"The best and cheapest" software aimed at the business of the Russian Federation.
At the end of 2023, F. A. C. C. T. Threat Intelligence specialists discovered a large-scale phishing campaign aimed at Russian companies. The criminal group used the remote access Trojan DarkCrystal RAT to attack various sectors, including marketplaces, banks, IT and construction. The attackers' goal was to break into internal financial and legal systems and to gain access to client databases and corporate accounts.
According to the company, DarkCrystal RAT went on sale in 2019. The RAT can take screenshots, intercept keystrokes, and steal various types of data from the system, including bank card data, cookies, passwords, browser history, clipboard contents, and Telegram, Steam, Discord, and FileZilla accounts. The malware itself is written in C# and has a modular structure.
During the analysis of intercepted messages, experts identified a new type of remote access Trojan, called RADX.
Distribution methods
Criminals used various malware distribution schemes. For example, in November 2023, attackers sent phishing emails with the subject "Server payment" from the address sergkovalev@b7s[.]en. They contained two types of attachments: "screen of payment for the server.zip" or "payment screen for сервер.pdf.zip". The first archive contained the file "server payment screen.scr", which installs the remote access Trojan DarkCrystal RAT on the victim's computer. In this case, the command center (C2) of the DarkCrystal RAT is the IP address 195.20.16[.]116.
The second archive contained the loader "payment screen for сервер.pdf.exe", which installed previously unknown malware. During the analysis, the company gave it the name RADX RAT.
In December, a new wave of mailings followed with the topics "Payment confirmation", "Payment failed" and "Agrokombinat GC".
The company found that the attackers sent two different archives with the same name "Payment order No. 24754 of December 4, 2023 г..jpg.zip". The first contained an .SCR file, the second an executable EXE, which also installs DarkCrystal RAT.
In the case of emails with the subject "Agrokombinat GC", the attackers delivered a link to a password-protected archive "TZ_Maket_DopInfo.zip":
The second archive contained a "payment screen for сервер.pdf.exe", which installs a malicious program other than DarkCrystal RAT on the victim's computer, disguised as the executable file AppLaunch.exe.
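The lures above all rely on the same tricks: an executable extension (.scr, .exe) hidden behind a document-like one (.pdf, .jpg), mixed Latin and Cyrillic characters in one filename, and a password-protected archive that blocks inspection. The following is an added example (not F. A. C. C. T.'s code) of a mail-gateway style check that flags such attachment names and inspects archive members; the sample zip is constructed inline with an inert text member under one of the lure names from the article.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is a PE executable,
# which is what the "server payment screen.scr" lure relies on.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi"}
# Extensions the lures imitate in the inner part of the name (".pdf.exe", ".jpg.zip").
DOCUMENT_EXTS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx"}


def classify_attachment_name(name: str) -> list[str]:
    """Return the reasons an attachment name looks deceptive; [] means no finding."""
    reasons = []
    lowered = name.lower().strip()
    tokens = lowered.split(".")
    if len(tokens) < 2:
        return reasons
    ext = tokens[-1]
    inner = tokens[-2] if len(tokens) >= 3 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if inner in DOCUMENT_EXTS and ext != inner:
        reasons.append(f"document-like inner extension .{inner} before .{ext}")
    # A single name mixing scripts ("payment screen for сервер") is a lure indicator.
    if re.search(r"[a-z]", lowered) and re.search(r"[а-яё]", lowered):
        reasons.append("mixed Latin and Cyrillic characters")
    return reasons


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each archive member to its findings; encrypted members are flagged too,
    since a password-protected archive (like TZ_Maket_DopInfo.zip) cannot be scanned."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flags = classify_attachment_name(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                flags.append("password-protected member")
            if flags:
                findings[info.filename] = flags
    return findings


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: a zip holding one harmless text member under a lure name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed sample, not an executable")
    return buf.getvalue()
```

A gateway would quarantine any message where `inspect_zip` returns a non-empty result or where the archive cannot be opened without a password.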
Threat Intelligence specialists found a malware family called RADX RAT on sale on an underground forum. This RAT has been on sale since October 2023, where it was advertised as "the best and cheapest software for working with remote access and collecting classified information." The discounted price for a one-week Trojan rental was only 175 rubles, and for a three-month rental 475 rubles. The attackers also offered a stealer program that steals passwords and other data from the system.
Technical details and indicators of RADX RAT compromise can be found on the F. A. C. C. T. Threat Intelligence blog.