Unveiling the Elaborate Tactics of Multi-Stage Malware Delivery Through Invoice Phishing

Cybercriminals Utilize Advanced Obfuscation Techniques to Deliver Venom RAT and Other Malware

In a recent revelation by cybersecurity experts, a complex multi-stage cyber attack has been unearthed, employing invoice-themed phishing tactics to distribute a plethora of malware including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a cryptocurrency wallet stealer.

The attack mechanism entails the use of email messages containing Scalable Vector Graphics (SVG) file attachments, which trigger the infection sequence upon interaction, as detailed in a report by Fortinet FortiGuard Labs.

A distinguishing feature of this modus operandi is the use of sophisticated obfuscation tools, namely the BatCloak malware obfuscation engine and ScrubCrypt, to deploy the malware via obfuscated batch scripts.

BatCloak, which is based on the earlier Jlaive tool and has been available for purchase in the cybercriminal underground since late 2022, is designed to load subsequent payloads in a manner that evades traditional detection methods.

Moreover, ScrubCrypt, initially identified by Fortinet in March 2023 during a cryptojacking campaign linked to the 8220 Gang, is believed to be an iteration of BatCloak, according to research from Trend Micro.

In the latest wave of attacks scrutinized by cybersecurity analysts, the SVG file acts as a gateway to introduce a ZIP archive housing a batch script likely generated using BatCloak. This script then unpacks the ScrubCrypt batch file, eventually executing Venom RAT after establishing persistence on the compromised system and bypassing various security mechanisms.
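The SVG-as-gateway step described above is something a mail gateway can triage before the attachment ever reaches a user. The following Python function is an added defensive example (not code from the Fortinet report or from any of the tools named here): it flags the traits an SVG needs in order to act as a lure, namely script or foreignObject elements, event-handler attributes, data: URIs (decoding base64 bodies to check for a ZIP signature) and external links. The two SVG samples are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature of a ZIP archive
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Constructed samples (not from the Fortinet report): a plain icon and a lure that
# carries script, an event handler and an embedded base64 ZIP as a data: URI.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="init()"><script>/* placeholder */</script>'
    b'<a xlink:href="data:application/zip;base64,UEsDBBQA"><text>Invoice.zip</text></a></svg>'
)


def _describe_data_uri(value: str) -> str:
    """Classify a data: URI by magic bytes if base64-encoded, else by declared MIME type."""
    header, _, body = value[len("data:"):].partition(",")
    mime = header.split(";")[0] or "text/plain"
    if ";base64" in header:
        try:
            payload = base64.b64decode(body + "=" * (-len(body) % 4))
        except ValueError:
            payload = b""
        if payload.startswith(ZIP_MAGIC):
            return "embedded data: URI carrying ZIP archive"
    return f"embedded data: URI carrying {mime}"


def triage_svg(data: bytes) -> list:
    """Return the reasons an SVG attachment deserves a closer look (empty list = none)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()      # strip the XML namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"active content element <{tag}>")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1]
            if EVENT_ATTR.match(name):
                findings.append(f"event handler attribute {name}")
            elif name == "href" and value.startswith("data:"):
                findings.append(_describe_data_uri(value))
            elif name == "href" and value.startswith(("http://", "https://")):
                findings.append(f"external link {value}")
    return findings
```

Any non-empty result is a reason to quarantine the message for analyst review rather than deliver it, since a legitimate invoice image has no need for script or an embedded archive.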

Venom RAT, derived from Quasar RAT, empowers attackers to seize control of compromised systems, harvest sensitive data, and execute commands received from a command-and-control (C2) server. It also facilitates the deployment of additional plugins for various malicious activities.

Among these plugins, Remcos RAT is distributed via obfuscated VBS scripts, ScrubCrypt, and Guloader PowerShell. Additionally, a stealer module is deployed through the plugin system to extract information from crypto wallets and applications like Atomic Wallet, Electrum, Ethereum, and others, sending the pilfered data to a remote server.

This sophisticated attack underscores the adeptness of cybercriminals in employing multiple layers of obfuscation and evasion techniques to propagate Venom RAT via ScrubCrypt. By leveraging phishing emails, obfuscated script files, and Guloader PowerShell, the attackers demonstrate adaptability and resourcefulness in infiltrating and compromising victim systems.
