If you’re an avid follower of cybersecurity developments, then you’ll love this piece we’re sharing today. A fascinating tale from the front lines of cybersecurity, originally shared by our friends over at eSentire, it tells of new threats, relentless vigilance, and the battles that never cease in the fight to protect our digital world.
All credit goes to the experts at eSentire for their diligent investigation and insightful analysis.
Night or Day, the Battle Rages On
In the digital landscape, threats don’t adhere to regular working hours, and neither do the heroes at eSentire. Their Security Operations Centers (SOCs) work tirelessly, manned by Threat Hunters and Cyber Analysts who are always ready to hunt down, investigate, and respond to threats – often within mere minutes.
They’re responsible for unearthing some of the most formidable threats and nation-state attacks in cyberspace, including the infamous Kaseya MSP breach and the notorious more_eggs malware. Powering their operations are the combined efforts of Threat Intelligence, Tactical Threat Response, and Advanced Threat Analytics – all orchestrated by the dedicated Threat Response Unit (TRU) team.
TRU Positives: Tales from the Trenches
In their series titled “TRU Positives,” eSentire’s TRU provides a detailed account of recent threat investigations, the actions they took, and their recommendations moving forward. Today, we’re bringing you one of their latest findings.
Meet DcRAT
Back in May 2023, the team at eSentire identified DcRAT, a clone of AsyncRAT, in a consumer services customer environment. With its capabilities for info-stealing and ransomware, DcRAT poses a significant threat. Currently, it’s being disseminated using explicit lures related to OnlyFans pages and other adult content.
The victims are tricked into downloading Zip files carrying a VBScript loader, which they then manually execute. The file names suggest that the victims are enticed with explicit photos or OnlyFans content from various adult film actresses.
eSentire couldn’t pinpoint how victims received the Zip file in the May case due to telemetry limitations. However, an analysis of samples submitted to VirusTotal showed that this activity can be traced back to January 2023, with the most recent samples submitted on June 4, 2023.
The Technical Details
The VBScript loader used here (MD5 43876a44cc7736ff6432cb5d14c844fe) is a slightly modified version of a VBScript file analyzed by Splunk in 2021. The original printer-related Windows script was manipulated to include the loader, keeping the overall functionality largely the same.
The payload, dynwrapx.dll, and shellcode are embedded in the file, hex encoded, reversed, and interspersed with meaningless characters. These strings are reversed and the extraneous characters replaced during runtime.
When it comes to the payload, in the observed instances, it was DcRAT, injected into RegAsm.exe. This Remote Access Tool is a modified version of the popular AsyncRAT, the code for which is available on GitHub. However, the creator chose to archive it in February 2022 due to “abuse.”
Distinguishing DcRAT from AsyncRAT
DcRAT can easily be mistaken for AsyncRAT by antivirus software or malware sandboxes due to their shared codebase. You can, however, identify DcRAT by examining the PBKDF2 salt value using a tool like dnSpy, looking at the decrypted configuration where the mutex contains DCstringRatMutexqwqdan3chun, or by analyzing the X509Certificate.
Learning from This Case
This case underscores several key insights:
- Both low-skilled and sophisticated actors often adopt open-source security tools and malware.
- Lures related to adult content decrease the likelihood of victims self-reporting.
- DcRAT provides multiple methods for monetizing infected systems, including file stealing, credential theft, and ransomware.
- RATs like DcRAT and AsyncRAT, while freely available, can be potent tools for fraud, initial access, or ransomware when coupled with a crypter or loader that can evade defenses.
- Public samples linked to this activity date back to January 2023 and haven’t significantly changed, suggesting that the operators, using free malware and a publicly known VBS loader, have likely seen some success over this six-month period.
eSentire’s TRU team recommends training users to identify and report potentially malicious content, restricting the execution of script files such as .vbs, creating new “Open With” parameters for script files to open with notepad.exe, and configuring Attack Surface Reduction rules to block JavaScript or VBScript from launching downloaded executable content. In addition, ensuring antivirus signatures are up-to-date and using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool can help protect against malware.
Thank you to eSentire for sharing this gripping tale from the cybersecurity front lines. As we cover these stories, we hope to promote better understanding and awareness of cybersecurity threats and measures. Stay tuned for more updates, and until then, stay cyber safe.
