Russian-speaking users have been targeted in a new campaign aimed at distributing a commodity trojan known as DCRat (aka DarkCrystal RAT) using HTML smuggling.
This is the first time the malware has been propagated via this technique, which differs from past delivery channels such as hijacked or bogus websites, phishing emails with PDF attachments, or macro-laced Microsoft Excel documents.
"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde stated in an analysis published last week. "The payload can be embedded within the HTML itself or retrieved from a remote resource."
The HTML file, in turn, can be distributed through fraudulent websites or malspam operations. When the file is opened in the victim's web browser, the hidden payload is decoded and written to disk. The attack then relies on some form of social engineering to persuade the victim to open the dropped payload.
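One way for a defender to triage HTML attachments and downloads for this delivery pattern, as an added example written for this article (not Netskope's tooling): a heuristic scanner that flags pages which decode an embedded blob in the browser and hand it to a file download. The sample pages, the indicator list and the weights are constructed assumptions for the example.

```python
import base64
import re

# Constructed sample input (not from the campaign): a minimal page built the way
# the article describes HTML smuggling, with the "archive" embedded as base64,
# decoded in the browser, wrapped in a Blob and pushed to disk as a download.
# The embedded bytes are a harmless placeholder, not a real archive.
FAKE_B64 = base64.b64encode(b"placeholder bytes, not a real archive " * 6).decode()
SAMPLE_HTML = """<html><body><script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "dokument.zip";
a.click();
</script></body></html>""".replace("__B64__", FAKE_B64)

# Ordinary page with a plain download link: should not be flagged.
BENIGN_HTML = '<html><body><a href="report.pdf" download="report.pdf">Report</a></body></html>'

# (name, regex, weight). Weights are a heuristic chosen for this example,
# not a published scoring scheme; tune them against your own HTML corpus.
INDICATORS = [
    ("base64-decode", r"\batob\s*\(", 1),
    ("blob-construct", r"new\s+Blob\s*\(", 2),
    ("object-url", r"URL\.createObjectURL\s*\(", 2),
    ("download-attr", r"download\s*=\s*['\"]", 2),
    ("ms-save-blob", r"msSaveOrOpenBlob", 2),
    ("auto-click", r"\.click\s*\(\s*\)", 1),
    ("embedded-blob", r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]", 2),
]


def scan_html(html: str, threshold: int = 5) -> dict:
    """Score one HTML document for in-browser payload assembly and file drops."""
    hits = [(name, weight) for name, pattern, weight in INDICATORS
            if re.search(pattern, html)]
    score = sum(weight for _, weight in hits)
    # File names the page would write to disk, useful for triage and hunting.
    filenames = re.findall(r"download\s*=\s*['\"]([^'\"]+)['\"]", html)
    return {
        "hits": [name for name, _ in hits],
        "score": score,
        "suspicious": score >= threshold,
        "filenames": filenames,
    }
```

A single `download` attribute on a normal link scores below the threshold, so the benign page is not flagged; the smuggling page trips every in-browser assembly indicator and reports the dropped file name.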
Netskope claims to have identified HTML pages in Russian that, when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to avoid detection. The ZIP payload contains a nested RarSFX archive, which eventually leads to the DCRat malware deployment.
DCRat, which was first launched in 2018, can be used as a full-fledged backdoor and can be used with various plugins to expand its capabilities. It can run shell commands, record keystrokes, and exfiltrate data and credentials, among other things. Organisations should check HTTP and HTTPS traffic to verify that systems do not communicate with malicious domains.
The development comes as Russian businesses have been targeted by a threat cluster known as Stone Wolf, which tried to infect them with Meduza Stealer by sending phishing emails posing as legitimate providers of industrial automation systems.
"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE noted. "By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."
It also comes after the rise of malicious campaigns that most likely used generative artificial intelligence (GenAI) to write VBScript and JavaScript code used to propagate AsyncRAT via HTML smuggling.
"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security stated. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."