Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing lures to deliver a variety of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.
The email messages include Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.
The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.
BatCloak, offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its primary function is to load a next-stage payload in a manner that circumvents traditional detection mechanisms.
ScrubCrypt, a crypter that was first documented by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is assessed to be one of the iterations of BatCloak, according to research from Trend Micro last year.
In the latest campaign analyzed by the cybersecurity firm, the SVG file serves as a conduit to drop a ZIP archive that contains a batch script likely created using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT, but not before setting up persistence on the host and taking steps to bypass AMSI and ETW protections.
A fork of Quasar RAT, Venom RAT allows attackers to seize control of the compromised systems, gather sensitive information, and execute commands received from a command-and-control (C2) server.
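The chain described above starts with an SVG attachment that carries active content (script, an event handler, or a link to an embedded data: payload) rather than plain vector art. The following static triage routine, added here as an example and not FortiGuard's or any vendor's tooling, walks an SVG's element tree and reports exactly those features, so a mail gateway or analyst can quarantine attachments before a user clicks them. The two sample SVGs and the `triage_svg` function are constructed for this illustration; the base64 body in the suspicious sample is filler, not a real archive.

```python
"""Static triage of SVG email attachments (added example, not the report's own code).

Flags the features an SVG needs in order to run code or hand over a payload when
opened in a browser: <script> elements, on* event-handler attributes, href values
that point at data: or javascript: URIs, and <foreignObject> (which can embed HTML).
"""
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> list[str]:
    """Return sorted, de-duplicated findings; an empty list means no active content."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML is itself suspicious for an 'image'; fall back to a raw scan.
        text = data.decode("utf-8", errors="replace")
        findings.append("malformed-xml")
        if re.search(r"<\s*script\b", text, re.I):
            findings.append("script-element")
        if re.search(r"\bon\w+\s*=", text, re.I):
            findings.append("event-handler")
        if re.search(r"(?:data|javascript):", text, re.I):
            findings.append("active-uri")
        return findings

    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("script-element")
        elif name == "foreignobject":
            findings.append("foreignObject")
        for attr, value in el.attrib.items():
            aname = _local(attr)          # handles both href and xlink:href
            if aname.startswith("on"):    # onload, onclick, onerror, ...
                findings.append(f"event-handler:{aname}")
            if aname == "href":
                v = value.strip().lower()
                if v.startswith(("data:", "javascript:")):
                    # keep only the media-type part, not the (possibly huge) body
                    findings.append(f"active-uri:{v.split(',')[0][:40]}")
    return sorted(set(findings))


# Constructed samples for the demonstration (not from the campaign).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<rect width="100" height="100" fill="navy"/></svg>'
)

SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<text x="10" y="20">Invoice #00000</text>'
    b'<a xlink:href="data:application/zip;base64,AAAA">'
    b'<text x="10" y="40">Download</text></a>'
    b'<script>/* constructed placeholder: no real logic here */</script>'
    b"</svg>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(f"{label}: {triage_svg(sample) or 'no active content'}")
```

A result of anything other than an empty list is a reason to hold the attachment: legitimate invoice graphics have no need for script, event handlers, or data: links. The malformed-XML branch matters in practice because obfuscated lures are often not well-formed, and a parser that simply gave up would let them through.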
“While Venom RAT’s main program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities,” security researcher Cara Lin said. This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.
“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” Lin added.
Also delivered using the plugin system is a stealer that gathers information about the system and exfiltrates data from folders associated with wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server.
“This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt,” Lin said.
“The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.”