We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain
The Acronis Threat Research Unit (TRU) was presented with a threat chain and malware sample for analysis that combined a known malware family with some novel twists in targeting and obfuscation.
In this article, we’ll dissect the complex malware delivery chain and tactics. The focus will be on a multi-stage infection process involving Visual Basic Script (VBS), a batch file, and a PowerShell script, ultimately leading to the deployment of high-profile malware like DCRat or Rhadamanthys infostealer.
Initial Infection: The Deceptive Email Attachment
The infection begins with a seemingly innocuous email. The message contains a RAR archive attachment, cleverly named “Citación por embargo de cuenta,” which translates to “Summons for account garnishment.”
This filename is designed to evoke immediate concern and prompt Spanish-speaking recipients to open the attachment. Once the RAR archive is extracted, it reveals a Visual Basic script (VBS) file.
When executed, this VBS file initiates a multistage delivery process, setting the stage for the deployment of the final malicious payload.
The Multi-Stage Delivery Process
The VBS file is heavily obfuscated, making it difficult for traditional security solutions to detect its malicious intent.
Upon execution, the VBS script writes a Windows batch file (BAT) to disk and transfers control to it. This batch file is the next link in the chain: it reassembles a Base64-encoded string from pieces stored in environment variables.
That string is a compact PowerShell script, which the batch file decodes and runs by passing it to powershell.exe through the -command argument.
The PowerShell script plays a crucial role in the delivery chain. It reads the last line of the batch file that launched it, strips the marker bytes that frame the data, and decodes the resulting payload.
The decoded payload is a Windows .NET executable. Rather than being written to disk, it is loaded into memory using the RunPE technique (also known as process hollowing), with the loading done by a helper library.
The payload itself is packed using a custom .NET packer and is heavily obfuscated, containing two encrypted data blobs within its resource structure.
Both blobs are decrypted with a byte-by-byte XOR against the single-byte key 0x78. A fixed single-byte XOR is obfuscation rather than cryptography: the same operation both encrypts and decrypts, there are only 256 possible keys, and because the decoded blob is a PE image with a known header, the key can be read off the first byte.
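The following Python is an added example (not code from the sample or from Acronis) showing how an analyst recovers and applies that key. It goes slightly beyond the page: instead of assuming 0x78, it brute-forces all 256 single-byte keys and keeps the one under which a blob decodes to a PE image, then applies that key to the remaining blob. The two resource blobs, the PE-shaped image and the configuration string are constructed stand-ins, not the sample's real resources.

```python
import struct

REPORTED_KEY = 0x78  # single-byte key reported in the analysis (ASCII 'x')


def xor_decode(blob: bytes, key: int) -> bytes:
    """Byte-by-byte XOR with one key byte; XOR is its own inverse, so this
    both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ stub and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, probe_len: int = 0x200) -> list[int]:
    """Brute-force every single-byte key and keep those whose decoded prefix
    parses as a PE. A 256-key space is why this scheme is not encryption."""
    head = blob[:probe_len]
    return [k for k in range(256) if looks_like_pe(xor_decode(head, k))]


def decrypt_resource_blobs(blobs, key=None):
    """Decode every embedded blob. If no key is given, derive it from the
    first blob that turns into a PE under exactly one candidate key."""
    if key is None:
        for blob in blobs:
            candidates = recover_xor_key(blob)
            if len(candidates) == 1:
                key = candidates[0]
                break
        else:
            raise ValueError("no blob decodes to a PE under any single-byte key")
    return key, [xor_decode(b, key) for b in blobs]


# Constructed sample resources: a minimal PE-shaped image and a config
# string, both XOR-encoded with 0x78 (stand-ins for the real resources).
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_CONFIG = b"c2=198.51.100.23;mutex=example"   # 198.51.100.0/24 is a documentation range
ENCRYPTED_BLOBS = [xor_decode(FAKE_PE, REPORTED_KEY), xor_decode(FAKE_CONFIG, REPORTED_KEY)]


if __name__ == "__main__":
    key, plain = decrypt_resource_blobs(ENCRYPTED_BLOBS)
    print(hex(key), plain[0][:4], plain[1])
```

The PE check is deliberately loose (MZ plus a valid e_lfanew); for a packed .NET payload one would additionally confirm a CLR header before handing the image to a .NET decompiler.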
Risks and Evading Detection
The deployment of high-profile malware like DCRat or Rhadamanthys infostealer through this complex delivery chain poses significant risks.
The multi-stage process, which mixes several scripting languages with layered obfuscation, is built to slip past signature-based security solutions; a successful infection leads to unauthorized access, data theft, and system compromise.
Each layer of the delivery chain adds its own obfuscation, so a security solution has to see through every step in turn to detect and block the malware.
However, the added complexity also introduces more points of failure: every hand-off between stages (VBS to batch, batch to PowerShell, PowerShell to the in-memory loader) is an opportunity for defenders to break the chain and prevent the final payload from executing.
Multilayered Security Solutions: A Comprehensive Defense
To combat such sophisticated threats, multilayered security solutions are essential. These solutions employ a variety of techniques at different stages of the infection process.
For instance, during the initial stages, they can detect and block malicious emails and attachments, preventing the execution of the Visual Basic script.
Advanced heuristics and behavior analysis can identify obfuscated scripts and suspicious activities, such as a script host spawning cmd.exe and PowerShell, or the creation of batch files and PowerShell scripts in user directories.
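As an added example of what such behavior analysis looks like in practice (not Acronis detection logic and not part of the original article), the Python below runs a small lineage-and-command-line rule over constructed process-creation events modelled on this chain: wscript.exe launching cmd.exe on a batch file under the user profile, which launches powershell.exe with a Base64-decoding -command. The events, paths and PIDs are constructed; the rule requires at least two independent indicators so that an administrator running PowerShell from Explorer is not flagged.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the chain in the article
# (not real telemetry). Paths, PIDs and the Base64 fragment are illustrative.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\Downloads\Citación por embargo de cuenta.vbs"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\stage2.bat"'),
    ProcEvent(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -command \"iex([Text.Encoding]::UTF8.GetString("
              "[Convert]::FromBase64String('JABsAD0AKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQA')))\""),
    # Benign: an administrator running PowerShell directly from Explorer.
    ProcEvent(1500, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -command Get-Date"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENCODED_CMD = re.compile(r"frombase64string|\s-e(?:nc|ncodedcommand)?\b", re.IGNORECASE)
USER_BATCH = re.compile(r"\\users\\[^\\]+\\.*\.(?:bat|cmd)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Walk parent links upward; stop on a missing parent or a PID cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_powershell(events, min_reasons: int = 2):
    """Flag powershell.exe launches showing at least min_reasons of:
    script host -> cmd.exe -> powershell.exe lineage, an encoded or
    Base64-decoding command line, and a parent batch file under a user profile."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "powershell.exe":
            continue
        reasons = []
        lineage = [basename(e.image) for e in ancestry(by_pid, ev.pid)]
        if len(lineage) >= 3 and lineage[1] == "cmd.exe" and lineage[2] in SCRIPT_HOSTS:
            reasons.append("script host -> cmd.exe -> powershell.exe lineage")
        if ENCODED_CMD.search(ev.cmdline):
            reasons.append("Base64/encoded command line")
        parent = by_pid.get(ev.ppid)
        if parent and USER_BATCH.search(parent.cmdline):
            reasons.append("parent batch file under a user profile")
        if len(reasons) >= min_reasons:
            hits.append((ev.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, why in find_suspicious_powershell(EVENTS):
        print(pid, "; ".join(why))
```

The same three indicators map directly onto a Sigma or EDR rule: parent-image and grandparent-image conditions for the lineage, a command-line contains clause for FromBase64String and -enc, and a path pattern for batch files under \Users\.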
The Acronis Threat Research Unit analyzes threats like DCRat as a part of our ongoing research and development work to ensure that our security solutions — such as Acronis Advanced Security + Extended Detection and Response (XDR) — are prepared for emerging threats.
Acronis XDR leverages real-time protection and in-house-developed generic script emulators to de-obfuscate and analyze scripts, allowing for early detection and neutralization of threats. By monitoring and blocking the execution of encoded payloads in memory, these solutions can prevent the loading of final malware like DCRat, Rhadamanthys, or Remcos.
Key Findings, Insights and a 19th Century German Philosopher
The analysis of this malware delivery chain by the Acronis Threat Research Unit (TRU) has yielded several key findings. One notable, and perhaps unique, aspect of the analysis is the inclusion of philosophical quotes from Friedrich Nietzsche in the PowerShell script, likely used as a distraction.
As the files were de-obfuscated, the following famous quotations appeared as plain text:
- "There is always some madness in love. But there is also always some reason in madness."
- "In individuals, insanity is rare; but in groups, parties, nations, and epochs, it is the rule."
- “In heaven, all the interesting people are missing.”
After these were stripped out, additional de-obfuscation was required to reach the malicious code.
This detail highlights the creativity and sophistication of modern malware authors. Despite these challenges, the Acronis TRU successfully detected and neutralized the components involved.
Acronis Threat Research Unit's detailed analysis of DCRat provides a comprehensive understanding of this threat, including sanitized code samples and screenshots. For a deep dive into the methodology and code in this attack, you can access the complete technical write-up here.
For more information on the Acronis Threat Research Unit or to follow the latest alerts and updates, access the research blog here.
Sponsored and written by Acronis.