Source: RiskIQ
Identifier: 8590706
Publication date: 2024-10-02 20:08:02 (viewed: 2024-10-02 20:18:09)
Title: DCRat Targets Users with HTML Smuggling
Text:
## Snapshot
Netskope researchers discovered a campaign targeting Russian-speaking users with DCRat delivered through HTML smuggling, a technique not previously observed for deploying this malware.
## Description
DCRat, also known as Dark Crystal RAT, is a modular remote access Trojan that has been offered as malware-as-a-service since 2018. It is capable of executing shell commands, logging keystrokes, and exfiltrating files and credentials.
HTML smuggling involves embedding a payload within HTML or retrieving it from a remote resource, often obfuscated to bypass security measures. Once rendered in the browser, the payload is transformed into its original form and written to disk, sometimes requiring user interaction.
The threat actor used fake HTML pages impersonating TrueConf and VK Messenger, which downloaded a password-protected ZIP archive containing the malware. The password "2024" was provided on the HTML page. The ZIP file contained a RarSFX archive with a batch file and another password-protected RarSFX archive, which executed the DCRat payload. The DCRat executables were packed with ENIGMA and VMProtect and had a compilation timestamp of May 4, 2022, indicating reuse of older builds.
The use of password protection is a tactic to evade detection, as security tools cannot access the password to examine the payload. The nested RarSFX archives technique was used to bypass the need for user-supplied passwords, but the initial ZIP file still required a password, which was provided on the HTML page. This approach was effective in evading detection mechanisms.
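The point above is that a password-protected archive cannot be opened for inspection, but its headers still tell a gateway or sandbox that it is encrypted and what the member names are. The following added example (not code from Netskope, Microsoft or RiskIQ) shows that triage step in Python: it reads the ZIP central directory without extracting anything, checks the "encrypted" bit of each member's general-purpose flag, and looks for executable member names such as a self-extracting archive. The verdict labels, the extension list and the two sample archives are assumptions constructed for the example; `mark_encrypted` only sets the flag bit on a plain archive to simulate the header state of a real password-protected one.

```python
"""Header-only triage of a ZIP attachment: is it encrypted, and does it carry executables?"""
import io
import struct
import zipfile

# Assumed list of member extensions treated as executable (RarSFX archives are .exe)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs")


def triage_zip(data: bytes) -> dict:
    """Inspect the central directory only; never extracts member content."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    members = [i.filename for i in infos]
    # Bit 0 of the general-purpose flag marks a member as encrypted
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    executables = [n for n in members if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    if encrypted and executables:
        verdict = "block"       # cannot be inspected and contains an executable
    elif encrypted:
        verdict = "detonate"    # content unreadable statically: send to sandbox
    else:
        verdict = "inspect"     # normal static scanning applies
    return {"members": members, "encrypted": encrypted,
            "executables": executables, "verdict": verdict}


def build_zip(members: dict) -> bytes:
    """Build an uncompressed ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set the encrypted bit in every local file header (flags at offset 6)
    and central directory entry (flags at offset 8). This simulates the header
    state of a password-protected ZIP for testing; member data is untouched."""
    buf = bytearray(data)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + offset)[0]
            struct.pack_into("<H", buf, pos + offset, flags | 0x1)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


# Constructed samples: a "password-protected" ZIP holding an SFX-style .exe name,
# and a plain ZIP holding a document. Neither contains real malware or real code.
SUSPICIOUS_ZIP = mark_encrypted(build_zip({"installer_sfx.exe": b"constructed placeholder bytes"}))
BENIGN_ZIP = build_zip({"report.pdf": b"constructed placeholder bytes"})

if __name__ == "__main__":
    print(triage_zip(SUSPICIOUS_ZIP))
    print(triage_zip(BENIGN_ZIP))
```

In a mail or proxy pipeline the "detonate" verdict is the useful one: the archive is not inherently malicious, but since static scanners cannot see inside it, it should be routed to detonation or held until a user-supplied password can be applied in a sandbox.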
## Microsoft Analysis
Through open-source intelligence (OSINT) community signals, Microsoft security researchers observed a shift in HTML smuggling from deploying banking trojans to launching remote access trojans (RATs), with an uptick in HTML smuggling RAT campaigns such as AsyncRAT/NJRAT in late June 2021. After further research and analysis, Microsoft alerted the community over social media on July 23.
HTML smuggling uses legitimate features of HTML5 and JavaScript – supported by all modern browsers – to generate malicious HTML behind the firewall. While disabling JavaScript could mitigate the threat, JavaScript must remain in operation to render legitimate business and other non-malicious web pages.
Another option involves developing signatures for content inspection to detect implementations of HTML smuggling. However, due to obfuscation and other JavaScript techniques, HTML smuggling could be coded in an unlimited number of ways.
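To make the signature-versus-obfuscation trade-off concrete, here is an added example (not code from Netskope, Microsoft or RiskIQ) of a heuristic content-inspection check in Python. It extracts inline script bodies from an HTML page, undoes three cheap obfuscation forms the page text alludes to (hex escapes, string concatenation such as `"a" + "tob"`, and bracket property access such as `window["atob"]`), and scores the script against the browser APIs a smuggled download needs rather than matching any single string. It also flags a visible "password" hint, since this campaign printed the archive password on the page. The indicator names, weights, threshold and the two sample pages are assumptions constructed for the example; the sample payload is harmless text.

```python
"""Heuristic detection of HTML smuggling indicators in an HTML document."""
import base64
import re
from html.parser import HTMLParser

# (name, pattern, weight): assumed values; the combination of hits matters, not one string
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 1),
    ("blob_construct", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"\bcreateObjectURL\s*\("), 2),
    ("legacy_save_blob", re.compile(r"\bmsSave(?:OrOpen)?Blob\b"), 2),
    ("download_attribute", re.compile(r"""\.download\s*=|setAttribute\s*\(\s*['"]download['"]"""), 2),
    ("byte_array", re.compile(r"\bUint8Array\b"), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("large_embedded_blob", re.compile(r"""['"][A-Za-z0-9+/=]{512,}['"]"""), 3),
]
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)
THRESHOLD = 6  # assumed score at which a page is reported

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_STR_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
_BRACKET_PROP = re.compile(r"""\[\s*(['"])(\w+)\1\s*\]""")


class _PageSplitter(HTMLParser):
    """Collect inline <script> bodies separately from the visible page text."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def normalize(js: str) -> str:
    """Undo \\xNN escapes, 'a'+'tob' concatenation and obj["name"] access."""
    js = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)
    previous = None
    while previous != js:  # each pass joins one adjacent pair; loop until stable
        previous = js
        js = _STR_CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return _BRACKET_PROP.sub(lambda m: "." + m.group(2), js)


def scan_html(html: str) -> dict:
    """Return the indicator hits, the summed score and whether it crossed THRESHOLD."""
    parser = _PageSplitter()
    parser.feed(html)
    hits, score = [], 0
    for script in parser.scripts:
        js = normalize(script)
        for name, pattern, weight in INDICATORS:
            if name not in hits and pattern.search(js):
                hits.append(name)
                score += weight
    if parser.text and PASSWORD_HINT.search(" ".join(parser.text)):
        hits.append("password_hint_in_text")  # archive password printed on the page
        score += 1
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


# Constructed samples, not taken from the campaign. The "payload" is plain text.
SMUGGLING_SAMPLE = """<html><body>
<p>Your archive password is 2024</p>
<script>
var d = "%s";
var blob = new Blob([window["a" + "tob"](d)], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "update.zip";
a.click();
</script></body></html>""" % base64.b64encode(b"constructed harmless test bytes " * 40).decode()

BENIGN_SAMPLE = """<html><body><span id="out"></span>
<script>
var token = atob("dGVzdA==");
document.getElementById("out").innerText = token;
</script></body></html>"""

if __name__ == "__main__":
    print(scan_html(SMUGGLING_SAMPLE))
    print(scan_html(BENIGN_SAMPLE))
```

The benign page scores only on `atob`, which many legitimate sites use, while the smuggling-style page crosses the threshold through the combination of decode, Blob construction, object URL, download attribute, synthetic click and a large embedded blob. The normalization only covers the cheapest obfuscations; as the text notes, a determined author can encode the same logic in an unlimited number of ways, so a check like this belongs beside behavioural controls (SmartScreen, network protection, file-association hardening) rather than replacing them.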
## Recommendations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations:
- Prevent JavaScripts from launching automatically by changing file associations for .js and .jse files.
- Create new Open With Parameters in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options.
- Create parameters for .jse and .js file extensions, associating them with notepad.exe or another text editor.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2) activity, including mobile devices.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
- Only install apps from trusted sources, such as the software platform's official app store. Third-party sources might have lax standards for hosted applications, making it easier for malicious actors to upload and distribute malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enabl
Notes: ★★
Sent: Yes
Tags: Spam, Malware, Tool, Vulnerability, Threat, Mobile