Back

DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine

June 6, 2024, 8:35 a.m.

Tags

rat
ukraine
cyber
2024-06-06
darkcrystal rat
darkcrystal
targeted

External References

https://cert.gov.ua/

https://otx.alienvault.com/

Description

This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts or group members. The attack involves sending an archive with a password and instructions to open the file on the victim's computer. The archive contains an executable file that is a RARSFX archive, which in turn contains malicious VBE, BAT, and EXE files that infect the system with DarkCrystal RAT, enabling unauthorized remote access. The report highlights the trend of increasing cyber attacks using messaging apps and compromised legitimate accounts, enticing victims to open files on their computers.

Date

Published Created Modified
June 6, 2024, 8:02 a.m. June 6, 2024, 8:02 a.m. June 6, 2024, 8:35 a.m.

Indicators

f59e4490a26c421b7d01d05193de927c773b9cbd6cbd91903b422a903ec301a1

f26ec43245406c30cc5efb7ad6d8e9018117919c4a03cec2972520e526db3b0c

d0d6c1f07382ca03866fc3ca198efa8e4a777ecd7ccdc517a4b6ddb7d2d1245e

ef6cd2c75b3370d1bcc95beb573ad09861e0ed22b2becc1c16cfff88dae5a157

b60ac68e278045aadb9ec3196327a90efebf8b48bbe7819c6bf0f5a4678efd62

8cc204cdd79c811b2d48d878f4cbfcc2e4db88bfaa17bf2c13351e338f8547b3

a7f896b2a2433fd178afffba59ace1c27ec4b4fa20ecc59ee7da7c96314c6b09

6bdd44d7b55d47ebd1a00fec6cfda0506efbacbe05022dada9c9dccb5d60909f

3ad5473cee7a16bddce171e42b2dbb42caf1bdfbf8f2ef280d956a9940500520

224e71eea37f1353ea8ee0fef0a513d7f0577dcec3241d6710ad249715a269c7

1418111224c143fba191efa1fe1a1c4a653b951e4bb07f6fd0b7782631571b93

02d657729837838d18bbe6b4bae44cab0e6d3a357836d7cd6a9bb7288543facb

188.245.50.32

http://188.245.50.32/VideocentralLocal/PublicdownloadsWp/python4RequestRequest/Javascript8Geovoiddb/pipepacketServer/cdn/18/_auth/ToBigloadPublic/dump/VideoPipephpHttpServerlinuxPublic.php

Attack Patterns

DarkCrystal RAT

T1053.001

T1021.006

T1589.001

T1003.001

T1021.001

T1053.005

T1573.002

T1059.003

T1071.001

T1204.002

T1105

T1566.001

T1570

T1219

T1027

Additional Informations

Defense

Government

Ukraine