Phishing Campaign Targeting Companies via UpCrypter

Aug. 26, 2025, 8:27 a.m.

Description

A sophisticated phishing campaign has been identified that uses carefully crafted emails to deliver malicious URLs pointing to convincing phishing pages. These pages entice recipients to download JavaScript files that act as droppers for UpCrypter, a loader that ultimately deploys several remote access tools (RATs). The attack chain begins with obfuscated scripts that redirect victims to spoofed sites personalized with the target's email domain. The campaign uses several lures, including voicemail-themed and purchase-order-themed emails. UpCrypter, the central loader framework, stages and deploys multiple RATs, including PureHVNC, DCRat, and Babylon RAT. The malware employs anti-VM and anti-analysis techniques, downloads additional payloads, and establishes persistence. The campaign operates globally and affects multiple industries, demonstrating an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments.

Date

  • Created: Aug. 26, 2025, 12:06 a.m.
  • Published: Aug. 26, 2025, 12:06 a.m.
  • Modified: Aug. 26, 2025, 8:27 a.m.

Indicators

Attack Patterns

Additional Information

  • Construction
  • Retail
  • Hospitality
  • Technology
  • Healthcare
  • Manufacturing