CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages

Avatar
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new campaign that targets the defense sectors with Dark Crystal RAT (aka DCRat). The campaign, detected earlier this month, has been found to target both employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine. The activity involves

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new campaign that targets the defense sectors with Dark Crystal RAT (aka DCRat).

The campaign, detected earlier this month, has been found to target both employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine.

The activity involves distributing malicious messages via the Signal messaging app that contain supposed meeting minutes. Some of these messages are sent from previously compromised Signal accounts so as to increase the likelihood of success of the attacks.

The reports are shared in the form of archive files, which contain a decoy PDF and an executable, a .NET-based evasive crypter named DarkTortilla that decrypts and launches the DCRat malware.

DCRat, a well-documented remote access trojan (RAT), facilitates the execution of arbitrary commands, steals valuable information, and establishes remote control over infected devices.

CERT-UA has attributed the activity to a threat cluster it tracks as UAC-0200, which is known to be active since at least summer 2024.

“The use of popular messengers, both on mobile devices and on computers, significantly expands the attack surface, including due to the creation of uncontrolled (in the context of protection) information exchange channels,” the agency added.

The development follows Signal’s alleged decision to stop responding to requests from Ukrainian law enforcement regarding Russian cyber threats, according to The Record.

“With its inaction, Signal is helping Russians gather information, target our soldiers, and compromise government officials,” Serhii Demediuk, the deputy secretary of Ukraine’s National Security and Defense Council, said.

Signal CEO Meredith Whittaker, however, has refuted the claim, stating “we don’t officially work with any gov, Ukraine or otherwise, and we never stopped. We’re not sure where this came from or why.”

It also comes in the wake of reports from Microsoft and Google that Russian cyber actors are increasingly focusing on gaining unauthorized access to WhatsApp and Signal accounts by taking advantage of the device linking feature, as Ukrainians have turned to Signal as an alternative to Telegram.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Half a million people impacted by Pennsylvania State Education Association data breach

Next Post

CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

Related Posts

10 Critical Network Pentest Findings IT Teams Overlook

After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit. Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That’s where
Avatar
Read More

Malvertising Scam Uses Fake Google Ads to Hijack Microsoft Advertising Accounts

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior
Avatar
Read More