Hackers Weaponize Hard Disk Image Files to Spread VenomRAT

In a sophisticated cyberattack, hackers have begun using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, evading traditional security measures.

This approach involves sending phishing emails with attachments that, when opened, mount as a virtual hard drive on the victim’s system.

The .vhd file contains a heavily obfuscated batch script that executes malicious activities using PowerShell, ultimately sending sensitive data to command and control (C2) servers.

The VenomRAT Campaign

The VenomRAT campaign typically starts with a phishing email that uses a purchase order as bait to convince users to open the attachment.

Once extracted, the attachment reveals a .vhd file which, when opened, is mounted by Windows as a hard disk drive.

Inside this virtual drive is a batch file that is heavily obfuscated with garbage characters, Base64, and AES encryption.

Figure: Hard Disk Image - AES encrypted data

Upon execution, the batch file spawns a PowerShell script that drops files into the Startup folder to achieve persistence.

It also abuses Pastebin.com to host its C2 server, where exfiltrated data is stored.

VenomRAT is a remote access Trojan (RAT) that allows attackers to gain unauthorized access and control over targeted systems.

According to the report, it is a modified version of the Quasar RAT and has been used in various campaigns since 2020.

VenomRAT enables attackers to execute malicious activities remotely without the victim’s knowledge or consent.

The use of .vhd files as a delivery mechanism highlights the evolving tactics of threat actors to bypass security systems and remain undetected.

Figure: Hard Disk Image - .NET file

Protection and Prevention

To protect against such threats, it is crucial to implement robust security measures.

This includes regularly updating digital assets with the latest security patches, using multi-factor authentication, and maintaining advanced antivirus software.

Implementing robust email security protocols can also help block phishing attempts and verify the authenticity of unfamiliar links or attachments.

Companies like Forcepoint offer protection against VenomRAT by identifying and blocking malicious attachments, blocking URLs that download further payloads, and categorizing C2 servers under security categories.
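As an added example (not code from the article or from Forcepoint), the following Python checker flags VHD/VHDX attachments by their on-disk signature rather than their file name, descending one level into zip archives like the one used in this lure. The sample message, the attachment names and the fake image are all constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Signatures used instead of trusting file extensions: a VHD carries the ASCII
# cookie "conectix" in its 512-byte footer (dynamic VHDs also copy it to offset
# 0); a VHDX file starts with "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"

def is_disk_image(data: bytes) -> bool:
    """True if the bytes look like a VHD/VHDX image, whatever the file name."""
    if data[:8] in (VHDX_SIGNATURE, VHD_COOKIE):
        return True
    return data[-512:][:8] == VHD_COOKIE

def find_disk_images(raw_eml: bytes) -> list[str]:
    """Return the names of attachments (or zip members, one level deep) that
    are VHD/VHDX images in an RFC 822 message."""
    hits = []
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_disk_image(payload):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}/{m}" for m in zf.namelist()
                         if is_disk_image(zf.read(m))]
    return hits

def build_sample_message() -> bytes:
    """Constructed sample: a purchase-order lure whose zip attachment holds a
    minimal fake VHD (zero data plus a footer that begins with the cookie)."""
    fake_vhd = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("PO_4471.vhd", fake_vhd)   # hypothetical file name
        zf.writestr("readme.txt", b"see attached order")
    msg = EmailMessage()
    msg["Subject"] = "Purchase Order"
    msg.set_content("Please find the purchase order attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="PO_4471.zip")
    return msg.as_bytes()
```

Running `find_disk_images(build_sample_message())` reports the nested .vhd member while ignoring the harmless text file, which is the kind of content-based check a mail gateway can apply before an attachment ever reaches a user.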
