# Full Report
Cisco Talos recently discovered a phishing campaign, run by an unknown threat actor, that uses the open-source phishing toolkit Gophish.
# Analysis Summary
# Threat Actor: Unknown Entity Utilizing Gophish, PowerRAT, and DCRAT
## Attribution & Identity
The threat actor is **unknown** and was discovered by Cisco Talos. No specific attribution or persistent naming convention (beyond the tools used) was provided in the source material.
## Activity Summary
The actor is running an active phishing campaign utilizing the open-source Gophish toolkit to deliver modular infection chains. These chains result in the deployment of either PowerRAT (an undocumented PowerShell RAT) or the known DCRAT. The campaign involves either malicious Microsoft Word documents (Maldocs) or HTML-based infections, both requiring user interaction to trigger.
## Tactics, Techniques & Procedures
- **Phishing:** Use of the Gophish framework delivered via email.
- **Initial Access/Execution (Maldoc Vector):** Execution of malicious VB Macros upon enabling content in a Word document.
- **Obfuscation/Steganography:** Hiding base64-encoded data blobs on the third page of the Word document by setting the text color to match the document background.
- **Data Extraction/Decoding:** A custom macro function (`CheckContent()`) locates the marker strings ("DigitalRSASignature:", "CHECKSUM") in the document text and decodes the base64 blob hidden between them.
- **File Dropping:** Dropping malicious files (`UserCache.ini.hta`, and `UserCache.ini`, a PowerShell loader) into the current user's profile folder.
- **Persistence Mechanism Abuse:** Hijacking the less commonly used Windows startup registry key `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LOAD` to execute the dropped HTA file upon user login.
- **Multi-Stage Infection:** HTA execution leads to the dropping and execution of malicious JavaScript, ultimately deploying the RAT payloads (PowerRAT or DCRAT).
- [No specific MITRE ATT&CK IDs were provided in the text.]
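As an added defender-side example (not code from the Talos report), the following Python scans a `.docx` for text runs whose explicit colour matches the page background and flags the marker strings and base64-looking blobs described above. The white (`FFFFFF`) background, the 40-character base64 threshold and the embedded sample document are assumptions constructed for the demonstration.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MARKERS = ("DigitalRSASignature:", "CHECKSUM")   # strings named in the report
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40-char threshold is an assumption

def find_hidden_text(docx_bytes, background="FFFFFF"):
    """Flag runs whose explicit colour equals the assumed page background (white)
    and whose text carries either a known marker string or a base64-looking blob."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    findings = []
    for run in root.iter(f"{{{W_NS}}}r"):
        color = run.find(f"{{{W_NS}}}rPr/{{{W_NS}}}color")
        if color is None:  # no explicit colour: rendered in the default, visible colour
            continue
        if color.get(f"{{{W_NS}}}val", "").upper() != background.upper():
            continue
        text = "".join(t.text or "" for t in run.iter(f"{{{W_NS}}}t"))
        has_marker = any(m in text for m in MARKERS)
        has_b64 = bool(B64_RUN.search(text))
        if has_marker or has_b64:
            findings.append({"text": text, "marker": has_marker, "base64": has_b64})
    return findings

def build_sample_docx(hidden_payload):
    """Constructed minimal .docx: one visible paragraph plus one white-on-white run
    laid out as the report describes (marker, blob, marker). Not a real sample."""
    body = (
        "<w:p><w:r><w:t>Visible invoice text</w:t></w:r></w:p>"
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        f"<w:t>DigitalRSASignature:{hidden_payload}CHECKSUM</w:t></w:r></w:p>"
    )
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    blob = base64.b64encode(b"constructed placeholder, not the real payload" * 2).decode()
    for finding in find_hidden_text(build_sample_docx(blob)):
        print(finding)
```

Runs styled with a theme colour rather than an explicit `w:color` value, or hidden by other means (tiny font, `w:vanish`), are not covered by this check.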
## Targeting
- **Sectors:** Not explicitly stated, but the targeting suggests users interacting with Russian-language platforms.
- **Geography:** High confidence assessment that the actor targets **Russian-speaking users** in regions including Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan, based on language and the use of lures related to Vkontakte (VK).
- **Victims:** No specific organizational victims were named.
## Tools & Infrastructure
- **Phishing Framework:** Gophish (Open-Source toolkit).
- **Malware Families Used:**
  - PowerRAT (undocumented PowerShell RAT).
  - DCRAT (remote access tool).
  - Malicious JavaScript, VBScript (within macros), and HTA files.
- **Infrastructure (Defanged):**
  - Hosting domain: `disk-yanbex[.]ru`
  - Hosting domain: `e-connection[.]ru`
  - Hosting IP/server: `34[.]236[.]234[.]165` (AWS EC2 instance, reverse-resolving to `ec2-34-236-234-165[.]compute-1[.]amazonaws[.]com`). This server hosted the Gophish toolkit on port 3333.
## Implications
This actor demonstrates capability in multi-stage infection chains, including the use of advanced obfuscation techniques (hidden text/decoding) and abusing lesser-known Windows persistence mechanisms (`LOAD` registry key). The introduction of a new, undocumented RAT (PowerRAT) alongside DCRAT suggests active tool development and a desire to maintain diverse offensive capabilities against Russian-speaking targets.
## Mitigations
- Implement robust email filtering and gateway protections to detect and block Gophish-delivered campaigns.
- Educate users about the risk of enabling content in Microsoft Office documents, since the infection requires user intervention (macro execution).
- Monitor Windows startup locations, specifically investigating unusual entries in the `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LOAD` registry key.
- Deploy endpoint detection and response (EDR) capable of monitoring complex PowerShell execution and HTA activity.
- Utilize network security solutions to block traffic to associated malicious domains and IPs.