
In a recent threat intelligence report, the FortiMail Incident Response (IR) team exposed a new email campaign delivering DCRat, a powerful Remote Access Trojan (RAT), by impersonating a Colombian government agency. The attack, designed to compromise organizations in Colombia, employs a deeply obfuscated multi-stage infection chain, combining social engineering, steganography, and base64 encoding to deploy its malicious payload.
“The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection,” Fortinet notes. The phishing email, masked as a legitimate government message, lures victims into opening a ZIP archive containing a malicious batch file.
Once executed, this file fetches an obfuscated VBS script from a pastebin-like service, which in turn executes another obfuscated payload hidden within an image file—a textbook example of steganographic delivery.
DCRat is engineered with versatility in mind. According to Fortinet, the RAT exhibits the following core capabilities:
- Modular Architecture – Attackers can add or remove plugins to customize its behavior.
- Comprehensive Surveillance – Enables full control of infected systems, including command execution, user activity monitoring, and payload deployment.
- Credential and File Theft – Targets browser data, documents, screenshots, and user input via keylogging.
- System Manipulation – Capable of rebooting, creating accounts, or hiding UI elements.
- Persistence – Uses scheduled tasks or registry entries to ensure it runs on startup.
- Anti-Analysis Tactics – Includes anti-VM checks, AMSI bypass, and a failsafe BSOD mechanism if detection is imminent.
Fortinet explains:
“If BS_OD…was set to true and the user had administrative privileges, the code would attempt to mark the malware process as a critical system process… terminating such a process would trigger a blue screen of death.”
The attack chain is intricate and layered:

- Stage 1: A BAT file drops a VBS script into the C:\Windows\Temp directory.
- Stage 2: This script decodes a base64-encoded string, yielding another obfuscated PowerShell loader.
- Stage 3: The loader downloads an image with a .NET executable hidden inside it; the executable is extracted from the image using steganographic techniques and then run.
Fortinet notes, “The base64 string in the reversed URL contains the RAT exe file.”
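The following Python script is an added triage example, not code from Fortinet's report or from the campaign itself: it carves a base64-encoded PE out of an arbitrary carrier file such as the Stage 3 image, trying each base64 run both as written and reversed, since the page places the payload's base64 inside a reversed string. The function names, the PNG-like carrier and the `FAKE_PE` blob are constructed placeholders; carved data is hashed for analysis, never executed.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# Base64 runs long enough to plausibly carry an executable; shorter runs are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def _decode_padded(candidate: bytes) -> Optional[bytes]:
    """Decode a base64 run, restoring padding lost when the string was reversed or cut."""
    padded = candidate + b"=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def carve_embedded_pe(data: bytes) -> list:
    """Return each base64 run in `data` that decodes to an MZ (PE) header.
    Runs are tried as written and reversed, since the loader on this page stores
    the payload's base64 inside a reversed string; hits carry offset, size and hash.
    """
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        for orientation, candidate in (("forward", run), ("reversed", run[::-1].lstrip(b"="))):
            blob = _decode_padded(candidate)
            if blob and blob.startswith(b"MZ"):
                hits.append({
                    "offset": match.start(),
                    "orientation": orientation,
                    "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "data": blob,
                })
                break
    return hits

# Constructed sample (not a real binary and not a real image): a placeholder MZ blob
# stored as reversed base64 between PNG-looking bytes, mimicking the Stage 3 carrier.
FAKE_PE = b"MZ" + b"\x90" * 120 + b"PE\x00\x00" + b"constructed-placeholder"
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    + base64.b64encode(FAKE_PE)[::-1]  # reversed, as the page describes
    + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in carve_embedded_pe(SAMPLE_IMAGE):
        print(f"offset={hit['offset']} {hit['orientation']} size={hit['size']} sha256={hit['sha256']}")
```

To triage a suspect carrier, pass `open(path, "rb").read()` to `carve_embedded_pe` and submit the hashed `data` field to a sandbox rather than running it.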
The final payload—a compiled .NET-based DCRat binary—decrypts AES256-encrypted settings including:
- C2 host: 176.65.144.19
- Port: 8848
- Group: AU
- Mutex: DcRatMutex_qwqdanchun
It then attempts to connect to a command-and-control server in a loop, either using the hardcoded IP or dynamically fetching the address from a remote Pastebin-style URL.
To maintain stealth, the malware calls an Amsi.Bypass function:
“It proceeds to load amsi.dll into memory and retrieves the address of the AmsiScanBuffer function… then attempts to inject a patch… to sabotage or disable AMSI’s ability to detect malicious code.”
Additionally, DCRat manipulates system settings to obstruct administrative recovery:
- Deletes windir from user environment variables
- Disables .msc tools like services.msc
- Disrupts the ms-settings: URI, making system settings inaccessible
The campaign’s targets—Colombian entities—are not coincidental. The attacker’s impersonation of a government institution enhances the believability of the phishing emails. Fortinet summarizes the impact:
“Giving a threat actor direct access to a victim’s machine can result in the theft of sensitive data, system compromise, and significant operational or financial damage.”