The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a malware campaign targeting Ukrainian telecommunications operators with the DarkCrystal RAT.
The malspam messages have the topic “Free primary legal aid” use a password-protected attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar.”
The RAR archive analyzed by the Ukrainian CERT-UA contains the document “Algorithm_LegalAid.xlsm.” Upon opening the document and enabling the macro, a PowerShell command will be executed. The script will download and run the .NET bootloader “MSCommondll.exe,” which in turn will download and run the malware DarkCrystal RAT.