We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain
Published on: 2025-05-20 06:30:00
The Acronis Threat Research Unit (TRU) was presented with an interesting threat chain and malware sample for analysis that involved a known cyberthreat along with some interesting twists in targeting and obfuscation.
In this article, we’ll dissect the complex malware delivery chain and tactics. The focus will be on a multi-stage infection process involving Visual Basic Script (VBS), a batch file, and a PowerShell script, ultimately leading to the deployment of high-profile malware like DCRat or Rhadamanthys infostealer.
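One defender-side check for the script-host chain described above (VBS via wscript.exe, then a batch file via cmd.exe, then PowerShell) is to look for that ancestry in process-creation telemetry. The block below is an added example, not code from Acronis TRU or the article; the event records are constructed samples and the `pid`/`ppid`/`image` field names are assumptions rather than any particular EDR or Sysmon schema.

```python
# Detect a wscript.exe -> cmd.exe -> powershell.exe process ancestry.
# Added example; the events and field names are constructed assumptions.

# Image names the chain is expected to walk through, outermost first:
# script host (VBS) -> command interpreter (batch) -> PowerShell.
CHAIN = ("wscript.exe", "cmd.exe", "powershell.exe")

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winrar.exe"},
    {"pid": 300, "ppid": 100, "image": "wscript.exe"},
    {"pid": 400, "ppid": 300, "image": "cmd.exe"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe"},
    {"pid": 600, "ppid": 100, "image": "powershell.exe"},  # benign: no chain
]


def ancestry(events, pid):
    """Return lower-cased image names from `pid` up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    lineage = []
    while pid in by_pid:
        event = by_pid[pid]
        lineage.append(event["image"].lower())
        pid = event["ppid"]
    return lineage


def find_script_chains(events, chain=CHAIN):
    """Return pids of processes whose ancestry contains `chain` in order.

    Unrelated processes may sit between the expected ancestors, so a
    wrapper such as conhost.exe in the middle does not hide the chain.
    """
    hits = []
    wanted = list(reversed(chain))  # leaf first, to match ancestry order
    for event in events:
        if event["image"].lower() != chain[-1]:
            continue
        matched = 0
        for image in ancestry(events, event["pid"]):
            if matched < len(wanted) and image == wanted[matched]:
                matched += 1
        if matched == len(wanted):
            hits.append(event["pid"])
    return hits


if __name__ == "__main__":
    print(find_script_chains(SAMPLE_EVENTS))  # [500]
```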
Initial Infection: The Deceptive Email Attachment
The infection begins with a seemingly innocuous email. The message contains a RAR archive attachment, cleverly named “Citación por embargo de cuenta,” which translates to “Summons for account garnishment.”
This filename is designed to evoke immediate concern and prompt Spanish-speaking recipients to open the attachment. Once the RAR archive is extracted, it reveals a Visual Basic script (VBS) file.
When executed, th