A sophisticated email-based attack distributing a Remote Access Trojan (RAT) known as DCRat was recently identified by the FortiMail IR team, specifically targeting organizations in Colombia.
The campaign, impersonating a Colombian government entity, leverages advanced evasion techniques to compromise Microsoft Windows systems.
Rated high severity, the threat aims to take control of infected devices and harvest sensitive information, posing significant risk to affected users.
New Phishing Campaign Uncovered in Colombia
The attack chain involves phishing emails with malicious attachments that, once executed, initiate a multi-stage payload delivery process designed to bypass detection and establish persistent access for the threat actor.

The attack begins with a phishing email that carries a password-protected ZIP archive; the recipient is often placed in the BCC field to obscure the distribution list.
Inside, a .bat file triggers the download of an obfuscated VBS script from a pastebin-like website to the C:\Windows\Temp directory.

Fortinet reports that this script, laden with junk code and obfuscation, executes a base64-encoded payload that ultimately retrieves a .NET library hidden inside an image file via steganography.
Technical Breakdown of DCRat’s Capabilities
The final stage involves downloading an executable RAT file from a reversed URL to C:\Users\Public\Downloads, which is then decrypted using a hardcoded AES256 key.
DCRat’s modular architecture allows attackers to customize its behavior with plugins for specific malicious activities.
Its comprehensive capabilities include remote system control, file and process management, browser data harvesting, credential theft, keylogging, and screenshot capture.
It can also manipulate the system, for example rebooting it, changing the wallpaper or creating accounts, and employs anti-analysis techniques such as mutex creation and process termination to evade detection.
If configured, it can even mark itself as a critical process to trigger a Blue Screen of Death upon termination under administrative privileges.
For persistence, DCRat either schedules tasks via schtasks or sets registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
It also disables Windows Antimalware Scan Interface (AMSI) by patching memory buffers and enters an infinite loop to maintain connection with its command-and-control (C2) server at 176.65.144.19:8848, ensuring continuous communication for further exploitation.
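The delivery chain above (script dropped to C:\Windows\Temp, payload written to C:\Users\Public\Downloads) and the persistence and C2 behaviour in this section can be turned into simple endpoint detection logic. The following is an added example, not Fortinet's or DCRat's code: it runs a handful of rules over constructed, Sysmon-like events (the file names update.vbs and svc.exe are hypothetical; the paths, Run key and C2 address are the ones stated in the article) and rates the result.

```python
"""Added example (not Fortinet's or DCRat's code): detection pass over constructed Sysmon-like events."""
C2_ADDRESS = "176.65.144.19:8848"                                # from the advisory
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"  # from the advisory
STAGING = ("c:\\windows\\temp\\", "c:\\users\\public\\downloads\\")  # drop dirs from the advisory

# Constructed sample telemetry; file names update.vbs and svc.exe are hypothetical.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\Temp\update.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Temp\update.vbs"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe", "target": r"C:\Users\Public\Downloads\svc.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\Public\Downloads\svc.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn svc /tr C:\Users\Public\Downloads\svc.exe"},
    {"type": "network_connect", "image": r"C:\Users\Public\Downloads\svc.exe", "dest": "176.65.144.19:8848"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign
]

def _in_staging(text):
    """True if the path or command line refers to one of the advisory's drop directories."""
    return any(d in text.lower() for d in STAGING)

def detect(events):
    """Return (rule_name, event_index) for every event matching one chain behaviour."""
    hits = []
    for i, ev in enumerate(events):
        kind, image, cmd = ev["type"], ev.get("image", "").lower(), ev.get("cmdline", "").lower()
        if kind == "file_create" and _in_staging(ev["target"]) and ev["target"].lower().endswith((".vbs", ".bat", ".exe")):
            hits.append(("payload_dropped_in_staging_dir", i))
        elif kind == "process_create" and image.endswith(("\\wscript.exe", "\\cscript.exe")) and _in_staging(cmd):
            hits.append(("script_host_run_from_staging_dir", i))
        elif kind == "process_create" and image.endswith("\\schtasks.exe") and "/create" in cmd and _in_staging(cmd):
            hits.append(("schtasks_persistence_to_staging_dir", i))
        elif kind == "registry_set" and ev["key"].lower().startswith(RUN_KEY) and _in_staging(ev["value"]):
            hits.append(("run_key_persistence_to_staging_dir", i))
        elif kind == "network_connect" and ev["dest"] == C2_ADDRESS:
            hits.append(("known_dcrat_c2_connection", i))
    return hits

def triage(events):
    """Severity from distinct behaviours seen: C2 contact or three or more stages is high."""
    rules = {name for name, _ in detect(events)}
    if "known_dcrat_c2_connection" in rules or len(rules) >= 3:
        return "high"
    return "medium" if rules else "none"

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), triage(SAMPLE_EVENTS))
```

The single-indicator rules (one dropped file, one Run key) are noisy on their own; the value is in correlating several stages on one host, which is what `triage` does.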
The impact of such an infection is profound, enabling attackers to steal sensitive data, disrupt operations, and cause financial damage through direct access to compromised systems.
Fortinet’s protections, including FortiMail, FortiGate, FortiClient, and FortiEDR, detect and block this malware as MSIL/Agent.CFQ!tr through the FortiGuard Antivirus service.
Additionally, FortiGuard CDR disarms malicious content, while IP Reputation and Anti-Botnet services proactively mitigate related threats.
Organizations are urged to leverage Fortinet’s free NSE training to educate users on phishing prevention and to contact the Global FortiGuard Incident Response Team if impacted.
Indicators of Compromise (IOCs)