
Hackers have once again employed rarely used yet remarkably effective techniques to compromise systems—this time by disguising malware as VBScript files bearing the .VBE extension. A campaign uncovered by Seqrite Labs reveals the deployment of an enhanced variant of the Masslogger infostealer, underscoring the escalating sophistication of phishing operations where malicious payloads never touch the disk, instead operating entirely from within the Windows Registry.
The attack is initiated via the execution of an encrypted .VBE script, which is decrypted in memory and layered with obfuscation designed to thwart analysis. The payload proceeds to construct a complex architecture of keys and values under the HKCU\Software branch of the Windows Registry, storing fragments of the primary malicious module—each approximately 25,000 characters in length. To ensure persistence, a task is registered in the Windows Task Scheduler to execute a script every minute that simulates user input and triggers the loading of the payload through PowerShell.
The installation unfolds in multiple stages. First, a compact .NET binary—Stager-1—is retrieved from the registry and executed to activate Stager-2, which ultimately deploys the core Masslogger module via injection into the legitimate AddInProcess32.exe process. This technique, known as process hollowing, enables the malware to operate invisibly, even under the scrutiny of advanced security solutions.
In its final phase, Masslogger pivots toward harvesting sensitive information. It captures login credentials from browsers (including Chrome), intercepts data from email clients, records keystrokes, and monitors user activity. The exfiltrated data can be transmitted via multiple channels—FTP, SMTP, or the Telegram Bot API—with the necessary credentials hardcoded directly into the malware.

Of particular note is its anti-analysis mechanism. The malware inspects registry keys to determine the presence of active antivirus solutions and aborts execution if it detects multiple concurrent security layers. Furthermore, a geo-targeted behavior was observed: if the system is identified as French, the malware attempts to fetch an additional payload from a hardcoded URL, which was inaccessible at the time of analysis.
As the final step in its infection cycle, the malware wipes its traces: processes such as conhost.exe and PowerShell.exe are terminated to erase command history and purge residual memory artifacts.
This campaign highlights the critical importance of implementing behavioral analytics and registry monitoring as foundational pillars of cybersecurity defense. Traditional signature-based methods are powerless against such multi-layered, memory-resident threats—especially when no artifacts are written to disk.
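The registry monitoring and behavioral analytics recommended above can be expressed as a small correlation over endpoint telemetry. The following Python script is an added example written for this article; it is not code from Seqrite Labs or from the malware. It takes Sysmon-style event records (EventID 1 process creation, EventID 13 registry value set; field names follow Sysmon's EventData) and looks for three behaviours described in the report: oversized string values written under HKCU\Software, a scheduled task created with a one-minute schedule whose action runs PowerShell, and AddInProcess32.exe being spawned by a PowerShell host. The sample events, the host names, the 20,000-character threshold, the assumption that the collector stores the full value data in `Details`, and the assumption that the hollowed AddInProcess32.exe has a PowerShell parent are all constructed for the example.

```python
"""
Added detection example (not from the Seqrite report or the malware):
correlate registry-staged payload fragments, a minute-interval scheduled
task launching PowerShell, and AddInProcess32.exe started by PowerShell,
over Sysmon-style event records. All sample data below is constructed.
"""
import re

# Fragments in the report are roughly 25,000 characters; 20,000 leaves margin.
LARGE_VALUE_THRESHOLD = 20_000

# Sysmon reports HKCU paths as HKU\<SID>\...; accept both spellings.
HKCU_SOFTWARE_RE = re.compile(r"^(HKCU|HKU\\S-1-[0-9-]+)\\Software\\", re.IGNORECASE)
MINUTE_TASK_RE = re.compile(r"/sc\s+minute", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"powershell|pwsh", re.IGNORECASE)

# Constructed sample events. Assumption: the collector keeps the full value
# data in "Details"; if your pipeline truncates it, size the values with a
# direct registry scan instead of relying on this field.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "EventType": "SetValue",
     "TargetObject": r"HKCU\Software\UpdaterCache\part1", "Details": "A" * 25_000},
    {"EventID": 13, "Computer": "WS01", "EventType": "SetValue",
     "TargetObject": r"HKCU\Software\UpdaterCache\part2", "Details": "B" * 25_000},
    {"EventID": 13, "Computer": "WS01", "EventType": "SetValue",   # benign, short value
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"schtasks.exe" /create /sc minute /mo 1 /tn UpdaterCache '
                    '/tr "powershell -w hidden -c PLACEHOLDER_LOADER" /f'},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "AddInProcess32.exe /guid:PLACEHOLDER /pid:PLACEHOLDER"},
    {"EventID": 1, "Computer": "WS02",                            # benign daily task
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"schtasks.exe" /create /sc daily /tn Backup /tr backup.cmd'},
]


def _basename(path):
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def large_registry_values(events, threshold=LARGE_VALUE_THRESHOLD):
    """EventID 13 SetValue under HKCU\\Software whose data is suspiciously large."""
    return [e["TargetObject"] for e in events
            if e.get("EventID") == 13 and e.get("EventType") == "SetValue"
            and HKCU_SOFTWARE_RE.match(e.get("TargetObject", ""))
            and len(e.get("Details", "")) >= threshold]


def minute_tasks_launching_powershell(events):
    """schtasks.exe creating a one-minute task whose action runs PowerShell."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or _basename(e.get("Image", "")) != "schtasks.exe":
            continue
        cmd = e.get("CommandLine", "")
        if "/create" in cmd.lower() and MINUTE_TASK_RE.search(cmd) and POWERSHELL_RE.search(cmd):
            hits.append(cmd)
    return hits


def addinprocess_from_powershell(events):
    """AddInProcess32.exe spawned by a PowerShell host (heuristic; assumed parent)."""
    return [e["ParentImage"] for e in events
            if e.get("EventID") == 1
            and _basename(e.get("Image", "")) == "addinprocess32.exe"
            and _basename(e.get("ParentImage", "")) in ("powershell.exe", "pwsh.exe")]


def analyze(events):
    """Group findings per host; two or more distinct behaviours escalate the host."""
    hosts = {}
    for host in sorted({e.get("Computer") for e in events}):
        host_events = [e for e in events if e.get("Computer") == host]
        findings = {
            "registry_fragments": large_registry_values(host_events),
            "minute_task": minute_tasks_launching_powershell(host_events),
            "addinprocess_from_powershell": addinprocess_from_powershell(host_events),
        }
        score = sum(1 for v in findings.values() if v)
        hosts[host] = {"findings": findings, "score": score, "escalate": score >= 2}
    return hosts


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if result["escalate"] else "ok", result["findings"])
```

Each rule on its own produces noise (AddInProcess32.exe is a legitimate .NET add-in host, and minute-interval tasks exist in benign software), which is why `analyze` only escalates a host when two or more of the behaviours co-occur. Because the payload never touches disk, the registry size check is the one signal a file scanner cannot provide; on a live host, a periodic enumeration of HKCU\Software for string values above the threshold complements the event-based rule.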