Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Control and collect victim’s sensitive information from the victim’s device
Prevalence: Columbia targeted
Severity Level: High

The FortiMail IR team recently uncovered a new email attack distributing a Remote Access Trojan called DCRAT. The threat actor is impersonating a Colombian government entity to target organizations in Colombia. The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection.

Key features of DCRAT:

1. Modular Architecture
DCRAT is designed with a modular structure, allowing attackers to add or remove plugins. This lets them tailor the RAT’s behavior to specific tasks like data theft, surveillance, or persistence.

2. Comprehensive Surveillance Capabilities
The RAT allows remote control over infected systems. Attackers can execute commands, manage files, monitor user activity, and even download or run additional malicious payloads.

3. Information Theft
It can steal sensitive information such as credentials, documents, browser data, and personal files. It also supports screenshot capture and keylogging to record user input.

4. System Manipulation
DCRAT can alter system settings — rebooting, shutting down, logging off users, or creating new accounts. It can also change visual elements like wallpapers and taskbar visibility.

5. File and Process Management
The malware supports creating, deleting, renaming, or moving files and folders. It can run or terminate processes and upload/download files to or from the victim’s system.

6. Browser and Credential Harvesting
It specifically targets browsers to extract stored data such as cookies, browsing history, and saved login credentials. It can also open websites and perform actions in the user’s browser.

The threat actor sends an email impersonating a Colombian government entity to trick the user to run the attachment contents while having the recipient in the BCC field:

Figure 1: Phishing email used in this campaign

Figure 2: Zip attachment .bat file

Figure 4: Deobfuscated vbs file

Figure 5: Obfuscated script

Figure 6: Deobfuscated script

Figure 8: The RAT exe file

Figure 9: Main function calls

Figure 10: Decrypting settings

Figure 11: Hardcoded AES256 key

Variables revealed after the decryption:

Ports – 8848
Hosts - 176.]65.]144.]19
Version – 1.0.7
Install – false
MTX – DcRatMutex_qwqdanchun
Pastebin – null
Anti – false
Anti_Process – false
BS_OD – false
Group – AU
HWID – This takes the properties of the machine, concatenates them, converts that into an MD5 hash, and then converts that hash into a hexadecimal string. It then takes the first 20 characters and converts them into upper case.

Server signature –

Server certificate -

After initializing those settings, it runs VerifyHash, which checks if the signature is valid for that hash and public key.

Figure 12: VerifyHash determining signature validity

Figure 13: Anti analysis function

This runs a query that selects everything from Win32_CacheMemory and iterates through each one. Win32_CacheMemory provides info about cache memory devices. If there are none, it could indicate the presence of a VM.

Following the next call, it creates a mutex with the mutex name previously decrypted and saved into MTX. (DcRatMutex_qwqdanchun)

Figure 14: CreateMutex function

Figures 15-17: Checking for and terminating processes

Figures 15-17: Checking for and terminating processes

Figures 15-17: Checking for and terminating processes

Figure 18: Triggering a “blue screen of death”

Figures 19-20: Processing code to retrieve properties of the Install_Folder variable

Figures 19-20: Processing code to retrieve properties of the Install_Folder variable

This code block uses FileInfo to retrieve properties of the Install_Folder variable, which in this case points to the AppData\Roaming directory. It then obtains the full file path of the currently running malware and compares it to the Install_Folder path. If the paths do not match, it iterates through all running processes and terminates any that are executing from the Install_Folder location.

If the user has administrative privileges, the malware spawns a hidden cmd process to execute a base64-decoded command string:

/c schtasks /create /f /sc onlogon /rl highest /tn

It then appends parameters to register the malware binary as a scheduled task for persistence. The final command executed is:

/c schtasks /create /f /sc onlogon /rl highest /tn "TASK NAME" /tr "\"FULL PATH OF THE EXECUTABLE\"" & exit

If the user lacks administrative privileges, the malware instead creates a registry entry under:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

The entry uses the malware’s filename and path to ensure it is executed at user logon.

