rat

An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data.

The malware campaign uses a decoy site to lure users into fake news bulletins that supposedly contain unreleased information about the situation in Ukraine.

These sites offer malicious documents that install a custom RAT that supports remote command execution and file operations.

The campaign was uncovered by threat analysts at Malwarebytes, who have provided all the details and indicators of compromise in their write-up.

Campaign details

The domain used in these attacks is "collaboration-bw[.]de," which the threat actor registered when the domain expired and then cloned the look of the real site.

Real and fake site
Real and fake site (Malwarebytes)

Visitors of the site will find a file called "2022-Q2-Bedrohungslage-Ukraine," promising information about the situation in Ukraine and offered for free download.

The news lure and the download button
The news lure and the download button (Malwarebytes)

The corresponding section on the site claims that the document is constantly updated with new information, so users are urged to get a fresh copy every day.

The downloaded ZIP archive contains a CHM file consisting of several compiled HTML files. If the victim opens it, they are served a bogus error message.

The error message served upon execution
The error message served upon execution (Malwarebytes)

In the background, however, the file triggers PowerShell that runs a Base64 deobfuscator leading to fetching and executing a malicious script from the fake site.

The script that fetches the payload
The script that fetches the payload (Malwarebytes)

The script eventually drops two files onto the victim's computer, the RAT in .txt file form and a .cmd file that helps execute it through PowerShell.

PowerShell RAT

The custom PowerShell RAT that hides in "Status.txt" begins its malicious operation by collecting basic system information and assigning a unique client ID.

This information and anything else stolen from the host computers is exfiltrated to a German domain, "kleinm[.]de".

To bypass Windows AMSI (Anti-malware Scan Interface), the RAT uses an AES-encrypted function named "bypass," decrypted on the fly using a generated key.

Bypass function details
Bypass function details (Malwarebytes)

The main capabilities of the RAT are the following:

  • Download files from the C2 server
  • Upload files to the C2 server
  • Load and execute a PowerShell script
  • Execute a specific command

However, Malwarebytes does not give specific examples of how the threat actor used the RAT and its capabilities in the wild, so the campaign's goals remain unknown.

"It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution," explains Malwarebytes in the report.

"Based on motivation alone, we hypothesize that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak."

The critical takeaway is to be cautious with file downloads from the web, as even known and previously trustworthy websites may have quietly changed hands.

When it comes to news sites like this one, offering stories in file format instead of hosting everything on a web page is rarely justified by legitimate reasons, so treat it as a red flag.

Related Articles:

Fake job interviews target developers with new Python backdoor

Firebird RAT creator and seller arrested in the U.S. and Australia

New Bifrost malware for Linux mimics VMware domain for evasion

New Brokewell malware takes over Android devices, steals data

Russian Sandworm hackers targeted 20 critical orgs in Ukraine