Unknown threat actors are infecting German users concerned about the situation in Ukraine with a bespoke PowerShell RAT (remote access trojan) and collecting their data. The operation uses a decoy site to trick people into clicking on phony news bulletins that claim to offer previously unpublished information on the situation in Ukraine.
These websites serve malicious documents that install a bespoke remote access trojan (RAT) capable of remote command execution and file manipulation. Malwarebytes threat analysts discovered the campaign and have detailed all of the information and indicators of compromise in their report.
The domain used in these attacks is “collaboration-bw[.]de.” It was registered after the original domain expired, and the site was then cloned to look like the original. Visitors to the site find a file titled “2022-Q2-Bedrohungslage-Ukraine,” which promises information on the situation in Ukraine and is offered as a free download. According to the corresponding section of the site, the document is continually updated with new material, so users are encouraged to download a fresh copy every day.
The downloaded ZIP archive contains a CHM file (a compiled collection of HTML files). When the victim opens it, they are shown a fake error message. In the background, however, the file invokes PowerShell, which runs a Base64 deobfuscator and then fetches and executes a malicious script from the fake site. That script finally drops two files on the victim’s computer: a .txt file containing the RAT and a .cmd file that lets PowerShell run it.
The malicious routine of the custom PowerShell RAT hidden in “Status.txt” starts by collecting basic system information and assigning a unique client ID. This data, along with everything else taken from the infected host, is sent to a German domain called “kleinm[.]de.”
The RAT employs an AES-encrypted function called “bypass” to bypass Windows AMSI (Anti-malware Scan Interface), which is decrypted on the fly using a generated key. The following are the RAT’s key capabilities:
- Download files from the C2 server
- Load and execute a PowerShell script
- Upload files to the C2 server
- Execute a specific command
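A defender-side check for the infection chain described above (the CHM helper spawning PowerShell, a Base64 deobfuscator delivered as an encoded command, and a .cmd launcher feeding a .txt file to PowerShell), written over Sysmon-style process-creation events. This is an added example, not code from the Malwarebytes report; the events, paths and command lines are constructed for illustration.

```python
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _enc(ps: str) -> str:
    """Encode a command the way -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (not taken from the report). The first mirrors the
# CHM stage, the second is benign admin activity, the third mirrors the .cmd launcher.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + _enc(
         "$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r'powershell.exe -nop -w hidden -c "gc C:\Users\Public\Status.txt | iex"'},
]

# -e, -enc and -EncodedCommand all take a Base64 argument.
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
# Script content hidden behind a non-script extension, as in Status.txt / the .cmd launcher.
NON_SCRIPT_EXT = re.compile(r"\.(?:txt|cmd)\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none is present or it is malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event: dict) -> list[str]:
    """Return the indicator names an event matches; an empty list means no finding."""
    hits = []
    parent, image, cmd = event["ParentImage"].lower(), event["Image"].lower(), event["CommandLine"]
    if parent.endswith(r"\hh.exe") and image.endswith("powershell.exe"):
        hits.append("chm_spawns_powershell")
    if "frombase64string" in decode_encoded_command(cmd).lower():
        hits.append("encoded_base64_deobfuscator")
    if parent.endswith(r"\cmd.exe") and image.endswith("powershell.exe") and NON_SCRIPT_EXT.search(cmd):
        hits.append("cmd_runs_powershell_from_txt")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ParentImage"], "->", classify(ev) or "clean")
```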
The campaign’s objectives remain unknown, as Malwarebytes did not provide concrete instances of how the threat actor used the RAT and its capabilities in the wild.
“It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution,” explains Malwarebytes. “Based on motivation alone, we hypothesize that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.”
The key takeaway is to exercise caution when downloading files from the internet, since even well-known and formerly trusted websites may have quietly changed ownership. A news site like this one rarely has a sound reason to offer its stories as downloadable files instead of presenting them on a web page, so treat that as a red flag.