
Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

Oct. 23, 2024, 8:49 a.m.

Description

A new phishing campaign targeting Russian-speaking users uses the open-source Gophish framework to deliver DarkCrystal RAT (DCRat) and a previously undocumented remote access trojan called PowerRAT. The attack relies on modular infection chains that begin either with malicious Microsoft Word documents or with HTML files containing embedded JavaScript. Gophish is used to send the phishing emails and stage the malware. The infection process runs through multiple stages, including Visual Basic macros, HTML applications, and PowerShell scripts. Both PowerRAT and DCRat support system reconnaissance, data exfiltration, and remote control. To evade detection, the attackers use techniques such as HTML smuggling and nested self-extracting archives.

Date

Published: Oct. 22, 2024, 9:56 p.m.

Created: Oct. 22, 2024, 9:56 p.m.

Modified: Oct. 23, 2024, 8:49 a.m.

Indicators

5.252.176.55

94.103.85.47

Attack Patterns

PowerRAT

DarkCrystal RAT

DCRat

T1120

T1059.001

T1547.001

T1059.007

T1056.001

T1113

T1105

T1055

T1204

T1140

T1053

T1041

T1566

Additional Information

Russian Federation