DCRAT Impersonating the Colombian Government

    Date: 07/02/2025

    Severity: Medium

    Summary

    A recent investigation uncovered a new email-based attack distributing a Remote Access Trojan known as DCRAT. The attacker is posing as a Colombian government entity to target organizations within Colombia. To evade detection, the threat actor employs several techniques, including password-protected archives, obfuscation, steganography, base64 encoding, and multiple file drops.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://paste.ee/d/jYHEqBJ3/0

    https://paste.ee/d/oAqRiS3g

    https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg

    IP Address

    176.65.144.19

    Hash

    db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590

    34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89

    b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8

    77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://paste.ee/d/jYHEqBJ3/0" or siteurl like "http://paste.ee/d/jYHEqBJ3/0" or url like "http://paste.ee/d/jYHEqBJ3/0" or domainname like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or siteurl like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or url like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or domainname like "https://paste.ee/d/oAqRiS3g" or siteurl like "https://paste.ee/d/oAqRiS3g" or url like "https://paste.ee/d/oAqRiS3g"

    Detection Query 2:

    dstipaddress IN ("176.65.144.19") or srcipaddress IN ("176.65.144.19")

    Detection Query 3:

    sha256hash IN ("77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe","db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590","34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89","b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8")
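    The three queries above match on URL, IP and SHA-256 fields respectively. The following is an added example, not part of the Gurucul advisory, that applies the same three checks to log records in Python so the logic can be tested offline. The field names (url, siteurl, domainname, srcipaddress, dstipaddress, sha256hash) are taken from the queries; the dictionary record layout, the sample records and the hit-string format are constructed for this example. It deliberately goes a little beyond the literal queries: URL matching ignores the scheme and host case, hash matching is case-insensitive, and a domainname field that carries only a host name is matched against the hosts of the listed URLs, since comparing a host-only field to a full URL (as Query 1 does) would never fire.

```python
"""Added example: apply the advisory's three IOC checks to constructed log
records.  Not code from the advisory or from Gurucul."""

from urllib.parse import urlsplit

# IOCs copied from the advisory's IOC list.
IOC_URLS = {
    "http://paste.ee/d/jYHEqBJ3/0",
    "https://paste.ee/d/oAqRiS3g",
    "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg",
}
IOC_IPS = {"176.65.144.19"}
IOC_SHA256 = {
    "db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590",
    "34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89",
    "b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8",
    "77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe",
}

# Field names as used in the advisory's detection queries.
URL_FIELDS = ("url", "siteurl", "domainname")
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("sha256hash",)


def url_key(value):
    """Normalise a URL to lower-cased host plus path (no scheme, no trailing
    slash) so http:// and https:// forms of one paste compare equal.  The
    path keeps its case because paste IDs are case-sensitive."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # bare host or host/path
    parts = urlsplit(value)
    return parts.netloc.lower() + parts.path.rstrip("/")


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).netloc.lower() for u in IOC_URLS}


def match_record(record):
    """Return the list of IOC hits for one log record (empty when clean)."""
    hits = []
    for field in URL_FIELDS:
        value = record.get(field)
        if not value:
            continue
        key = url_key(value)
        if key in IOC_URL_KEYS:
            hits.append(f"{field}: url {value}")
        elif field == "domainname" and key in IOC_HOSTS:
            # Host-only field: match against the IOC URL hosts (assumption,
            # broader than the advisory's full-URL comparison).
            hits.append(f"{field}: host {value}")
    for field in IP_FIELDS:
        if record.get(field) in IOC_IPS:
            hits.append(f"{field}: ip {record[field]}")
    for field in HASH_FIELDS:
        value = record.get(field)
        if value and value.strip().lower() in IOC_SHA256:
            hits.append(f"{field}: sha256 {value.strip().lower()}")
    return hits


def scan(records):
    """Return (index, hits) for every record that has at least one hit."""
    results = []
    for i, record in enumerate(records):
        hits = match_record(record)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records; not real telemetry.
SAMPLE_RECORDS = [
    {"srcipaddress": "10.20.30.40", "dstipaddress": "176.65.144.19"},
    {"url": "https://paste.ee/d/jYHEqBJ3/0"},  # https, IOC lists http
    {"sha256hash": "DB21CC64FB7A7ED9075C96600B7E7E7007A0DF7CB837189C6551010A6F828590"},
    {"domainname": "ia601205.us.archive.org"},
    {"url": "https://paste.ee/d/someotherpaste", "srcipaddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(f"record {index}: {'; '.join(hits)}")
```

    Records 0 to 3 produce hits and record 4 does not; the last record shows that a different paste on the same host is not flagged through the url field, only an exact host-plus-path match is.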

    Reference:

    https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government

    Tags

    Malware, RAT, Colombia, Government Services and Facilities, DCRAT
