A new cyberattack campaign has been discovered that uses HTML smuggling to spread the DCRat (also known as DarkCrystal RAT) malware to Russian-speaking users. This campaign is a departure from the malware's typical distribution methods, which included phishing emails, hijacked websites, and macro-enabled Excel documents.
HTML smuggling, a technique used to deliver malware, allows attackers to embed a malicious payload within an HTML file or retrieve it from a remote location. The file can be delivered through fake websites or malicious emails, commonly referred to as malspam. Once the victim opens the HTML file in their web browser, the hidden payload is decoded and downloaded onto their system. This method often uses social engineering tactics to encourage users to launch the malicious file.
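The paragraph above describes the mechanics a defender can key on: the payload is carried inside the HTML (or fetched later) and reassembled by browser-side JavaScript. The following added example, not code from the original article, is a small content-scanning heuristic that scores an HTML file on two signals: the JavaScript download primitives such pages need, and long base64 runs that decode to an archive or executable header. Both sample pages are constructed here; the "payload" in the suspect page is only a ZIP local-file-header magic followed by padding.

```python
import base64
import re

# Constructed sample pages (not from the original article).
BENIGN_HTML = """<html><body><h1>Meeting notes</h1>
<script>document.title = "Notes";</script></body></html>"""

# Inert stand-in for a smuggled archive: the 4-byte ZIP magic plus zero padding,
# enough to trip the file-magic check below but not a real archive.
_ZIP_STUB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SUSPECT_HTML = f"""<html><body><p>Loading...</p>
<script>
var d = "{_ZIP_STUB}";
var b = new Blob([Uint8Array.from(atob(d), c => c.charCodeAt(0))]);
var a = document.createElement("a");
a.href = URL.createObjectURL(b); a.download = "invite.zip";
</script></body></html>"""

# JavaScript primitives that co-occur in nearly every HTML smuggling page.
API_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob(")
# File magic for the container formats typically smuggled as the first stage.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"MZ": "pe", b"%PDF": "pdf"}
# A base64 run of at least 40 characters, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_blobs(html):
    """Return (b64_length, magic_label) for every long base64 run that decodes cleanly."""
    out = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        label = next((v for k, v in MAGIC.items() if raw.startswith(k)), None)
        out.append((len(m.group(0)), label))
    return out


def score_html(html):
    """Return (score, findings). Download primitives add up to 3; each embedded
    archive/executable header adds 2. A score of 3 or more is a sane triage cut."""
    findings, score = [], 0
    hits = [marker for marker in API_MARKERS if marker in html]
    if hits:
        findings.append("js-download-primitives:" + ",".join(hits))
        score += min(len(hits), 3)
    for b64_len, label in decoded_blobs(html):
        if label:
            findings.append(f"embedded-{label}-b64:{b64_len}")
            score += 2
    return score, findings


def is_suspicious(html, threshold=3):
    """Triage verdict for one HTML document."""
    return score_html(html)[0] >= threshold


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        print(name, score_html(page))
```

The base64 check is deliberately conservative: a run is only counted when it decodes with strict validation and starts with a known container magic, so inline images and fonts do not raise the score. Pages that fetch the payload from a remote location (the second variant the article mentions) will only trip the primitive check, which is why that signal is kept separate from the embedded-blob signal.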
Security researchers have discovered fake HTML pages mimicking well-known Russian platforms like TrueConf and VK. When accessed, these pages automatically download a password-protected ZIP archive, the password protection being there to bypass detection mechanisms. Inside this ZIP file is a self-extracting RAR (RarSFX) archive, which, when executed, ultimately installs DCRat malware onto the victim's machine.
DCRat, first released in 2018, is a sophisticated RAT (remote access trojan) that functions as a backdoor into infected systems. Its capabilities can be extended through plugins, allowing it to execute a variety of malicious activities. These include executing shell commands, logging keystrokes, and exfiltrating files and sensitive credentials.
Experts recommend that organisations monitor their HTTP and HTTPS traffic closely, as this may help identify and block communications with malicious domains. By doing so, they can better protect themselves from becoming targets of these attacks.
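One way to act on that recommendation is to triage web proxy logs for the pattern this campaign produces: a client loads an HTML page from a host impersonating a brand, then pulls an archive from the same host within seconds. The added example below is not from the article or any vendor; the log lines, the blocklist entry and the lookalike hosts are constructed placeholders, and the legitimate hostnames for TrueConf and VK are assumptions used only to whitelist the real brands.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the article): epoch time, client IP,
# method, URL, HTTP status, Content-Type. Hosts under .example / .invalid are placeholders.
LOG_LINES = """\
1700000000 10.0.0.5 GET https://trueconf.ru/ 200 text/html
1700000011 10.0.0.5 GET https://trueconf-meet.example/join 200 text/html
1700000013 10.0.0.5 GET https://trueconf-meet.example/invite.zip 200 application/zip
1700000100 10.0.0.7 GET https://vk.com/feed 200 text/html
1700000140 10.0.0.7 GET https://cdn.example/lib.js 200 application/javascript
1700000200 10.0.0.9 GET https://c2.placeholder.invalid/beacon 200 text/plain
"""

# Assumed legitimate hosts for the brands the article names.
LEGIT = {"trueconf": {"trueconf.ru", "www.trueconf.ru"},
         "vk": {"vk.com", "www.vk.com"}}
# Placeholder blocklist; in practice this comes from threat intelligence.
BLOCKLIST = {"c2.placeholder.invalid"}
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed",
                 "application/vnd.rar", "application/x-7z-compressed"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)
WINDOW = 60  # max seconds between the HTML fetch and the archive download


def parse_line(line):
    """Split one constructed log line into the fields the rules need."""
    ts, client, _method, url, _status, ctype = line.split()
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "host": parts.hostname.lower(),
            "path": parts.path, "ctype": ctype.lower()}


def brand_lookalike(host):
    """Return the brand name if the host uses it as a label but is not the real site."""
    tokens = set(re.split(r"[.-]", host))
    for brand, legit in LEGIT.items():
        if brand in tokens and host not in legit:
            return brand
    return None


def triage(lines):
    """Run the three rules over the log and return de-duplicated alerts in order."""
    events = [parse_line(l) for l in lines.strip().splitlines()]
    alerts = []
    last_html = defaultdict(dict)  # client -> host -> timestamp of last HTML fetch
    for e in events:
        if e["host"] in BLOCKLIST:
            alerts.append(("blocklist", e["client"], e["host"]))
        brand = brand_lookalike(e["host"])
        if brand:
            alerts.append(("lookalike-" + brand, e["client"], e["host"]))
        if e["ctype"].startswith("text/html"):
            last_html[e["client"]][e["host"]] = e["ts"]
        elif e["ctype"] in ARCHIVE_TYPES or ARCHIVE_EXT.search(e["path"]):
            t = last_html[e["client"]].get(e["host"])
            if t is not None and e["ts"] - t <= WINDOW:
                alerts.append(("html-then-archive", e["client"], e["host"]))
    return list(dict.fromkeys(alerts))


if __name__ == "__main__":
    for alert in triage(LOG_LINES):
        print(alert)
```

The html-then-archive rule only matches when page and archive come from the same host, which fits the embedded-payload variant; for pages that retrieve the payload elsewhere, widen the match to any archive download by the same client inside the window and accept the extra noise. HTTPS traffic yields these fields only where the proxy terminates TLS; otherwise the blocklist and lookalike rules still work on the SNI or CONNECT hostname.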
This campaign coincides with other malicious activities aimed at Russian organisations. The threat group Stone Wolf has been targeting companies in Russia by distributing the Meduza Stealer malware through phishing emails that appear to come from legitimate industrial automation providers. Attackers have also been observed using a mix of malicious and genuine attachments to confuse and trick victims into downloading harmful files.
Additionally, some of these cyberattacks may be leveraging generative artificial intelligence (GenAI) to create scripts that aid in spreading malware. These AI-generated scripts, used in conjunction with HTML smuggling, are making it easier for cybercriminals to craft sophisticated attacks at a faster rate, lowering the barrier to entry into cybercrime.
The growing sophistication of these tactics highlights the increasing need for businesses to remain vigilant and adopt strong cybersecurity measures to protect against emerging threats.