PowerShell RAT Detection: Bespoke Malware Used to Fish for War-Related Intelligence

[post-views]
May 19, 2022 · 3 min read
PowerShell RAT

Germany-located users are falling victim to a new malware campaign designed to spread a custom-built PowerShell remote access trojan (RAT). Adversaries set up a decoy site to trick people into taking the bait in a phony newsflash that claims to offer previously unpublished information regarding the situation in Ukraine. Victims are urged to download a document that will provide more information on the matter. This weaponized file installs a custom RAT that enables attackers to perform remote command execution (RCE) on a compromised machine.

As the research data suggest, at the moment, there is not enough evidence to show who exactly is to be culpable for the attacks.

Detect PowerShell RAT

Detect whether your system was compromised with PowerShell RAT by identifying relevant malicious activity with a SIgma-based rule developed by seasoned Threat Bounty Program detection engineer Furkan Celik:

Detect Custom Created Powershell RAT Scheduled Tasks (via security)

The detection is available for the 16 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Scheduled Task/Job (T1053) as the main technique.

Established professionals in threat hunting and threat detection are welcomed to contribute to our global crowdsourcing initiative. Hold the defense line against emerging threats and monetize on your advanced cyber skills. Join the SOC Prime Threat Bounty Program and establish a stable income for your detection content — like SIGMA, Yara, and Snort rules.

View Detections Join Threat Bounty

PowerShell RAT Malware Analysis

Malwarebytes researchers have exposed PowerShell RAT, a piece of malware from a likely Russia-backed threat actor that targets users in Germany attempting to obtain war-related intelligence regarding the Ukrainian crisis. In the recent well-planned attack campaign, adversaries set up a bogus website leveraging an expired domain previously used for the governing purposes of the Baden-Württemberg state. Deceived site visitors were tricked into downloading a ZIP archive allegedly containing information on the threat situation in Ukraine for the second quarter of 2022, with regular updates when downloaded. What the offered file contained was a bespoke PowerShell RAT.

The ZIP file includes a CHM file with a number of compiled HTML files. Upon opening it, the victim is shown a bogus error notice. While in the background, the file starts PowerShell, which runs a Base64 deobfuscator before fetching and running a malicious script from the Baden-Württemberg bogus site. Finally, the script drops two files on the compromised machine: a .txt file with the PowerShell-written RAT and a .cmd file allowing PowerShell to launch it. The RAT fetches and uploads files from the C&C server, loads and runs a PowerShell script, and executes a specific command.

Attributing these attacks to Russia-sponsored threat actors would be quite speculative at the moment, but the adversaries’ motivation fits the pattern

Continuously adjusting defenses to outplay adversaries might seem challenging, yet united we stand! Tap into the power of the world’s largest cyber defense community of 23,000+ SOC professionals to augment your security practices with SOC Prime.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts