Threat actors are using intricate tactics and tools, including ScrubCrypt, an antivirus evasion tool renowned for converting executables into undetectable batch files, to deploy VenomRAT, a potent remote access trojan (RAT).
The attack begins with phishing emails carrying malicious Scalable Vector Graphics (SVG) files. These emails entice unsuspecting victims to open the attachments, which leads to the deployment of VenomRAT, a sophisticated malware with extensive capabilities for system manipulation.
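SVG is XML, so an attachment can carry script elements, inline event handlers and links to external downloads while still rendering as an image. The following scanner is an added example for mail-gateway or triage tooling; it is not code from the Fortinet report or from any product, and the two SVG documents it checks are constructed samples. It flags the features that let an SVG execute or redirect rather than matching any specific campaign.

```python
"""Flag SVG attachments whose content can execute code or redirect the viewer.

Added example for attachment triage; the samples below are constructed and
the set of risky elements/attributes is an assumption, not a complete list.
"""
import re
import xml.etree.ElementTree as ET

# Elements that allow script or embedded foreign content inside SVG.
RISKY_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that execute or inline content, and schemes that fetch remotely.
RISKY_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)
EXTERNAL_URL = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return (reason, detail) findings for one SVG document; empty means clean."""
    findings = []
    try:
        # Note: for untrusted input in production, prefer defusedxml to guard
        # against entity-expansion attacks that ElementTree does not block.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("malformed-xml", str(exc))]
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in RISKY_ELEMENTS:
            findings.append(("active-element", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):            # onload, onclick, onmouseover ...
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name in ("href", "src"):        # plain href and xlink:href both end up here
                if RISKY_URL.match(value):
                    findings.append(("script-url", value[:60]))
                elif EXTERNAL_URL.match(value):
                    findings.append(("external-ref", value[:60]))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway-style verdict: any finding is enough to quarantine for review."""
    return bool(scan_svg(data))


# Constructed samples: a plain shape, and a document with an event handler,
# a script element and an outbound link (placeholder values, no real payload).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SUSPECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="placeholder()">
  <script>/* constructed placeholder */</script>
  <a xlink:href="https://example.invalid/attachment.zip"><text>Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, scan_svg(doc))
```

The verdict is deliberately strict: a static image has no reason to carry `<script>`, `on*` handlers or links to remote archives, so any hit is worth a human look even though some legitimate interactive SVGs will be caught.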
ScrubCrypt plays a strategic role in the attack’s evasion and persistence strategies. It employs AES-CBC decryption and GZIP compression to obfuscate its payloads, rendering them obscure to security systems. This level of obfuscation extends to the BatCloak tool, which is used to obscure batch files and further evade detection.

Upon successful execution, VenomRAT establishes a connection with a command and control (C2) server, granting threat actors remote control over compromised systems. The attack’s sophistication is evident in VenomRAT’s ability to bypass security measures like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), enabling it to operate stealthily within victim environments.
Fortinet researchers discovered that the attackers enhanced their capabilities by deploying plugins alongside VenomRAT. These plugins, including NanoCore, Remcos, XWorm, and a specialised stealer for crypto wallets, expanded the attack’s reach, facilitating keylogging, data theft, and unauthorised system access.
NanoCore, a notorious RAT known for remote control functionalities, is distributed via obfuscated VBS files and employs steganographic methods to conceal malicious code within images. Remcos, originally legitimate remote management software, is repurposed to gain complete control over compromised systems, capturing sensitive information like keystrokes and credentials.

The attackers maintain sophisticated evasion and persistence techniques throughout the process. ScrubCrypt’s cluttered and obfuscated batch files and VenomRAT’s use of scheduled tasks and PowerShell commands create layers of obfuscation against detection and mitigation efforts.
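Scheduled-task persistence that launches PowerShell leaves a recognisable footprint in process-creation telemetry: a `schtasks /create` whose action is a PowerShell command, and later a PowerShell process whose parent is the Task Scheduler service host. The scorer below is an added example of detection logic for such telemetry; it is not from the Fortinet report. The JSON field names (`image`, `parent_image`, `parent_cmdline`, `cmdline`) are an assumption modelled on Sysmon-style events, the four log lines are constructed, and the feature weights are illustrative.

```python
"""Score process-creation events for scheduled-task + PowerShell persistence.

Added example for a log-analysis pipeline. Field names, sample events and
weights are assumptions, not any product's schema or a vendor's rule set.
"""
import json
import re
from typing import Dict, List, Optional

# (pattern, label, weight): command-line features worth flagging. Weights are
# chosen so that one weak feature (e.g. -NoProfile) never alerts on its own.
FEATURES = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden-window", 2),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+"), "encoded-command", 3),
    (re.compile(r"(?i)(^|\s)-(ep|ex|executionpolicy)\s+bypass"), "execution-policy-bypass", 2),
    (re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"), "no-profile", 1),
    (re.compile(r"(?i)/sc\s+minute\b"), "high-frequency-task", 1),
]
ALERT_THRESHOLD = 3


def analyse_event(ev: Dict) -> Optional[Dict]:
    """Return an alert dict when the event crosses the threshold, else None."""
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    parent = ev.get("parent_image", "").lower()
    parent_cmd = ev.get("parent_cmdline", "").lower()
    reasons: List[str] = []
    score = 0

    # Task registration whose action launches PowerShell.
    if image.endswith("schtasks.exe") and re.search(r"(?i)/create\b", cmd) \
            and re.search(r"(?i)powershell", cmd):
        reasons.append("schtasks-create-powershell")
        score += 3

    # PowerShell started directly by the Task Scheduler service host.
    if image.endswith(("powershell.exe", "pwsh.exe")) \
            and parent.endswith("svchost.exe") and "schedule" in parent_cmd:
        reasons.append("launched-by-task-scheduler")
        score += 2

    # Command-line features, checked wherever a PowerShell invocation appears:
    # the process itself or the action embedded in a schtasks command line.
    if re.search(r"(?i)powershell|pwsh", cmd) or image.endswith("schtasks.exe"):
        for rx, label, weight in FEATURES:
            if rx.search(cmd):
                reasons.append(label)
                score += weight

    if score >= ALERT_THRESHOLD:
        return {"ts": ev.get("ts"), "score": score, "reasons": reasons, "cmdline": cmd}
    return None


def scan_log(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry and return alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = analyse_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events: a task registration, the task firing, a benign task
# query, and an interactive admin script that must not alert.
SAMPLE_LOG = r'''
{"ts": "2024-04-10T09:12:01Z", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr \"powershell -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1\""}
{"ts": "2024-04-10T09:17:00Z", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule", "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1"}
{"ts": "2024-04-10T09:20:30Z", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "schtasks /query /tn Backup"}
{"ts": "2024-04-10T09:25:00Z", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"}
'''

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["score"], alert["reasons"])
```

Scoring rather than single-pattern matching keeps admin automation (`-NoProfile -File`) below the threshold while the registration and the first execution of the task both alert, which gives responders two correlated events to pivot on.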
Furthermore, the attackers demonstrate adaptability by leveraging multiple distribution channels, such as phishing emails, obfuscated scripts, and PowerShell commands via Guloader, ensuring widespread infiltration and operational success.
Researchers have urged organisations to implement advanced threat detection, employee training, endpoint security, and continuous monitoring to mitigate the threat of these attacks.