Cybersecurity researchers have uncovered a sophisticated multi-stage attack that uses invoice-themed phishing lures to deliver malware families such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets cryptocurrency wallets.
Fortinet FortiGuard Labs said in a technical report that the emails carried scalable vector graphics (SVG) file attachments that, when clicked, initiate the infection sequence.
The modus operandi is notable for using the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.
BatCloak, which has been sold to other threat actors since late 2022, is based on another tool called Jlaive. Its main function is to load the next-stage payload in a way that bypasses traditional detection mechanisms.
ScrubCrypt is a crypter first documented by Fortinet in March 2023 in connection with cryptojacking campaigns orchestrated by the 8220 Gang; Trend Micro research last year assessed ScrubCrypt as one of the iterations of BatCloak.
In the latest campaign analyzed by the cybersecurity firm, the SVG files serve as conduits for dropping ZIP files that contain batch scripts likely created with BatCloak. Those scripts then unpack the ScrubCrypt batch file, which ultimately executes Venom RAT, but not before establishing persistence on the host and taking steps to bypass AMSI and ETW protections.
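The first stage described above, an SVG attachment that acts as a dropper for a ZIP archive, is something a mail gateway or sandbox can check for before the file ever reaches a user. The following Python is an added detection example, not code from the Fortinet report or from this article; it parses an SVG, flags inline `<script>` elements and event-handler attributes, and decodes any base64 `data:` URIs to see whether the embedded bytes begin with the ZIP magic `PK\x03\x04`. The two SVG samples are constructed for the example and are not artefacts from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample (not from the campaign): an SVG carrying an inline <script>,
# an onclick handler and a base64 data: URI whose decoded bytes start with the
# ZIP magic, mirroring the "SVG drops a ZIP" pattern the article describes.
ZIP_MAGIC = b"PK\x03\x04"
_FAKE_ZIP = base64.b64encode(ZIP_MAGIC + b"constructed-zip-bytes").decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onclick="drop()"/>
  <script type="text/javascript">
    function drop() {{
      var a = document.createElement('a');
      a.href = "data:application/zip;base64,{_FAKE_ZIP}";
      a.download = "invoice.zip";
      a.click();
    }}
  </script>
</svg>"""

# Benign control: a plain drawing with no script, handlers or data: URIs.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"
DATA_URI_RE = re.compile(r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)")
IMAGE_MIMES = ("image/png", "image/jpeg", "image/gif", "image/webp")


def analyse_svg(svg_text: str) -> Dict[str, object]:
    """Return indicators that an SVG behaves as a dropper rather than an image."""
    findings: List[str] = []
    root = ET.fromstring(svg_text)

    # Walk every element: scripts and on* handlers have no place in a mail image.
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            findings.append("inline <script> element")
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {attr} on <{tag}>")

    # Decode embedded data: URIs and look at what they actually contain.
    for mime, b64 in DATA_URI_RE.findall(svg_text):
        try:
            payload = base64.b64decode(b64, validate=True)
        except ValueError:
            findings.append(f"malformed base64 data: URI ({mime})")
            continue
        if payload.startswith(ZIP_MAGIC):
            findings.append(f"embedded ZIP archive in data: URI ({mime})")
        elif mime not in IMAGE_MIMES:
            findings.append(f"non-image data: URI ({mime})")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, svg in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        result = analyse_svg(svg)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The check is deliberately content-based rather than extension-based: the attachment is a legitimate SVG as far as the MIME type goes, so the useful signal is the presence of script, handlers, or a non-image payload hidden inside it. In a gateway this would be one of several verdict inputs; a clean result here says nothing about the later batch-script and ScrubCrypt stages.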
Venom RAT is a fork of Quasar RAT that allows attackers to seize control of infected systems, collect sensitive information, and execute commands received from command and control (C2) servers.
“While the main program of Venom RAT may appear simple, it maintains a communication channel with the C2 server to obtain additional plug-ins for various activities,” said security researcher Cara Lin. These include Venom RAT v6.0.3, NanoCore RAT, XWorm and Remcos RAT with keylogging capabilities.
“The [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs’, ScrubCrypt, and Guloader PowerShell,” Lin added.
The plugin system also delivers a stealer that collects system information and exfiltrates data from folders associated with wallets and applications such as Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (discontinued in March 2023), Zcash, Foxmail and Telegram to a remote server.
“This analysis reveals a sophisticated attack that leverages multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt,” said Lin.
“The attackers used a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Additionally, the campaign was highlighted by the deployment of plugins through different payloads, showing versatility and adaptability.”