as a file download.

    The success of the attack hinges heavily on social engineering techniques to entice the victim into executing the nefarious payload.

    Netskope’s investigation uncovered HTML pages designed to imitate Russian-language platforms like TrueConf and VK. When opened, these deceptive pages automatically drop a password-protected ZIP file onto the victim’s computer, a choice aimed at slipping under the radar of detection tools that cannot inspect encrypted archives. Inside the ZIP lies a self-extracting RAR (RarSFX) archive, which, when unpacked, eventually installs the DCRat malware.

    DCRat, initially introduced in 2018, is a modular backdoor whose capabilities can be extended with plugins. It can run shell commands, capture keystrokes, siphon files, and steal login credentials, among other functionalities.

    To defend against this threat, organizations are advised to inspect HTTP and HTTPS traffic and ensure that their systems are not communicating with suspicious domains.
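    Complementing the network-level advice above, the HTML that reaches a mail gateway or endpoint can itself be scored for the hallmarks of the technique described earlier: a payload either embedded in the page as base64 or fetched from a remote host, reassembled in the browser as a Blob, and handed to the download path under an archive filename. The following is an added example, not code from Netskope or the article; the indicator list, weights and threshold are assumptions, and both sample pages are constructed (the base64 is filler and no real download occurs).

```python
import re
from dataclasses import dataclass, field

# One point per client-side assembly API; these also appear in benign pages
# (e.g. CSV export), so on their own they are weak signals.
ASSEMBLY_APIS = [
    (r"\batob\s*\(", "base64 decode in script (atob)"),
    (r"\bnew\s+Blob\s*\(", "in-memory Blob construction"),
    (r"URL\.createObjectURL\s*\(", "object URL created for a Blob"),
    (r"msSaveOrOpenBlob", "legacy IE/Edge Blob save API"),
    (r"\.download\s*=", "download attribute set from script"),
    (r"\.click\s*\(\s*\)", "scripted click to trigger the download"),
]
REMOTE_FETCH = re.compile(r"\bfetch\s*\(\s*[\"']https?://", re.I)   # fetched variant
ARCHIVE_NAME = re.compile(r"[\"'][^\"'<>]+\.(zip|rar|exe|iso|img)[\"']", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")                 # embedded variant

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    embedded_payload_bytes: int = 0  # estimated decoded size of an inline payload

def scan_html(html: str) -> Verdict:
    """Score an HTML document for HTML-smuggling indicators (assumed weights)."""
    v = Verdict()
    for pattern, label in ASSEMBLY_APIS:
        if re.search(pattern, html):
            v.score += 1
            v.reasons.append(label)
    if REMOTE_FETCH.search(html):
        v.score += 1
        v.reasons.append("payload fetched from a remote host")
    if ARCHIVE_NAME.search(html):
        v.score += 2
        v.reasons.append("download filename with archive/executable extension")
    for blob in B64_BLOB.findall(html):
        v.score += 2
        v.reasons.append("large base64 string embedded in page")
        v.embedded_payload_bytes += len(blob.rstrip("=")) * 3 // 4
    return v

def is_suspicious(v: Verdict, threshold: int = 5) -> bool:
    # Blob + object URL + download + click alone (a CSV export) stays below 5.
    return v.score >= threshold

# Constructed samples, not real lures: filler base64, nothing is actually dropped.
SMUGGLING_SAMPLE = ('<html><body><p>Loading client...</p><script>\n'
    'var data = "' + "QUJD" * 150 + '";\n'
    'var blob = new Blob([atob(data)], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a"); a.href = URL.createObjectURL(blob);\n'
    'a.download = "update.zip"; a.click();\n</script></body></html>')
BENIGN_SAMPLE = ('<script>function exportCsv(rows) {\n'
    '  var blob = new Blob([rows.join("\\n")], {type: "text/csv"});\n'
    '  var a = document.createElement("a"); a.href = URL.createObjectURL(blob);\n'
    '  a.download = "report.csv"; a.click(); }</script>')
```

    The estimated payload size is useful for correlating a flagged page with the size of the ZIP that later appears on disk.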

    This development comes amid a broader wave of attacks targeting Russian businesses, notably from a threat group dubbed Stone Wolf. This cluster has been distributing Meduza Stealer through phishing emails that impersonate legitimate industrial automation vendors.

    “Threat actors continue to bundle malicious files alongside legitimate-looking attachments, effectively diverting the victim’s attention,” warned BI.ZONE. By leveraging the names and branding of real companies, cybercriminals are enhancing their chances of deceiving their targets into downloading and executing harmful attachments.

    Adding to the threat landscape, there are growing indications that cybercriminals have started employing generative artificial intelligence (GenAI) to craft VBScript and JavaScript code, which is used to disseminate the AsyncRAT malware through HTML smuggling techniques.

    “The structure of the scripts, including comments and the choice of function names and variables, strongly suggests that GenAI was used to develop this malware,” noted HP Wolf Security. “This trend demonstrates how GenAI is accelerating cyberattacks, reducing the skill threshold required for hackers to compromise systems.”
