Threat actors are leveraging the PureHVNC Remote Access Trojan (RAT) alongside highly targeted social engineering tactics, employing fake job offers and obfuscated PowerShell scripts to compromise user systems and evade modern security defenses.
Security researchers at Netskope Threat Labs have identified complex infection chains that utilize a blend of scripting languages and advanced persistence mechanisms to deliver PureHVNC, granting attackers stealthy, persistent access to victims’ devices.
Multi-Layer Infection Chain Targets Job Seekers
The infection process begins with phishing emails or malicious downloads, often masquerading as lucrative job offers from prominent fashion, perfume, and jewelry brands across various countries.
Victims are lured into executing an LNK file that deceptively appears as a PDF document, exploiting the common practice of appending multiple extensions to obscure file intent.
Once triggered, the LNK file silently executes a PowerShell command, which then decodes and runs a secondary, base64-encoded PowerShell script.
This script leverages the Windows Set-Clipboard and IEX (Invoke-Expression) cmdlets to pass and execute additional commands, ultimately launching mshta.exe to retrieve and execute a remote HTA (HTML Application) file.
The campaign demonstrates a sophisticated multi-layer approach, incorporating multiple programming and scripting languages JavaScript, AutoIt, and PowerShell throughout the infection chain.
Downloaded files are heavily obfuscated, often disguising malicious content as bulky MP4 files filled with junk data, within which the actual JavaScript payload is hidden.
The use of mshta.exe enables the threat actors to execute embedded scripts via HTML tags, employing eval() functions to decode and trigger subsequent payloads.
Attack Employs Advanced Obfuscation
At the core of the infection chain lies AutoIt, a legitimate automation scripting tool, which is used to further drop and execute additional obfuscated scripts.
The main AutoIt payload fetches and executes supplementary components, such as “Guard.exe” and associated AutoIt scripts, using a layered file-writing and execution technique.
Persistence is established by creating internet shortcut files in the Windows Startup directory, ensuring that crafted JavaScript and AutoIt binaries are automatically launched on system reboot.
The campaign also utilizes sophisticated anti-analysis and evasion tactics. The AutoIt scripts are obfuscated using tools like CypherIT and include multiple environmental checks to detect and avoid execution within antivirus sandboxes or on systems with specific security processes running.
For example, the script verifies if usernames or computer names match those commonly used in testing environments and checks for the presence of AV-related processes like Bitdefender’s “bdagent.exe” or Avast’s “avastui.exe,” altering its behavior or halting execution if detected.
A key technical highlight of the attack involves the use of process hollowing, a well-known but effective technique for code injection.
The malware creates a legitimate Windows process in a suspended state using either AppLaunch.exe or jsc.exe depending on the security software identified and injects a .NET payload into its address space.
Modification of the process’ parent-child relationship further complicates detection, as explorer.exe is set as the parent process, blending the malicious activity into normal system operations.
Once injected, the payload functions as a .NET loader, decrypting an embedded and obfuscated DLL using AES 256 in CBC mode and decompressing it via GZip.
This final payload is identified as PureHVNC RAT, a modular tool that offers attackers full remote access to the compromised system, file upload and download capabilities, and the potential to deploy additional malware at will.
The strategic use of multi-stage payload delivery, targeted social engineering, and layered obfuscation techniques make this PureHVNC campaign notably resilient against traditional endpoint defenses.
Its modular structure allows attackers to refine infection vectors and update payloads rapidly, complicating mitigation efforts for defenders.
Security researchers continue to monitor the evolution of PureHVNC’s Tactics, Techniques, and Procedures (TTPs) as they adapt to circumvent both legacy and next-generation endpoint protections.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
