CyberSecurity updates
Updated: 2024-11-22 17:15:31 Pacific

CISO2CISO Editor 2 @ CISO2CISO.COM
Gophish Phishing Framework: Deploying Remote Access Trojans - 30d

The Gophish phishing framework is being utilized by threat actors in phishing campaigns to deliver Remote Access Trojans (RATs). This framework provides attackers with a platform to easily create and launch convincing phishing emails that lure unsuspecting victims into providing credentials or clicking malicious links. The RATs are often disguised as legitimate applications or files, and once installed on the victim’s device, they grant the attacker remote access to the compromised system, enabling them to steal data, install malware, or carry out other malicious activities.

cisco.com
New PowerRAT and DCRAT Delivered by Gophish Toolkit - 5h

A new phishing campaign discovered by Cisco Talos uses the open-source Gophish toolkit to distribute malware. The campaign relies on modular infection chains, either Maldoc-based or HTML-based, that require user interaction to activate. It delivers a previously undocumented PowerShell RAT, dubbed PowerRAT, along with the well-known Remote Access Trojan (RAT) DCRAT, which indicates that the threat actors are actively developing their tools and targeting Russian-speaking users. The attack uses malicious Microsoft Word documents and HTML files containing malicious JavaScript as initial infection vectors. Depending on the initial vector, these lead to the download and activation of either PowerRAT or DCRAT, with the attacker-controlled domains disk-yanbex[.]ru and e-connection[.]ru hosting the payloads. The campaign is concerning because of its use of a readily available toolkit and the potential for further development and refinement of the PowerRAT malware. It highlights the importance of maintaining strong cybersecurity practices to protect against phishing attacks and the need for vigilance against emerging threats.


This site is an experimental news aggregator using feeds I personally follow. You can reach me on Bluesky if you have feedback or comments.