Cybersecurity researchers have uncovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide variety of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.
The email messages arrive with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.
The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.
BatCloak, offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its core feature is to load a next-stage payload in a manner that circumvents traditional detection mechanisms.
ScrubCrypt, a crypter first documented by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is assessed to be one of the iterations of BatCloak, according to analysis from Trend Micro last year.
In the latest campaign analyzed by the cybersecurity company, the SVG file serves as a conduit to drop a ZIP archive that contains a batch script likely created using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT, but not before setting up persistence on the host and taking steps to bypass AMSI and ETW protections.
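As an added example (not code from the Fortinet report or this article), a defender-side triage script for the delivery vector just described: it walks the attachments of a raw e-mail and, for every .svg, flags script elements, event-handler attributes, data: URIs, and any base64 run that decodes to a ZIP header. The message, filenames and function names are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature every ZIP archive starts with


def svg_indicators(svg_bytes: bytes) -> list[str]:
    """Return why an SVG looks like a dropper (empty list if nothing found)."""
    reasons = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-svg"]
    for el in root.iter():
        if el.tag.split("}")[-1].lower() == "script":
            reasons.append("script-element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):  # onload=, onclick=, ... fire when the file is opened
                reasons.append(f"event-handler:{name}")
            if name == "href" and value.startswith("data:"):
                reasons.append("data-uri-href")
    # A long base64 run that decodes to a ZIP header is the smuggled archive itself.
    for blob in re.findall(rb"[A-Za-z0-9+/]{64,}={0,2}", svg_bytes):
        try:
            if base64.b64decode(blob, validate=True).startswith(ZIP_MAGIC):
                reasons.append("embedded-zip")
                break
        except ValueError:
            continue
    return reasons


def triage_eml(raw: bytes) -> dict[str, list[str]]:
    # Map each .svg attachment of a raw RFC 822 message to its indicators.
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): svg_indicators(p.get_payload(decode=True))
            for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".svg")}


def constructed_sample() -> bytes:
    """Constructed invoice lure (not a real sample): scripted SVG wrapping a ZIP header."""
    zip_b64 = base64.b64encode(ZIP_MAGIC + b"\0" * 60).decode()
    svg = ('<svg xmlns="http://www.w3.org/2000/svg" onload="drop()"><script>'
           f'var z="data:application/zip;base64,{zip_b64}";</script></svg>')
    msg = EmailMessage()
    msg["Subject"] = "Invoice 0001"
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml", filename="invoice.svg")
    return msg.as_bytes()
```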
A fork of Quasar RAT, Venom RAT enables attackers to seize control of the compromised systems, harvest sensitive data, and execute commands received from a command-and-control (C2) server.
“Although Venom RAT’s main program may appear simple, it maintains communication channels with the C2 server to obtain additional plugins for various activities,” security researcher Cara Lin said. This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.
“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” Lin added.
Also delivered using the plugin system is a stealer that gathers information about the system and exfiltrates data from folders associated with wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server.
“This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt,” Lin said.
“The attackers use a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.”
Some parts of this article are sourced from:
thehackernews.com