FortiGuard Labs uncovers a phishing campaign using fake emails and UpCrypter malware to deliver RATs like PureHVNC and DCRat across industries.
Analysis Summary
# Phishing Campaign Targeting Companies via UpCrypter
FortiGuard Labs has identified a phishing campaign that uses carefully crafted emails to deliver malicious URLs pointing to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).
## Key Points
- The campaign uses different topics for variants of this phishing email.
- Phishing emails include fake voicemails and purchase orders with malicious attachments.
- The attack chain begins with a small, obfuscated script that redirects victims to a spoofed site personalized with the target’s email domain.
- UpCrypter is a JavaScript file that grabs the current script's full path, creates a Shell.Application object, and sets a variable named "gjxkd" to "powershell".
- Fortinet products such as FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service.
## Threat Actors
- Not specified in the article.
- However, the UpCrypter malware is associated with groups/campaigns that deploy remote access tools (RATs).
## TTPs
- Phishing emails are sent using different topics to lure victims.
- The attack chain includes a small, obfuscated script that redirects victims to a spoofed site personalized with the target’s email domain.
- UpCrypter is delivered via JavaScript files that act as droppers for RATs.
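The two traits listed under Key Points and TTPs (a landing URL personalized with the recipient's mail domain, and a JavaScript dropper that reads its own path, instantiates Shell.Application and holds a "powershell" string) can be turned into simple triage checks. The following is an added example written for this summary, not code from FortiGuard Labs or from the campaign; the indicator names, the scoring threshold, the sample snippets and the URLs are constructed assumptions, not a vendor signature or real IoCs.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Indicators modelled on the traits the report attributes to the dropper.
# Names and weights are assumptions for this example, not a FortiGuard signature.
JS_INDICATORS = {
    "script_full_path": re.compile(r"\bScriptFullName\b", re.I),
    "shell_application": re.compile(r"Shell\.Application", re.I),
    "activex_object": re.compile(r"\bActiveXObject\b", re.I),
    "powershell_literal": re.compile(r"[\"']powershell(\.exe)?[\"']", re.I),
    # short string fragments glued together ("pow" + "ershell") are a common
    # way to hide the literal above from naive string matching
    "split_string_concat": re.compile(
        r"[\"'][^\"']{1,8}[\"']\s*\+\s*[\"'][^\"']{1,8}[\"']"
    ),
}

# Matches a closing quote, "+", and a reopening quote of the same style.
CONCAT_RX = re.compile(r"([\"'])\s*\+\s*\1")


def normalize_concat(source: str) -> str:
    """Join adjacent string literals so "pow" + "ershell" reads as "powershell"."""
    return CONCAT_RX.sub("", source)


@dataclass(frozen=True)
class JsVerdict:
    hits: tuple
    score: int
    suspicious: bool


def scan_js_dropper(source: str, threshold: int = 3) -> JsVerdict:
    """Score a JavaScript file against the dropper indicators.

    Each indicator is searched in both the raw text (so the obfuscation
    pattern still fires) and the normalized text (so a split literal is
    still recognised). The verdict is 'suspicious' at or above `threshold`.
    """
    normalized = normalize_concat(source)
    hits = tuple(
        name for name, rx in JS_INDICATORS.items()
        if rx.search(source) or rx.search(normalized)
    )
    score = len(hits)
    return JsVerdict(hits, score, score >= threshold)


def url_personalized_for(url: str, recipient_email: str) -> bool:
    """True when a link embeds the recipient's address or mail domain in its
    path, query or fragment while being hosted somewhere else, which is the
    personalization trait described for the first-stage redirect."""
    email = recipient_email.lower()
    domain = email.rsplit("@", 1)[-1]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    haystack = unquote(parts.path + "?" + parts.query + "#" + parts.fragment).lower()
    return not host.endswith(domain) and (email in haystack or domain in haystack)


# Constructed sample inputs for demonstration only; they are not real samples.
SAMPLE_DROPPER_LIKE = r'''
var p = WScript.ScriptFullName;
var sh = new ActiveXObject("Shell.Application");
var gjxkd = "pow" + "ershell";
'''
SAMPLE_BENIGN = "document.getElementById('x').innerText = 'hello';"

if __name__ == "__main__":
    print(scan_js_dropper(SAMPLE_DROPPER_LIKE))
    print(scan_js_dropper(SAMPLE_BENIGN))
    print(url_personalized_for(
        "https://spoofed-site.invalid/auth?user=jane%40acme.example",
        "jane@acme.example",
    ))
```

Run against a quarantined attachment, the scanner is meant as a fast triage filter in front of a sandbox rather than a replacement for AV: the threshold keeps a single hit (a legitimate script that merely mentions PowerShell) from raising an alert, while the normalization step handles the split-string case that would otherwise slip past a literal search.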
## Affected Systems
- Microsoft Windows
## Mitigations
- Fortinet products such as FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service.
- Organizations can complete Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity to learn how to identify and protect themselves from phishing attacks.
## Conclusion
The phishing campaign targeting companies via UpCrypter delivers malicious URLs linked to convincing phishing pages. UpCrypter is a JavaScript file that deploys various remote access tools (RATs). Fortinet products support the FortiGuard AntiVirus service, which can help block these attacks.