ScrubCrypt Hacking Tool Delivers 4 Different Malware Via SVG File To Attack Windows


Attackers are using phishing emails with SVG attachments to trick users into downloading a ZIP file that contains a malicious batch script. The script, obfuscated with BatCloak, stages ScrubCrypt, which in turn deploys VenomRAT on the compromised Microsoft Windows machine.

VenomRAT then connects to its command-and-control (C2) server and downloads additional malware, including Remcos, XWorm, NanoCore and a cryptocurrency-wallet stealer. The chain illustrates the layered obfuscation and loader stages attackers use to get past traditional security solutions.

Attack chain

A phishing email with a malicious SVG attachment starts the chain. When the recipient opens the SVG in a browser, script embedded in the image file drops a ZIP file containing an obfuscated batch script. No browser vulnerability is needed for this: an SVG can carry script, and the browser runs it when the attachment is opened.

Figure: Phishing email
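A triage check for the attachment stage described above, written for this article as an added example (it is not Fortinet's tooling or anything from the campaign). It parses an SVG, reports any script elements or event-handler attributes, and looks for Base64 runs that decode to a ZIP or PE header, which is how an SVG would carry a file for the browser to save. The sample SVG is constructed; the "save as document.zip" comment inside it stands in for the real dropper logic, which the article does not reproduce.

```python
"""Triage an SVG attachment for embedded script and smuggled payloads (added example)."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# A long run of Base64 alphabet characters, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# File headers worth flagging if a decoded blob starts with them.
MAGICS = {b"PK\x03\x04": "zip", b"MZ": "pe"}


def find_scripts(svg_text):
    """Return (kind, snippet) for <script> elements and on* handler attributes."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            found.append(("script", (el.text or "").strip()[:80]))
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):  # onload=, onclick=, ...
                found.append((attr, val[:80]))
    return found


def find_smuggled_blobs(svg_text):
    """Return (kind, decoded_length) for Base64 runs that decode to a known header."""
    hits = []
    for m in B64_RE.finditer(svg_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue
        for magic, kind in MAGICS.items():
            if raw.startswith(magic):
                hits.append((kind, len(raw)))
    return hits


def triage(svg_text):
    scripts = find_scripts(svg_text)
    blobs = find_smuggled_blobs(svg_text)
    verdict = "suspicious" if scripts or blobs else "clean"
    return {"verdict": verdict, "scripts": scripts, "blobs": blobs}


# Constructed samples: a fake ZIP (just the header plus padding) smuggled in a
# script element, and a plain image with no script at all.
FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1"/>
  <script><![CDATA[
    var b = "{FAKE_ZIP}";
    // decode b and save it as document.zip (dropper logic elided)
  ]]></script>
</svg>"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    print(triage(SAMPLE_SVG))
    print(triage(CLEAN_SVG))
```

A mail gateway can apply the same two checks cheaply: an SVG that a user is expected to view should contain no script at all, and a decoded blob with a ZIP or PE header inside an image is never legitimate.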

The batch script, likely generated by BatCloak, uses PowerShell to download a payload disguised as an image file ("pointer.png"), runs it in a hidden window and then deletes the traces of its own activity.

Figure: Decoded data "pointer.png"

ScrubCrypt, a malicious batch script dropped as "pointer.cmd", carries its payloads as Base64-encoded, AES-CBC-encrypted blobs that it decrypts to recover two components.

Figure: ScrubCrypt batch file

According to Fortinet, the first component handles persistence. It checks for administrator rights: if it has them, it creates a scheduled task named "OneNote 83701" that runs the script at logon with elevated privileges; otherwise it copies itself to the Startup folder.

It then loads and executes a .NET assembly containing VenomRAT. The second component bypasses AMSI and ETW so that the loaded assembly is neither scanned nor traced.

Figure: Invoke VenomRAT
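A hunt for the two persistence paths just described, added here as an example and not taken from Fortinet's report or the article. It parses the CSV that `schtasks /query /fo csv /v` produces and a listing of the user's Startup folder, flagging logon-triggered tasks that launch a script host or anything from a user-writable directory, and Startup items with script or executable extensions. The CSV rows and the folder listing are constructed; the column names ("TaskName", "Task To Run", "Schedule Type") match schtasks' verbose output, and the task name is the one the article reports.

```python
"""Hunt for scheduled-task and Startup-folder persistence (added example)."""
import csv
import io
import re

# Directories a non-admin user can write to; a logon task pointing here is unusual.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Interpreters that a loader like ScrubCrypt runs through.
SCRIPT_HOSTS = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)
# Startup-folder items worth a look (.lnk is excluded: shortcuts are common and need
# their target resolved before judging them).
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".hta", ".exe")


def suspicious_tasks(schtasks_csv):
    """Return (task name, command) for logon tasks that look like loader persistence."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        cmd = row.get("Task To Run", "")
        at_logon = "logon" in row.get("Schedule Type", "").lower()
        risky_path = bool(USER_WRITABLE.search(cmd))
        script_host = bool(SCRIPT_HOSTS.search(cmd))
        if at_logon and (risky_path or script_host):
            hits.append((row["TaskName"], cmd))
    return hits


def suspicious_startup_items(filenames):
    """Return Startup-folder entries that are scripts or executables."""
    return [name for name in filenames if name.lower().endswith(SCRIPT_EXTS)]


# Constructed excerpt of `schtasks /query /fo csv /v` output (real output has more
# columns; the parser keys on header names so extra columns do not matter).
SCHTASKS_CSV = r'''
"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\OneNote 83701","C:\Users\alice\AppData\Roaming\pointer.cmd","At logon time","alice"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Multiple schedule types","SYSTEM"
"WS01","\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Daily","SYSTEM"
'''.strip()

# Constructed listing of %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
STARTUP_LISTING = ["desktop.ini", "OneDrive.lnk", "pointer.cmd"]

if __name__ == "__main__":
    for name, cmd in suspicious_tasks(SCHTASKS_CSV):
        print(f"task {name!r} -> {cmd}")
    for name in suspicious_startup_items(STARTUP_LISTING):
        print(f"startup item {name}")
```

On a live host, feed it `schtasks /query /fo csv /v` and a directory listing of the per-user and all-users Startup folders; the task-name match is only a bonus, since the name is trivially changed while the logon trigger and the user-writable path are what the technique needs.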

VenomRAT plugins

VenomRAT, a RAT derived from QuasarRAT, uses a Base64-encoded, AES-CBC-encrypted configuration to establish its connection to the C2 server. After an initial check-in that transmits victim information, VenomRAT keeps the channel open to receive additional plugins.

Plugins arrive as "save_Plugin" directives and are typically DLLs such as "SendFile.dll", which parse further instructions once "plug_in" data arrives from the C2 server.

Figure: Saved plugin data in the registry

What each plugin does appears to depend on the filename extracted from the directive; among other things, they can run PowerShell commands for various malicious purposes.

Figure: VenomRAT uses "SendFile.dll" to invoke plugin data

ScrubCrypt deploys VenomRAT v6.0.3. This build includes a keylogger, is wrapped in a heavily obfuscated script inside ScrubCrypt, and bypasses AMSI and ETW.

VenomRAT then steals various data and sends it to a C2 server whose address is hosted on Pastebin.

Figure: VenomRAT with Grabber and Keylogger

NanoCore is delivered through an obfuscated VBS script on the compromised device that downloads a steganographic image. The .NET malware encoded inside the image data establishes persistence, checks for a virtual environment, fetches additional data and finally executes NanoCore via RegAsm.

Figure: NanoCore
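Two stages above abuse image files: the first-stage payload is downloaded under an image name ("pointer.png") but is really a script, and the NanoCore stage hides encoded .NET code inside an image. The helper below, an added example and not code from Fortinet or the article, covers both checks: it compares a file's magic bytes with its extension, and for a genuine PNG it walks the chunk list and carves whatever follows the IEND chunk, Base64-decoding it and testing for an "MZ" PE header. Appending the payload after IEND is an assumption made here for illustration; the article does not say how the NanoCore image stores its data. The PNG and the payloads are constructed in memory.

```python
"""Extension-vs-magic check and post-IEND carving for PNGs (added example)."""
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC_BY_EXT = {"png": PNG_SIG, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def extension_matches_magic(name, data):
    """True only if the extension is a known image type and the header agrees."""
    ext = name.rsplit(".", 1)[-1].lower()
    magic = MAGIC_BY_EXT.get(ext)
    return magic is not None and data.startswith(magic)


def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def carve_trailing_payload(data):
    """Return bytes appended after IEND (Base64-decoded when they are valid Base64)."""
    end = png_end_offset(data)
    if end is None or end >= len(data):
        return None
    tail = data[end:].strip()
    try:
        return base64.b64decode(tail, validate=True)
    except Exception:
        return tail  # appended raw bytes, not Base64


def triage_image(name, data):
    result = {"ext_matches": extension_matches_magic(name, data), "payload": None}
    payload = carve_trailing_payload(data)
    if payload:
        result["payload"] = "pe" if payload.startswith(b"MZ") else "unknown"
    return result


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(extra=b""):
    """Minimal valid 1x1 PNG skeleton (IHDR + IEND) with optional appended data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"") + extra


# Constructed samples: a batch script saved under a .png name, and a PNG with a
# Base64-encoded fake PE (just the "MZ" header plus filler) appended after IEND.
DISGUISED_SCRIPT = b"@echo off\r\npowershell -w hidden -c \"...\"\r\n"
FAKE_PE = b"MZ" + b"\x90" * 30
STEGO_PNG = make_png(base64.b64encode(FAKE_PE))

if __name__ == "__main__":
    print(triage_image("pointer.png", DISGUISED_SCRIPT))
    print(triage_image("photo.png", make_png()))
    print(triage_image("photo.png", STEGO_PNG))
```

A real stego sample may instead spread the payload across pixel data or a private chunk, so a mismatch-free, IEND-terminated PNG is not proof of innocence; the magic-vs-extension check, on the other hand, catches the "pointer.png" trick outright.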

XWorm is injected through a VBS script that VenomRAT delivers disguised as a plugin. The VBS triggers a PowerShell download of the next stage, which is padded with junk comments for obfuscation and uses process hollowing to inject XWorm's final shellcode.

Figure: XWorm

Remcos is a RAT marketed as remote management software that gives attackers full control of a compromised system; here it is delivered through the same phishing-driven chain. Its configuration is stored encrypted in the "SETTINGS" resource and can be decrypted to reveal the details of its operation.

Figure: ScrubCrypt .NET file loads Remcos from resource data "P"
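The article only states that the Remcos configuration sits encrypted in the "SETTINGS" resource. The decoder below is an added example, not Fortinet's or the article's code, and the layout it assumes follows public Remcos analyses rather than anything on this page: byte 0 of the resource is the RC4 key length, the key follows, and the rest is the RC4-encrypted configuration, with fields separated by `|\x1e\x1e\x1f|` and the first field holding host:port:password. The resource blob is constructed here with a fake C2 value so the example runs offline.

```python
"""Decrypt a Remcos-style SETTINGS resource: [key_len][key][RC4(config)] (added example)."""

SEP = b"|\x1e\x1e\x1f|"  # field separator assumed from public analyses


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the same function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob):
    """Split a SETTINGS blob into its decrypted fields."""
    key_len = blob[0]
    if key_len == 0 or 1 + key_len >= len(blob):
        raise ValueError("not a SETTINGS-style blob")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(SEP)


def parse_config(fields):
    """Pull out the fields an analyst wants first: C2 endpoint and botnet name."""
    host, port, password = fields[0].decode("latin-1").split(":")
    return {
        "host": host,
        "port": int(port),
        "password": password,
        "botnet": fields[1].decode("latin-1"),
    }


def build_settings(key, fields):
    """Inverse of decrypt_settings, used only to construct the sample blob."""
    return bytes([len(key)]) + key + rc4(key, SEP.join(fields))


# Constructed sample: fake key, fake C2, botnet tag, and one flag field.
SAMPLE_BLOB = build_settings(
    b"examplekey",
    [b"c2.example.invalid:2404:pass", b"RemoteHost", b"1"],
)

if __name__ == "__main__":
    fields = decrypt_settings(SAMPLE_BLOB)
    print(parse_config(fields))
```

To use it on a real sample, extract the RCDATA resource named SETTINGS with a PE resource tool and pass the raw bytes to `decrypt_settings`; if the first field does not split into host:port:password, the sample is probably a version with a different separator, and the split should be adjusted rather than the RC4 step.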

The stealer plugin, delivered through obfuscated VBS and .NET stages, injects a payload that targets cryptocurrency wallets, Foxmail and Telegram. It locates the relevant applications by file path and registry key, then sends the stolen data, together with the execution path, to the C2 server.

Figure: Hardcoded payload

The Indicators of Compromise (IOCs) include URLs, likely used for C2 communication, that point to image-named files and obfuscated content; domain names, mostly subdomains under duckdns.org, that may host malware or phishing pages; and a list of file hashes for the malware samples.
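A matcher for those three IOC categories, added as an example and not taken from the article or Fortinet's IOC list. It scans constructed DNS query-log lines and flags exact IOC domains as well as any query for a subdomain of duckdns.org (the dynamic-DNS service the reported domains share), checks URLs for image-named paths on such hosts, and matches file hashes against an IOC set. The domains, URL and hashes below are placeholders, not the real indicators.

```python
"""Match DNS queries, URLs and hashes against the reported IOC categories (added example)."""
import re
from urllib.parse import urlparse

DYNDNS_SUFFIXES = ("duckdns.org",)
IOC_DOMAINS = {"example-c2.duckdns.org"}   # placeholder, not a real IOC
IOC_HASHES = {"0" * 64}                    # placeholder SHA-256, not a real IOC
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")

# BIND-style query log: "... query: <qname> IN <qtype> ..."
LOG_RE = re.compile(r"query: (?P<qname>[\w.-]+) IN (?P<qtype>\w+)")


def classify_query(qname):
    """'ioc-domain' for an exact hit, 'dyndns' for any duckdns.org subdomain, else None."""
    q = qname.rstrip(".").lower()
    if q in IOC_DOMAINS:
        return "ioc-domain"
    if any(q.endswith("." + suffix) for suffix in DYNDNS_SUFFIXES):
        return "dyndns"
    return None


def scan_dns_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify_query(m["qname"])
        if verdict:
            hits.append((m["qname"], verdict))
    return hits


def suspicious_image_url(url):
    """Image-named path served from an IOC or dynamic-DNS host, as in the reported URLs."""
    parsed = urlparse(url)
    host_verdict = classify_query(parsed.hostname or "")
    return host_verdict is not None and parsed.path.lower().endswith(IMAGE_EXTS)


def match_hashes(observed):
    return {h.lower() for h in observed} & IOC_HASHES


# Constructed log lines and telemetry.
SAMPLE_DNS_LOG = [
    "12-Apr-2024 10:02:11.113 client 10.0.0.5#53211: query: example-c2.duckdns.org IN A + (10.0.0.1)",
    "12-Apr-2024 10:02:12.004 client 10.0.0.7#49152: query: update.microsoft.com IN A + (10.0.0.1)",
    "12-Apr-2024 10:02:15.771 client 10.0.0.5#53212: query: other-host.duckdns.org IN A + (10.0.0.1)",
]
SAMPLE_HASHES = ["0" * 64, "a" * 64]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(suspicious_image_url("http://other-host.duckdns.org/pointer.png"))
    print(match_hashes(SAMPLE_HASHES))
```

The broad dynamic-DNS rule will fire on legitimate hobbyist hosts too, so treat "dyndns" hits as a lead to be joined with process telemetry (a PowerShell download from such a host is the pattern here), while "ioc-domain" and hash hits are actionable on their own.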


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Co-Founder & Editor-in-Chief - Cyber Press Inc.,
