
New cyber threats - F.A.C.C.T experts

At the end of 2023, F.A.C.C.T. Threat Intelligence detected several phishing emails from a criminal group that uses the DarkCrystal RAT remote access trojan to attack Russian companies. Its targets included marketplaces, retail chains, banks, IT companies, telecommunications and construction companies.

DarkCrystal RAT (also known as DCRat) is a remote access Trojan that went on sale in 2019. The RAT (a "ratnik" in Russian underground slang) can take screenshots, log keystrokes and steal various types of data from the system, including bank card data, cookies, passwords, browser history, clipboard contents and Telegram, Steam, Discord and FileZilla accounts. The malware is written in C# and has a modular structure.

If successful, the attackers could gain access to companies' internal financial and legal documents, client databases, and accounts for email services and instant messengers. However, F.A.C.C.T. Managed XDR, the protection system against complex and unknown cyber threats, intercepted and blocked all phishing emails sent to our clients' email addresses.

Experts analyzed the contents of the mailings and discovered a new remote access Trojan, RADX. Anton Baranov, Threat Intelligence analyst at F.A.C.C.T., and Dmitry Kupin, head of the dynamic malware analysis department at F.A.C.C.T., describe it in more detail in a new blog post.

Let us briefly describe how events developed. In November 2023, the attackers sent phishing emails with the subject "Server payment" from sergkovalev@b7s[.]ru. They carried two types of attachments: "payment screen for the server.zip" or "payment screen for the server.pdf.zip". The first archive contained the file "server payment screen.scr", which installs the DarkCrystal RAT remote access trojan on the victim's computer. In this campaign, the DarkCrystal RAT command-and-control (C2) server is the IP address 195.20.16[.]116.

The second archive contained the “server payment screen.pdf.exe” loader, which installed malware previously unknown to us. During the analysis, we gave it the name RADX RAT.
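Both lures follow the same pattern: an archive whose name ends in a document extension, and inside it an executable (a ".scr" screensaver, or a ".pdf.exe" double extension) named to look like a payment screenshot. The following mail-gateway check is an added example written for this article, not F.A.C.C.T.'s tooling or code from their report; it walks a ZIP attachment (nested ZIPs included), flags members Windows would execute directly, flags the decoy-extension trick on both the archive and its members, and reports password-protected members it cannot inspect. The sample archives are constructed in memory with placeholder bytes that reuse the file names quoted above; the extension lists are this example's own assumptions about what to consider dangerous.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# Assumed list of file types Windows runs directly on double-click. A ".scr"
# screensaver is an ordinary PE executable with a different extension.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}
# Assumed document/image extensions that lures put in front of the real one
# ("screen.pdf.exe") so the visible name and icon look harmless.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
ARCHIVE_EXTS = {".zip"}


def classify_name(name: str) -> Optional[str]:
    """Verdict for one file name, or None if the name alone looks benign."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    prev = suffixes[-2] if len(suffixes) > 1 else None
    if last in EXECUTABLE_EXTS:
        return "double-extension executable" if prev in DECOY_EXTS else "executable"
    if last in ARCHIVE_EXTS and prev in DECOY_EXTS:
        return "archive disguised as a document"
    return None


def scan_attachment(name: str, data: bytes, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Walk a ZIP attachment, recursing into nested ZIPs, and list suspicious entries.

    Returns (path, verdict) pairs where path is 'outer.zip/inner.zip/member'.
    """
    findings: List[Tuple[str, str]] = []

    def walk(path: str, blob: bytes, depth: int) -> None:
        verdict = classify_name(path.rsplit("/", 1)[-1])
        if verdict:
            findings.append((path, verdict))
        if PurePosixPath(path).suffix.lower() not in ARCHIVE_EXTS:
            return
        if depth > max_depth:
            findings.append((path, "archive nested too deep"))
            return
        try:
            archive = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            findings.append((path, "unreadable archive"))
            return
        with archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member = f"{path}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted: content is hidden from the scanner
                    findings.append((member, "encrypted member"))
                    continue
                walk(member, archive.read(info), depth + 1)

    walk(name, data, 0)
    return findings


def build_sample_attachments() -> Dict[str, bytes]:
    """Constructed stand-ins for the two lure archives from the article plus one
    benign archive. Member contents are placeholder bytes, not real malware."""
    def make_zip(members: Dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for member_name, content in members.items():
                zf.writestr(member_name, content)
        return buf.getvalue()

    return {
        "payment screen for the server.zip": make_zip(
            {"server payment screen.scr": b"MZ placeholder"}),
        "payment screen for the server.pdf.zip": make_zip(
            {"server payment screen.pdf.exe": b"MZ placeholder"}),
        "invoice.zip": make_zip({"invoice.pdf": b"%PDF-1.4 placeholder"}),
    }


if __name__ == "__main__":
    for attachment_name, blob in build_sample_attachments().items():
        for path, verdict in scan_attachment(attachment_name, blob):
            print(f"{verdict:32} {path}")
```

Name-based checks are a first filter, not a replacement for content inspection: a gateway should also confirm that a ".pdf" member really starts with a PDF header and that any member starting with "MZ" is treated as an executable whatever it is called.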

Analyzing similar samples belonging to this family found on VirusTotal, we were able to find ASCII art “RAD-X” in one of them:

A RADX authorization form was also found:

Threat Intelligence specialists found the malware family, called RADX RAT, for sale on an underground forum. This RAT has been on sale since October 2023 and is advertised as "the best SOFTWARE for working with remote access and collecting secret information."

The sellers also position RADX as the "cheapest RAT" and offered it at New Year's discounts with a stealer bundled in. With the discount, renting RADX costs only 175 rubles per month, and a three-month rental costs 475 rubles.

A technical analysis of the RADX Trojan, including indicators of compromise and a complete MITRE ATT&CK mapping, is available in our blog.
