Russian-speaking users have become the target of a new campaign that distributes a commercial Trojan named DCRat (aka DarkCrystal RAT) using a technique known as HTML smuggling.
The development marks the first time this malware has been delivered using the method, a departure from previously observed delivery vectors such as compromised or spoofed websites, or phishing emails carrying PDF attachments or macro-enabled Microsoft Excel documents.
“HTML smuggling is primarily a payload delivery mechanism,” Nikhil Hegde, a researcher at Netskope, said in an analysis published Thursday. “The payload can be embedded in the HTML itself or retrieved from a remote resource.”
The HTML file, in turn, can be distributed through fake sites or spam campaigns. Once the file is opened in the victim’s web browser, the hidden payload is decoded and written to disk on the machine.
The attack then uses some level of social engineering to convince the victim to open the malicious payload.
Netskope said it discovered HTML pages mimicking TrueConf and VK in Russian that, when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to avoid detection. The ZIP payload contains an embedded RarSFX archive that eventually leads to the deployment of the DCRat malware.
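Turning the mechanics described above into a check, as an added example that is not part of the article or of Netskope’s research: a Python heuristic that flags HTML carrying the smuggling pattern (a long base64 literal decoded with atob, wrapped in a Blob and saved through a synthesized download) and base64-decodes such literals to see whether they are ZIP archives with the encryption bit set, matching the password-protected ZIP this campaign drops. The indicator names, scoring thresholds and sample HTML are constructed for this example.

```python
import base64
import re
import struct

# Heuristic indicators of the smuggling pattern: payload kept in the page as a
# base64 literal, decoded in the browser and saved through a synthesized download.
# Indicator names are this example's own, not from Netskope's report.
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")

def decode_zip_header(blob: bytes):
    """Return (is_zip, encrypted) by inspecting a ZIP local file header."""
    if len(blob) < 30 or blob[:4] != b"PK\x03\x04":
        return False, False
    flags = struct.unpack_from("<H", blob, 6)[0]   # general-purpose bit flags
    return True, bool(flags & 0x0001)               # bit 0: entry is encrypted

def analyze_html(html: str) -> dict:
    """Score an HTML document for smuggling indicators and embedded ZIP payloads."""
    hits = sorted(name for name, rx in JS_INDICATORS.items() if rx.search(html))
    embedded = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue   # long literal that is not valid base64
        is_zip, encrypted = decode_zip_header(raw)
        embedded.append({"bytes": len(raw), "zip": is_zip, "encrypted_zip": encrypted})
    score = (len(hits) + 2 * sum(e["zip"] for e in embedded)
             + 2 * sum(e["encrypted_zip"] for e in embedded))
    return {"indicators": hits, "embedded": embedded, "score": score,
            "suspicious": score >= 4}

# Constructed sample: a ZIP local file header with the encryption bit set plus
# filler, base64-encoded the way a smuggling page would embed it.
_hdr = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0x0001, 99,
                   0, 0, 0, 0, 0, 0, 0) + b"\0" * 32
SAMPLE_B64 = base64.b64encode(_hdr).decode()
SUSPICIOUS_HTML = f"""<script>
var d = "{SAMPLE_B64}";
var b = new Blob([Uint8Array.from(atob(d), c => c.charCodeAt(0))]);
var a = document.createElement("a"); a.href = URL.createObjectURL(b);
a.download = "update.zip"; a.click();
</script>"""
BENIGN_HTML = '<a href="/files/report.pdf" download="report.pdf">Report</a>'
```

Running `analyze_html` over the two constructed samples scores the smuggling page 9 (five JavaScript indicators plus an embedded, encrypted ZIP) and the plain download link 1, which stays under the threshold.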
First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be combined with additional plugins to extend its functionality. It can execute shell commands, record keystrokes, and steal files and credentials, among other things.
Organizations are encouraged to review HTTP and HTTPS traffic to ensure systems are not interacting with malicious domains.
The disclosure comes as Russian companies have been targeted by a threat cluster called “Stone Wolf”, which infected them with the Jellyfish stealer by sending phishing emails pretending to come from a legitimate industrial automation solutions provider.
“Adversaries continue to use archives with both malicious files and legitimate attachments that distract the victim,” BI.ZONE said. “By using the names and details of real organizations, attackers have a better chance of getting victims to download and open malicious attachments.”
It also follows the emergence of malicious campaigns that likely used Generative Artificial Intelligence (GenAI) to write the VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.
“The structure of the scripts, the comments, and the choice of function and variable names were strong clues that the threat actor used GenAI to create the malware,” HP Wolf Security said. “These actions show how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints.”