A fileless attack campaign is leveraging a new crypter to propagate Remote Access Trojans (RATs). The RATs include BitRat, NjRat, LimeRat, Warzone, QuasarRat, and Nanocore RAT.

The attackers hosted phishing kits on infected WordPress websites. The malware was hosted on file hosting services. The malicious file is an ISO image disseminated via either the websites or phishing emails. An obfuscated PowerShell script carries the payloads and injects them into the assigned processes.

Water Basilisk leverages HCrypt version 7.8, a crypter-as-a-service, which is for sale on underground markets for $199. HCrypt is used to build obfuscated PowerShell scripts and VBScripts to deploy the final payloads. This latest version of the crypter features encryption updates for PDF phishing payloads, BTC stealers, JS and VBS payloads, and Windows 10 Defender disabling.

HCrypt can be used to propagate malware, as displayed by this campaign. Because HCrypt is undergoing active development, researchers expect more versions of it to appear, which would be able to distribute more RAT strains. It is also anticipated that the obfuscation algorithm will be updated to evade detection.

As phishing emails are still the most common attack vector, organizations should stay vigilant and train employees on cybersecurity hygiene.