
PowerShell RAT

Cybersecurity researchers have identified a new RAT (Remote Access Trojan) that cybercriminals have leveraged against targets in Germany. The Trojan is being tracked as the PowerShell RAT, and it is being deployed via malicious websites that use the war in Ukraine as a lure.

The PowerShell RAT is equipped with the functionality typical of threats of this type. Once deployed on a targeted system, it begins by collecting information about the device. As its name suggests, the threat's primary function is executing PowerShell commands. In addition, the threat actors can exfiltrate chosen files from the breached system or deploy additional payloads on it. This allows the attackers to expand their capabilities within the system, depending on their goals: they can download and execute additional Trojans, ransomware, crypto-miners, etc.

The lure website spreading the PowerShell RAT is designed to closely resemble the website of the German state of Baden-Württemberg. The threat actors even used a domain, collaboration-bw(dot)de, that had previously been associated with the official site. On the fake page, users are presented with accurate information about the events concerning the war in Ukraine. The site tries to convince its visitors to download a file named '2022-Q2-Bedrohungslage-Ukraine.chm.txt'. Once opened, the file displays a fake error message about a supposed issue, while a malicious script runs silently in the background. That script initiates the PowerShell RAT's infection chain.
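As an added defensive example (not part of the original write-up), the following Python scans web-proxy log lines for the two indicators named above, the lookalike domain and the lure filename, and also generalises the filename pattern: a risky extension such as .chm hidden behind a harmless-looking trailing .txt. The five-field log format and the sample lines are constructed for the example; the domain is stored defanged exactly as quoted on this page and refanged only in memory.

```python
import re
from typing import Dict, List

# Indicators quoted in the write-up; the domain stays defanged in the constant.
LURE_DOMAIN_DEFANGED = "collaboration-bw(dot)de"
LURE_FILENAME = "2022-Q2-Bedrohungslage-Ukraine.chm.txt"

# Risky extension hidden behind a harmless trailing one (.chm.txt on this page).
DOUBLE_EXT_RE = re.compile(r"\.(chm|exe|ps1|hta|js|vbs|lnk)\.(txt|pdf|doc|jpg|png)$", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('(dot)', '[.]') back into a real hostname."""
    return indicator.replace("(dot)", ".").replace("[.]", ".").lower()

def classify_download(url: str) -> List[str]:
    """Return the reasons a downloaded URL looks like this lure (empty = clean)."""
    reasons = []
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    filename = url.split("?", 1)[0].rsplit("/", 1)[-1]
    lure_host = refang(LURE_DOMAIN_DEFANGED)
    if host == lure_host or host.endswith("." + lure_host):
        reasons.append("lure-domain")
    if filename == LURE_FILENAME:
        reasons.append("known-lure-file")
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("double-extension")
    return reasons

def scan_proxy_log(log_text: str) -> List[Dict[str, object]]:
    """Scan 'timestamp client method url status' lines (a constructed log format)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        timestamp, client, _method, url, _status = parts[:5]
        reasons = classify_download(url)
        if reasons:
            hits.append({"time": timestamp, "client": client, "url": url, "reasons": reasons})
    return hits

# Constructed sample log: the page's lure, a benign PDF, and an unrelated double extension.
SAMPLE_LOG = """\
2022-05-03T09:14:02Z 10.0.0.21 GET https://collaboration-bw.de/2022-Q2-Bedrohungslage-Ukraine.chm.txt 200
2022-05-03T09:14:05Z 10.0.0.21 GET https://www.example.org/report.pdf 200
2022-05-03T09:15:10Z 10.0.0.37 GET https://files.example.net/invoice.exe.txt 200
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first line on all three reasons and the third on the double extension alone, which is the signal worth alerting on even after the lure domain is taken down.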
