Attackers Utilize Obfuscation Tools for Multi-Stage Malware Delivery via Invoice Phishing

Cybersecurity researchers have uncovered a complex multi-stage attack that uses invoice-themed phishing decoys to distribute several malware families, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer.

All about the malware

Email messages contain Scalable Vector Graphics (SVG) file attachments that, when clicked, trigger the infection sequence, as detailed in a technical report by Fortinet FortiGuard Labs.

The operation stands out for its use of the BatCloak malware obfuscation engine and ScrubCrypt to distribute malware through obfuscated batch scripts.

BatCloak, available for purchase by other threat actors since late 2022, is rooted in another tool called Jlaive. Its key function is to load a next-stage payload while evading traditional detection methods.

ScrubCrypt, initially identified by Fortinet in March 2023 during a cryptojacking campaign attributed to the 8220 Gang, is believed to be a variation of BatCloak, as per Trend Micro’s research last year.

In the latest campaign, the SVG file drops a ZIP archive containing a BatCloak-generated batch script, which unpacks the ScrubCrypt batch file to execute Venom RAT while establishing persistence and bypassing AMSI and ETW protections.
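The initial vector described above, an SVG attachment that carries and drops a ZIP archive, can be screened at the mail gateway before a user ever clicks it. The following Python is an added defender-side example, not code from Fortinet's report or this article; the message, sender, filename and ZIP bytes are constructed placeholders.

```python
import base64
import email
import re
from email import policy

# Constructed lure: an invoice-themed message with an SVG attachment whose
# <script> element holds a base64 blob that decodes to a ZIP ("PK" signature).
FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 32).decode()
LURE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>var p="'
            + FAKE_ZIP + '";</script></svg>')
SAMPLE_EML = (
    'From: billing@example.invalid\nSubject: Invoice #4471 overdue\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nPlease see the attached invoice.\n'
    '--b1\nContent-Type: image/svg+xml; name="invoice.svg"\n'
    'Content-Disposition: attachment; filename="invoice.svg"\n'
    'Content-Transfer-Encoding: base64\n\n'
    + base64.b64encode(LURE_SVG.encode()).decode() + '\n--b1--\n'
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def svg_indicators(svg: bytes) -> list:
    """Return the reasons an SVG attachment looks like a dropper, in order."""
    text = svg.decode("utf-8", "replace")
    reasons = []
    if re.search(r"<script\b", text, re.I):
        reasons.append("script-element")          # active content in an "image"
    if re.search(r"\bon\w+\s*=", text, re.I):
        reasons.append("event-handler")           # onload= and similar
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if decoded.startswith(b"PK\x03\x04"):      # embedded ZIP archive
            reasons.append("embedded-zip")
            break
    return reasons

def scan_message(raw: str) -> dict:
    """Map each SVG attachment's filename to its indicator list."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".svg") or part.get_content_type() == "image/svg+xml":
            findings[name] = svg_indicators(part.get_payload(decode=True))
    return findings
```

Any non-empty indicator list is grounds to quarantine the message; a legitimate invoice image has no reason to carry script or an archive.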

Venom RAT, a Quasar RAT fork, empowers attackers to seize control of compromised systems, gather sensitive data, and execute commands from a command-and-control (C2) server.

Security researcher Cara Lin stated, “While Venom RAT’s core functionality may seem simple, it establishes communication with the C2 server to acquire additional plugins for various tasks.” These include Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.

Lin added, “This [Remcos RAT] plugin was disseminated from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and GuLoader PowerShell.”

The plugin system also delivers a stealer that collects system information and exfiltrates data from wallet and application folders, including Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram, to a remote server, Lin noted in her analysis of the attack, which relies on obfuscation and evasion techniques to deliver VenomRAT through ScrubCrypt.

“The attackers utilize diverse methods such as phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell to infiltrate victim systems, showcasing the adaptability of the attack campaign demonstrated by deploying plugins through various payloads.”

IOCs
