216.73.216.67

DCRAT Impersonating the Colombian Government

· Published 02/07/2025 15:23 · Modified 02/07/2025 16:36

Export JSON

Essential information

Published
02/07/2025 15:23
Modified
02/07/2025 16:36
Tags
2025-07-02 colombia credential harvesting dcrat obfuscation persistence phishing remote access trojan steganography
Related entities
8 observables, 21 techniques (mitre), 1 malware, 2 others

Description

A new email attack distributing , a , has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in . The attack employs multiple evasion techniques, including password-protected archives, , , base64 encoding, and multiple file drops. features a modular architecture, comprehensive surveillance capabilities, information theft functions, system manipulation tools, file and process management, and browser . The attack chain involves a email with a ZIP attachment containing a bat file, which drops an obfuscated vbs file. This file eventually runs a base64-encoded script that downloads and executes the final payload. The RAT employs various mechanisms and anti-analysis techniques. It attempts to bypass Windows Antimalware Scan Interface (AMSI) and continuously tries to connect to its command-and-control server.

External references