After completing the previous steps, the malware checks whether the file still exists at the path specified by FullName (i.e., the full path of the currently running executable) and pauses execution for one second. It then creates a new file in the AppData\Roaming directory and copies the current executable into that location.

Next, it generates a .bat file in the AppData\Local\Temp directory containing a script designed to execute the dropped file and then delete itself. The contents of the batch file are as follows:

@echo off
timeout 3 > NUL
START "" "DROPPED FILE LOCATION"
CD xxx\AppData\Local\Temp\
DEL "BAT FILE NAME" /he flags:

This function instructs Windows to keep the display on and prevent the system from entering sleep mode, maintaining this state continuously until explicitly reset.

Figure 21: Preventing the system from sleeping

Combined, these flags ensure that the system remains active and the screen remains on without interruption.

The RAT then checks to see if the user is an admin. If so, it runs the CleanSetting function:

Figure 22: Running the CleanSetting function

This function performs the following:

• Deletes the windir key if it exists under HKEY_CURRENT_USER\Environment - the value for this key points to the root of the Windows directory.
• Deletes the mscfile subkey under HKEY_CURRENT_USER\Software\Classes which controls the file association for .msc files (for example services.msc) and deleting this prevents users from opening critical administrative tools.
• Deletes the ms-settings subkey under HKEY_CURRENT_USER\Software\Classes which is a URI protocol used to open the Windows Settings app from links.
  Removing this can break links to Settings (for example: ms-settings:sound from the Run window)

The RAT then calls for the Amsi.Bypass function

Figure 23: Calling for the Amsi.Bypass function

The function receives two base64-encoded strings and determines whether the current process is running in 32-bit or 64-bit mode. It then passes this architecture-specific value as a byte to the PatchA function.

Inside PatchA, the function decodes two base64 strings: "amsi.dll" and "AmsiScanBuffer". AmsiScanBuffer is a function provided by the Windows Antimalware Scan Interface (AMSI), available in Windows 10 and later. AMSI allows applications to pass memory buffers to the system’s antivirus engine for scanning.

The function proceeds to load amsi.dll into memory and retrieves the address of the AmsiScanBuffer function. It then attempts to inject a patch into this memory location, with the goal of sabotaging or disabling AMSI’s ability to detect malicious code.

Finally, the RAT enters an infinite loop, continuously attempting to connect to its command-and-control (C2) server. In this case, the C2 address was hardcoded, as noted earlier. However, the RAT also supports retrieving the C2 address dynamically from a remote URL stored in the Paste_bin variable.

Figure 24: RAT entering an infinite loop

Summary

The attacker sends a phishing email impersonating a Colombian government agency to deceive the user into executing a malicious file. To evade detection, the attack chain employs multiple obfuscation techniques, including steganography and multi-stage payloads.

When the file is run, it downloads an obfuscated VBS script from a text-sharing site. This script, in turn, executes obfuscated PowerShell code that retrieves a second link from another sharing site. It then extracts and invokes a .NET library embedded within an image file using steganography to deliver and execute the final payload.

The impact of such an attack is severe: giving a threat actor direct access to a victim’s machine can result in the theft of sensitive data, system compromise, and significant operational or financial damage.

Fortinet Protections

FortiMail dynamically detects the email, the BAT file, and the VBS file as malware. FortMail also detects the files statically based on the system’s advanced threat engines and previous threat intelligence research.

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

MSIL/Agent.CFQ!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.

We also suggest that organizations go through Fortinet’s free NSE training module: FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

URLs:

hxxp[:]//paste[.]ee/d/jYHEqBJ3/0
hxxps[:]//paste[.]ee/d/oAqRiS3g
hxxps[:]//ia601205[.]us[.]archive[.]org/26/items/new_image_20250430/new_image[.]jpg

Relevant SHA-256: