Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High
FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).
The attack chain begins with a small, obfuscated script that redirects victims to a spoofed site personalized with the target’s email domain, enhancing credibility. In this blog post, we’ll describe an infection chain using different methods to lure the victim and successfully deliver several RATs, including PureHVNC, DCRat, and Babylon RAT.
The campaign uses several themes across variants of this phishing email. One variant uses a voicemail-themed lure with the subject line “Missed Phone Call – <Date>” and an attachment named “VN0001210000200.html.” In the HTML file, the script stores the target user’s email as a Base64 string, reconstructs a link by XORing a set of small string chunks with 0x15 and then applying “atob,” and obtains the prefix hxxps://www[.]tridevresins[.]com/_b#. It then appends the email value and assigns the result to “window.location.href” after 413 milliseconds. This sample also includes an anti-automation check that aborts when “window.outerWidth” equals zero, as well as light string splitting to disguise what it does.
Figure 2: Phishing mail with voicemail message
Figure 3: HTML file in attachment
Figure 4: Phishing webpage
Another variant poses as a purchase order and arrives with an attachment named “採購訂單.html” (Chinese for “Purchase Order”). The script inside concatenates several short Base64 fragments into a single string and decodes it into the URL prefix hxxps://maltashopping24[.]com/t#, then decodes the victim’s Base64-encoded email address into cleartext. It appends this plaintext email to the URL fragment and, after a delay of 127 milliseconds, redirects the browser to the constructed address.
Figure 5: Phishing mail with order request
Figure 6: HTML file in attachment
Figure 7: Phishing webpage
The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity. Its primary purpose is to deliver a malicious download.
It first suppresses error messages by assigning a no-op function to “_0x4eadd5.onerror.” If the page failed to parse a victim email earlier, it shows “Email not found. Redirecting…” and sends the user to Bing so that the page appears benign. The downloadFile() handler runs only when userEmail exists. It disables the “Download” button, shows a full-screen loader, and builds a plain HTML form that POSTs the victim’s email address to “hxxps://brokaflex[.]com/tw/w.php.” It then submits the form, which returns a ZIP archive, and updates the interface with the message “Your document has been downloaded. Please open it for review…” urging the user to open the file immediately.
Figure 8: Code in phishing webpage for downloading UpCrypter
Although the two phishing mail attachments use slightly different obfuscation, their operational goal is the same: deliver victims to a phishing page that is already personalized with their email, tag them for tracking, and use fragment-based parameter passing to keep the identifier out of network logs.
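As an added illustration (not code from the report, the attachments, or UpCrypter), a Python helper an analyst can use to recover the redirect target from both attachment variants described above and to show why the fragment never reaches the server. The encoded chunks and fragments are constructed fixtures that encode the report’s two URL prefixes and a placeholder address; they are not bytes from the real samples.

```python
import base64
from urllib.parse import urlsplit

XOR_KEY = 0x15  # single-byte key the report names for the voicemail variant

def decode_xor_chunks(chunks, key=XOR_KEY):
    """Voicemail variant: XOR every character of every chunk with the key, join the pieces,
    then Base64-decode (the script's atob step) to recover the URL prefix."""
    b64 = "".join(chr(ord(c) ^ key) for chunk in chunks for c in chunk)
    return base64.b64decode(b64).decode()

def decode_b64_fragments(fragments):
    """Purchase-order variant: the fragments are slices of ONE Base64 string, so they must be
    joined before decoding; decoding a slice on its own fails or yields garbage."""
    return base64.b64decode("".join(fragments)).decode()

def build_redirect(prefix, email_b64):
    """Both variants append the decoded victim address after the '#' of the prefix."""
    return prefix + base64.b64decode(email_b64).decode()

def server_side_view(url):
    """Separate what reaches the server (scheme, host, path) from the fragment, which the
    browser keeps local: the victim identifier never appears in proxy or web-server logs."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}", p.fragment

def defang(url):
    """Neutralise a recovered URL before it goes into a ticket or report."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")

# Constructed fixtures (not bytes from the real attachments): the report's two URL prefixes
# encoded the way each variant does it, plus a placeholder address.
VOICEMAIL_CHUNKS = ["t]G%v]X#", "Yl,&q&v`", "q]_eORC'", "vxCotB o", "Yx[cwF,s", "L|X("]
ORDER_FRAGMENTS = ["aHR0cHM6", "Ly9tYWx0YXNob3Bw", "aW5nMjQu", "Y29tL3Qj"]
EMAIL_B64 = "dXNlckBleGFtcGxlLmNvbQ=="  # user@example.com
```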
The downloaded ZIP archive contains a heavily obfuscated JavaScript file padded with large amounts of junk code that hides the malicious logic. The encoded payload is split across two variables, “bfHJJ” and “lyoSU.” The script grabs the current script’s full path with WScript.ScriptFullName, creates a Shell.Application object, and sets “gjxkd” to “powershell.” It then uses the Base64-encoded command held in “PwBSs,” which was assembled earlier from “bfHJJ” and “lyoSU.” Finally, it calls ShellExecute to run PowerShell with “-ExecutionPolicy bypass” and the decoded command, using a window style of 0 (hidden). This stealthy execution flow lets the malware load and run the next stage without showing any visible console or alert.
Figure 9: The split encoded payload in two variables
Figure 10: PowerShell command
The main Base64-encoded PowerShell payload, “PwBSs,” is responsible for network verification, anti-analysis checks, and preparing the loader for execution. It pings “www.google.com” to confirm connectivity and restarts the computer if the ping fails. It then scans the running processes for forensic tools, debuggers, or sandbox environments, including “handle,” “autorunsc,” “Dbgview,” “tcpvcon,” “any.run,” “sandbox,” “tcpview,” “OLLYDBG,” “ImmunityDebugger,” “Wireshark,” “apateDNS,” and “analyze.” If any are found, it forces a system restart.
Once all the checks pass, it downloads the next-stage payload from the remote server “hxxps://andrefelipedonascime1753562407700.0461178[.]meusitehostgator[.]com.br/sPVbqMbKYr_06/03.txt.” It then splits the response at the string “%x%,” takes the character-code data that follows, and decodes it into the raw MSIL loader. This loader is executed directly in memory through .NET reflection by invoking “[System.Reflection.Assembly]::Load($fkfqj).”
Once loaded, the code locates its entry point using “GetType("ClassLibrary3.Class1").GetMethod("prFVI").Invoke,” supplying parameters that include a Base64-encoded string beginning with %base64% which, when decoded, yields an additional remote server address. This address is used to retrieve the final payload, allowing the attacker to seamlessly deliver the intended malware into the compromised environment without writing the loader itself to disk.
Figure 11: UpCrypter's JavaScript
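The “%x%”-delimited stage described above, as an added analyst helper (not code from the report or from the malware): it recovers the bytes after the marker and sanity-checks that they form a PE image before any further handling. The report does not state the exact encoding of the character codes, so this helper assumes decimal values separated by non-digit characters; the embedded stage is a constructed fixture, not a real loader.

```python
import re
import struct

MARKER = "%x%"   # delimiter the PowerShell stage splits on (named in the report)

def extract_loader(stage_text, marker=MARKER):
    """Return the bytes encoded after `marker` in the downloaded stage text.
    Assumption (the report does not give the encoding): the payload is a run of decimal
    character codes separated by non-digit characters; any separator parses identically."""
    _, found, tail = stage_text.partition(marker)
    if not found:
        raise ValueError("stage marker not present: not the expected format")
    codes = [int(n) for n in re.findall(r"\d+", tail)]
    if any(c > 0xFF for c in codes):
        raise ValueError("value above 255: not a one-code-per-byte stream")
    return bytes(codes)

def looks_like_pe(blob):
    """Cheap sanity check before deeper analysis: DOS 'MZ' stub, then the PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def constructed_stage():
    """Test fixture only: a 68-byte MZ/PE skeleton (not a real loader) encoded the way
    extract_loader expects, placed behind junk text and the marker."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)     # e_lfanew points just past the header
    stub += b"PE\0\0"
    return "junk text 123 " + MARKER + ",".join(str(b) for b in stub)
```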
In our collected data, the loader data retrieved from “andrefelipedonascime1753562407700.0461178[.]meusitehostgator[.]com.br” comes in two formats: one is delivered as plain text, and the other is embedded within an image file using a form of steganography. This dual-format delivery increases the chances of evading static detection.
Figure 12: Data in plain text
Figure 13: Data embedded in JPG file
The malware first checks for the existence of a nested working directory at “%AppData%..\LocalLow\Windows System (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO.” If the directory is not present, the loader creates the full path and pauses briefly between attempts until it exists. This guarantees a writable and persistent location under the attacker’s chosen folder for the following operations.
Figure 14: Entry point of MSIL loader
1. Anti-VM: Checks running process names for “vmtoolsd,” “vboxservice,” “Vmwareuser,” “Vmwaretrat,” “Hyper-V,” “prl_cc,” “joeboxserver,” and “mksSandbox.” It also checks for the files “C:\Windows\System32\SbieDll.dll” and “C:\Windows\System32\vmhgfs.dll,” the directory “C:\Program Files\Oracle\VirtualBox Guest Additions,” and the registry key “SOFTWARE\Sandboxie.”
2. Anti-Analysis: It first reads the registry key “HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS” to obtain BaseBoardManufacturer and BaseBoardProduct. It then enumerates all processes, fetches the active window title, and applies case-insensitive substring checks. If a ProcessName contains “avast,” “avg,” or “MBAMService,” it stops scanning and exits. For the remaining entries, it skips the deeper checks when the name contains “mksSandbox” and “python.” It immediately kills a process whose window title contains “Program Rules NVIDEO.” It also checks whether a name includes “apateDNS,” “sandbox,” “Wireshark,” “any.run,” “anyrun,” “analyze,” “analysis,” or “tcpvcon,” whether the exact ProcessName is “handle,” “autorunsc,” or “dbgview,” or whether the BIOS fields read earlier were blank. If any of these conditions is met, it writes the marker file “detect_analisse_process.txt,” deletes staged artifacts, cleans its working folders, forces a restart, and exits, with the overall goal of cutting analyst sessions short and minimizing traces.
3. Data download: It sets the hard-coded header “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)” to mimic an outdated Internet Explorer client. Using this header, it retrieves the files “01.txt” and “02.txt” from the remote address “andrefelipedonascime1753562407700.0461178[.]meusitehostgator[.]com.br,” and a payload from “ktc2005[.]com/bu[.]txt.”
Figure 15: Downloaded data
4. Decoding data: The file “02.txt” is Base64-decoded into a PowerShell script that embeds the DLL loader data from “01.txt” (ClassLibrary1.dll). The script integrates the DLL’s data directly, replacing placeholders with live values and referencing it for in-memory execution. The script also directly embeds the payload from “bu[.]txt.” This approach lets the malware execute the final stage without writing the payload to disk, maintaining stealth and minimizing forensic artifacts.
Figure 16: Decoded PowerShell from "02.txt"
Figure 17: Embedding data into the PowerShell script
Figure 18: Decoded DLL from "01.txt"
5. Persistence and launch: It writes the complete PowerShell command into the registry Run key “HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.” It then uses WinExec to launch it.
Figure 19: Persistence setting
Figure 20: PowerShell execution
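Added example, not code from the report or from any Fortinet product: detection checks a defender can run over process, proxy and registry telemetry to catch three points in this chain (a script host spawning PowerShell with ExecutionPolicy bypass, as the JavaScript dropper does; the loader’s hard-coded IE8 User-Agent from step 3; and a Run value that launches PowerShell or references the loader’s working folder, as in step 5). The field names follow Sysmon-style process and registry events, the proxy line format and all sample records are constructed, and the hosting domain in the sample is a placeholder.

```python
import re

# Exact User-Agent the MSIL loader sets (quoted in the report); no current browser fleet emits it.
LOADER_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; "
             ".NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; "
             ".NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WORKDIR_MARKER = "program rules nvideo"  # folder name the loader creates under LocalLow
EP_BYPASS = re.compile(r"-(executionpolicy|ep|ex)\s+bypass")  # full switch and common abbreviations

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process_event(ev):
    """ev: dict with parent_image, image, command_line (Sysmon event 1 style fields).
    Dropper stage: a script host spawning PowerShell with ExecutionPolicy bypass."""
    if (_basename(ev["parent_image"]) in SCRIPT_HOSTS
            and _basename(ev["image"]) in POWERSHELL
            and EP_BYPASS.search(ev["command_line"].lower())):
        return "script host spawned PowerShell with -ExecutionPolicy bypass"
    return None

def check_proxy_line(line):
    """line: one web-gateway record that carries the client User-Agent. Exact-string match."""
    return "loader User-Agent (IE8 / .NET CLR 2.0 fingerprint)" if LOADER_UA in line else None

def check_run_value(ev):
    """ev: dict with key, data (registry value-set event). Persistence stage: a Run value
    that launches PowerShell or points into the loader's working directory."""
    if not ev["key"].lower().rstrip("\\").endswith("\\currentversion\\run"):
        return None
    data = ev["data"].lower()
    if "powershell" in data or WORKDIR_MARKER in data:
        return "Run value launches PowerShell / references loader working directory"
    return None

def triage(process_events=(), proxy_lines=(), registry_events=()):
    """Run all three checks and return [(source, reason)] for every hit, in telemetry order."""
    hits = [("process", r) for ev in process_events if (r := check_process_event(ev))]
    hits += [("proxy", r) for ln in proxy_lines if (r := check_proxy_line(ln))]
    hits += [("registry", r) for ev in registry_events if (r := check_run_value(ev))]
    return hits

# Constructed sample telemetry (not from the report); the hosting domain is a placeholder.
SAMPLE_PROCESS = {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "command_line": "powershell -ExecutionPolicy bypass -c <decoded command>"}
SAMPLE_PROXY = '10.0.0.5 GET hxxps://hosting[.]invalid/sPVbqMbKYr_06/01.txt 200 "' + LOADER_UA + '"'
SAMPLE_RUN = {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "data": "powershell -ExecutionPolicy bypass -w hidden -c <script>"}
```

The exact User-Agent match is deliberately strict; loosen it to the CLR 2.0/OfficeLive tokens only after checking how much legacy traffic exists in your own proxy logs.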
Although the strings and method names are obfuscated, the overall execution flow and the DLL name clearly point to UpCrypter, a tool developed by Pjoao1578, who continues to update and publicly demonstrate its capabilities on YouTube.
In this campaign, UpCrypter is used as the central loader framework to stage and deploy multiple remote access tools. The observed payloads include PureHVNC, DCRat, and Babylon RAT. Each enables full remote control of compromised systems. This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments.
Attackers can now easily make phishing emails and fake websites using ready-made tools found online. These tools let them build a complete system to spread malware, not just deliver simple scams. Our telemetry indicates that this campaign is not limited to one region. Instead, it is operating on a truly global scale. In just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern. The impact is felt across multiple sectors, with manufacturing, technology, healthcare, construction, and retail/hospitality among the most affected industries. This is not just about stealing email logins, but is a complete attack process that can secretly install a malicious payload inside a company’s network. Once inside, attackers can keep control of the systems for an extended period. Users and organizations should take this threat seriously, use strong email filters, and make sure staff are trained to recognize and avoid these types of attacks.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
HTML/Agent.PIY!tr
JS/Redirector.PIY!tr
JS/Agent.SYK!tr
MSIL/Agent.SBA!tr.dldr
MSIL/Injector.LJM!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
We also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.