A recent cyber-espionage campaign has been identified, targeting Ukraine's defense sector with a sophisticated malware known as Dark Crystal RAT (DCRat). The attack, highlighted by Ukraine's Computer Emergency Response Team (CERT-UA), involves the deployment of this remote access Trojan to infiltrate sensitive defense-related organizations.

Understanding Dark Crystal RAT

DCRat, developed by a Russian programmer, is a remote access Trojan written in C#. Although it is popular among novice hackers, its advanced features, such as custom plug-ins and a modular framework, make it a formidable tool for more experienced cybercriminals.

Targeted Campaign Details

The latest wave of attacks, detected earlier this month, specifically targets employees within Ukraine's defense-industrial sector and members of the Defense Forces. CERT-UA has linked these activities to a threat group identified as UAC-0200.

  • Method of Attack: Malicious messages are distributed via the secure messaging app Signal.
  • Payload Delivery: Messages include archive files with a decoy PDF and an executable named "Dark Tortilla," which decrypts and executes DCRat.
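The lure layout described above, a decoy document bundled with an executable in one archive, is something a mail or chat-attachment gateway can flag before the archive ever reaches a user. The script below is an added example, not CERT-UA's or Signal's code, and it assumes the archives are ZIP files (the article says only "archive files"); the extension lists and the two sample archives are constructed for the demonstration and contain no real malware. It classifies each member by extension and by the `MZ` header that every Windows PE file starts with, so an executable renamed to look like a document is still caught, and reports the archive as suspicious when a document and an executable travel together.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions treated as decoy documents and as executables (assumed lists, not from the article).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".msi", ".dll"}

# First two bytes of a Windows PE image; checked so a renamed executable is still detected.
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> str:
    """Return 'document', 'executable' or 'other' for one archive entry."""
    ext = PurePosixPath(name).suffix.lower()
    if head.startswith(PE_MAGIC) or ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def analyze_archive(data: bytes) -> dict:
    """Inspect a ZIP archive given as bytes.

    Returns the per-member classification and a 'suspicious' flag that is
    True when at least one document and at least one executable are bundled
    together, the decoy-plus-loader pattern the article describes.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            members[info.filename] = classify_member(info.filename, head)
    kinds = set(members.values())
    return {
        "members": members,
        "suspicious": "document" in kinds and "executable" in kinds,
    }


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF beside a fake PE stub (harmless placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_2025.pdf", b"%PDF-1.4\n% decoy document body\n")
        zf.writestr("Order_2025.pdf.exe", PE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: documents only, should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("sample", build_sample_archive()),
                           ("benign", build_benign_archive())):
        print(label, analyze_archive(archive))
```

The check is deliberately coarse: it is a triage rule for quarantining attachments for closer inspection, not a replacement for scanning the executable itself, and the extension lists should be tuned to what an organisation legitimately exchanges.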

Impact and Response

Once deployed, DCRat enables attackers to execute arbitrary commands, exfiltrate data, and gain remote control over compromised systems. Ukrainian authorities have urged Signal to address these threats, but have reported a lack of response.

Official Statements

Serhii Demediuk, deputy secretary of Ukraine's National Security and Defense Council, criticized Signal for its inaction, suggesting it aids Russian efforts to compromise Ukrainian targets. However, Signal's CEO, Meredith Whittaker, refuted these claims, asserting on Mastodon that Signal does not collaborate with any government.
