Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

Oct. 23, 2024, 8:49 a.m.

Description

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT (DCRat) and a previously undocumented remote access trojan called PowerRAT. The attack uses modular infection chains that begin either with malicious Microsoft Word documents or with HTML files containing embedded JavaScript. Gophish is used to send the phishing emails and stage the malware. The infection process involves multiple stages, including Visual Basic macros, HTML applications, and PowerShell scripts. Both PowerRAT and DCRat provide system reconnaissance, data exfiltration, and remote control capabilities. The attackers use several techniques to evade detection, such as HTML smuggling and nested self-extracting archives.

Date

  • Created: Oct. 22, 2024, 9:56 p.m.
  • Published: Oct. 22, 2024, 9:56 p.m.
  • Modified: Oct. 23, 2024, 8:49 a.m.

Indicators

  • 5.252.176.55
  • 94.103.85.47

Attack Patterns

  • PowerRAT
  • DarkCrystal RAT
  • DCRat
  • T1120
  • T1059.001
  • T1547.001
  • T1059.007
  • T1056.001
  • T1113
  • T1105
  • T1055
  • T1204
  • T1140
  • T1053
  • T1041
  • T1566

Additional Information

  • Russian Federation