Threat Analysis: DCRat presence growing in Latin America
June 8, 2025, 4:55 p.m.
Description
Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's presence has increased in Latin America since 2024. The infection chain involves downloading a loader called VMDetectLoader, which uses process hollowing to inject DCRat into memory. VMDetectLoader can detect virtual machines and create persistence through scheduled tasks or registry keys. DCRat has various capabilities including recording victims, file manipulation, and keystroke logging. IBM X-Force assesses that Latin America will continue facing targeting from actors deploying banking trojans via phishing campaigns.
Date
- Created: June 6, 2025, 11:02 a.m.
- Published: June 6, 2025, 11:02 a.m.
- Modified: June 8, 2025, 4:55 p.m.
Indicators
- 1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140
- 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
- feb18.freeddns.org
Additional Information
- Finance
- Government
- Colombia