Date: 07/02/2025
Severity: Medium
Summary
A recent investigation uncovered a new email-based attack distributing a Remote Access Trojan known as DCRAT. The attacker is posing as a Colombian government entity to target organizations within Colombia. To evade detection, the threat actor employs several techniques, including password-protected archives, obfuscation, steganography, base64 encoding, and multiple file drops.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | http://paste.ee/d/jYHEqBJ3/0
URL/Domain | https://paste.ee/d/oAqRiS3g
URL/Domain | https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg
IP Address | 176.65.144.19
SHA-256 Hash | db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590
SHA-256 Hash | 34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89
SHA-256 Hash | b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8
SHA-256 Hash | 77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/domain indicators):
domainname like "http://paste.ee/d/jYHEqBJ3/0" or siteurl like "http://paste.ee/d/jYHEqBJ3/0" or url like "http://paste.ee/d/jYHEqBJ3/0" or domainname like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or siteurl like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or url like "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg" or domainname like "https://paste.ee/d/oAqRiS3g" or siteurl like "https://paste.ee/d/oAqRiS3g" or url like "https://paste.ee/d/oAqRiS3g"
Detection Query 2 (IP address indicator):
dstipaddress IN ("176.65.144.19") or srcipaddress IN ("176.65.144.19")
Detection Query 3 (SHA-256 hash indicators):
sha256hash IN ("77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe","db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590","34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89","b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8")
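The three queries above express one idea: compare the URL, IP and SHA-256 fields of each event against the indicators in the IOC list. The following script is an added example, not Gurucul's code or part of the TDIR product; it applies the same three checks to log records offline so an analyst can verify what each query would catch. The field names (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash) are taken from the queries on this page; the sample records at the bottom are constructed, and the normalisation choices (lower-casing hashes, lower-casing only the scheme and host of a URL) are this example's assumptions, not behaviour the page specifies.

```python
"""Offline IOC matcher for the DCRAT advisory above (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Indicators copied verbatim from this advisory's IOC list.
IOC_URLS = {
    "http://paste.ee/d/jYHEqBJ3/0",
    "https://paste.ee/d/oAqRiS3g",
    "https://ia601205.us.archive.org/26/items/new_image_20250430/new_image.jpg",
}
IOC_IPS = {"176.65.144.19"}
IOC_SHA256 = {
    "db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590",
    "34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89",
    "b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8",
    "77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe",
}

# Field names mirror the three detection queries on this page.
URL_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def norm_url(u: str) -> str:
    """Lower-case scheme and host only (assumption: paths on paste.ee and
    archive.org are case-sensitive, so they are compared as-is)."""
    scheme, sep, rest = u.strip().partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower() + sep + host.lower() + slash + path


NORMALISED_IOC_URLS = {norm_url(u) for u in IOC_URLS}


@dataclass(frozen=True)
class Hit:
    query: str  # which of the page's three detection queries would fire
    field: str  # the log field that matched
    value: str  # the raw field value as seen in the record


def match_record(record: Dict[str, str]) -> List[Hit]:
    """Return one Hit per (field, indicator) match; an empty list means clean."""
    hits: List[Hit] = []
    for f in URL_FIELDS:  # Detection Query 1
        v = record.get(f)
        if v and norm_url(v) in NORMALISED_IOC_URLS:
            hits.append(Hit("Detection Query 1", f, v))
    for f in IP_FIELDS:  # Detection Query 2: exact match on the address
        v = record.get(f)
        if v and v.strip() in IOC_IPS:
            hits.append(Hit("Detection Query 2", f, v))
    for f in HASH_FIELDS:  # Detection Query 3: hashes are case-insensitive hex
        v = record.get(f)
        if v and v.strip().lower() in IOC_SHA256:
            hits.append(Hit("Detection Query 3", f, v))
    return hits


def scan(records: Iterable[Dict[str, str]]) -> List[Tuple[int, Hit]]:
    """Run match_record over a stream of records, tagging hits with the record index."""
    return [(i, h) for i, r in enumerate(records) for h in match_record(r)]


# Constructed sample records (not real telemetry): proxy, flow, EDR and benign events.
SAMPLE_RECORDS = [
    {"url": "http://paste.ee/d/jYHEqBJ3/0", "srcipaddress": "10.0.0.5"},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "176.65.144.19"},
    {"sha256hash": "77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe".upper()},
    {"url": "https://example.com/", "dstipaddress": "10.0.0.9"},
    {"siteurl": "HTTPS://IA601205.US.ARCHIVE.ORG/26/items/new_image_20250430/new_image.jpg"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {hit.query} via {hit.field} = {hit.value}")
```

Record 3 is the control case and produces no hit; records 2 and 4 show why the hash and host comparisons are case-folded, since a SIEM that compares those fields byte-for-byte would miss both. When wiring the page's queries into a live pipeline, confirm whether the platform's `like` is an exact or a wildcard comparison, because the queries above contain no wildcard characters.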
Reference:
https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government