DCRAT Attacks Windows to Remotely Control Hosts, Log Keystrokes, Capture Screens and Steal Personal Files
A sophisticated Remote Access Trojan (RAT) campaign targeting Colombian organizations has emerged, employing advanced evasion techniques to establish persistent remote control over Windows systems.
The malware, identified as DCRAT, represents a significant escalation in cyber threats against Latin American entities, utilizing government impersonation tactics to deceive victims into executing malicious payloads.
The attack campaign leverages carefully crafted phishing emails that impersonate Colombian government agencies, tricking recipients into opening password-protected ZIP attachments containing batch files.
These initial vectors serve as entry points for a complex multi-stage infection process designed to bypass traditional security measures through sophisticated obfuscation techniques including steganography, base64 encoding, and multiple file drops.
Fortinet analysts identified this threat during recent investigations, revealing DCRAT’s comprehensive surveillance capabilities that extend far beyond typical malware functionality.
The RAT enables attackers to execute remote commands, manage files, monitor user activity, capture screenshots, perform keylogging operations, and download additional malicious payloads.
Its modular architecture allows threat actors to customize functionality based on specific objectives, making it particularly dangerous for targeted espionage campaigns.
Multi-Stage Payload Delivery and Steganographic Concealment
The infection mechanism demonstrates remarkable sophistication through its multi-layered obfuscation strategy.
Upon execution, the initial batch file retrieves a heavily obfuscated VBS script from Pastebin-like services, which subsequently executes PowerShell code containing embedded base64 variables.
This PowerShell script establishes connection to remote servers hosting image files that conceal the final executable payload through steganographic techniques.
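The two decoding steps an analyst needs at this point are pulling the base64 strings out of the PowerShell stage and carving the payload out of the image. The block below is an added example, not code from Fortinet's report or from the malware: the stage-2 script, the URL in it and the carrier image are all constructed here, and because the report does not say which steganographic layout is used, the carver assumes the simplest common one, a payload appended after the PNG IEND chunk.

```python
import base64
import binascii
import re
import struct
import zlib
from typing import Dict, List, Optional


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stand-in for the stage-2 PowerShell the report describes: string
# constants hidden in base64 variables. The URL and names are placeholders, not
# indicators from the campaign.
SAMPLE_STAGE2 = f'''
$dl = "{_b64("http://example.invalid/img/logo.png")}"
$meth = "{_b64("System.Reflection.Assembly")}"
$broken = "ABCDEFGHIJKLMNOPQ"
$short = "aaaa"
[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($dl))
'''

# Variable assignments whose value looks like base64 (16+ chars of the base64 alphabet).
B64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=]{16,})["\']')
URL_RE = re.compile(rb"https?://[^\s'\"]+")
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def decode_base64_vars(script: str) -> Dict[str, bytes]:
    """Map variable name -> decoded bytes for every assignment that is valid base64."""
    found: Dict[str, bytes] = {}
    for name, value in B64_ASSIGN.findall(script):
        try:
            found[name] = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue  # base64 alphabet but bad length/padding: not a real blob
    return found


def extract_urls(blobs: Dict[str, bytes]) -> List[str]:
    """Pull next-stage URLs (e.g. the image host) out of the decoded blobs."""
    urls: List[str] = []
    for data in blobs.values():
        urls.extend(u.decode("ascii", "replace") for u in URL_RE.findall(data))
    return urls


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier_png(payload: bytes) -> bytes:
    """Constructed test carrier: a valid 1x1 PNG with `payload` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + payload)


def carve_after_iend(image: bytes) -> Optional[bytes]:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    Viewers stop rendering at IEND, so bytes appended there still display as an
    ordinary picture. Returns None if the input is not a PNG or has no IEND chunk.
    """
    if not image.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return image[end:]
        pos = end
    return None


if __name__ == "__main__":
    blobs = decode_base64_vars(SAMPLE_STAGE2)
    for name, data in blobs.items():
        print(f"${name} -> {data!r}")
    print("urls:", extract_urls(blobs))
    carrier = build_carrier_png(b"MZ" + bytes(16))
    print("carved:", carve_after_iend(carrier)[:8])
```

The `validate=True` decode matters in practice: obfuscated scripts are full of strings that match the base64 alphabet by accident, and without validation the decoder would happily emit garbage for them. If a real carrier turns out to hide the payload elsewhere (inside pixel data or between custom markers), only `carve_after_iend` needs replacing.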
The persistence mechanism depends on the privileges of the compromised account: with administrative rights the malware creates a scheduled task, while for a standard user it writes a Run entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
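Because the two persistence paths above are exactly what a responder exports first, the following added example (not from the report) triages both: the output of `reg query` against the HKCU Run key and a `schtasks /query /fo CSV /v` export. Both inputs are constructed here, the CSV is cut down to the columns the code uses, and the user name, task names and file names are placeholders; the rules (user-writable directories, script hosts, system binary names outside System32) are generic heuristics, not indicators from the campaign.

```python
import csv
import io
import re
from typing import List, Tuple

# Constructed output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`:
# one benign entry and two loader-style entries of the kind the report describes.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\ana\AppData\Roaming\svchost.exe
    Helper    REG_EXPAND_SZ    wscript.exe //B "%APPDATA%\helper.vbs"
"""

# Constructed excerpt of `schtasks /query /fo CSV /v`, reduced to the columns used here.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Run As User","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","SYSTEM","%windir%\system32\defrag.exe -c -h -o -$"
"\SystemUpdate","SYSTEM","C:\Users\ana\AppData\Local\Temp\update.exe"
'''

USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\appdata|%appdata%|%localappdata%|%temp%|\\temp\\|\\public\\|\\programdata\\)")
SCRIPT_HOST = re.compile(
    r"(?i)\b(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b")
SYSTEM_NAME = re.compile(r"(?i)\b(svchost|csrss|lsass|winlogon)\.exe")
SYSTEM32 = re.compile(r"(?i)\\windows\\system32\\")


def assess_command(cmd: str) -> List[str]:
    """Reasons an autostart command deserves a look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable path")
    if SCRIPT_HOST.search(cmd):
        reasons.append("script/LOLBin host")
    if SYSTEM_NAME.search(cmd) and not SYSTEM32.search(cmd):
        reasons.append("system binary name outside System32")
    return reasons


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """(value name, data) pairs from `reg query` output; value names containing spaces are not handled."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def parse_schtasks_csv(text: str) -> List[Tuple[str, str]]:
    """(task name, command) pairs from `schtasks /fo CSV /v` output."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["TaskName"], r["Task To Run"]) for r in rows]


def triage(reg_text: str, schtasks_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (source, name, command, reasons) for every autostart entry that trips a rule."""
    hits: List[Tuple[str, str, str, List[str]]] = []
    for name, cmd in parse_reg_query(reg_text):
        reasons = assess_command(cmd)
        if reasons:
            hits.append(("HKCU Run", name, cmd, reasons))
    for name, cmd in parse_schtasks_csv(schtasks_text):
        reasons = assess_command(cmd)
        if reasons:
            hits.append(("Scheduled task", name, cmd, reasons))
    return hits


if __name__ == "__main__":
    for source, name, cmd, reasons in triage(SAMPLE_REG_QUERY, SAMPLE_SCHTASKS_CSV):
        print(f"[{source}] {name}: {cmd}\n    -> {', '.join(reasons)}")
```

The heuristics are deliberately coarse so that they survive renamed binaries and new task names; what they key on is where the autostart points (a directory the user can write to) and what it launches (a script host or a system binary name in the wrong place), which are the properties a privilege-dependent dropper like this one cannot easily avoid.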
DCRAT protects its configuration with AES-256; a hardcoded, base64-encoded key decrypts the critical parameters, including the command-and-control address (176.65.144.19:8848), the mutex name (DcRatMutex_qwqdanchun) and operational flags.
To evade detection, DCRAT patches the AmsiScanBuffer function of amsi.dll in the memory of its own process, so that the Windows Antimalware Scan Interface never gets to inspect the script content handed to it.
The malware also queries the WMI class Win32_CacheMemory to recognise virtual machine environments and terminates if it decides it is running in a sandbox.
The RAT keeps the host awake by calling SetThreadExecutionState with 0x80000003 (ES_CONTINUOUS | ES_SYSTEM_REQUIRED | ES_DISPLAY_REQUIRED), which blocks sleep and display timeout for as long as the thread holds the request, so the command-and-control channel stays up.
This comprehensive approach to system manipulation and evasion demonstrates the evolving sophistication of modern RAT campaigns targeting critical infrastructure and government entities.