VenomRAT Attack Chain | Image: Forcepoint
Threat actors are constantly evolving their methods to slip past security measures and deliver malware. A recent report by Forcepoint highlights a particularly insidious technique: using virtual hard disk image files to distribute the VenomRAT malware. This method allows attackers to bypass traditional security measures, infect systems, and exfiltrate data.
The attack begins with a phishing email, often using a purchase order as a lure to entice users to open the attachment. The email carries an archive attachment which, when extracted, reveals a virtual hard disk image (.vhd) file. When the user opens it, the image is mounted as a hard disk drive. Inside, a batch script carries out the malicious activity using PowerShell, sending sensitive information to malicious command-and-control (C2) servers.
The batch file within the .vhd image is heavily obfuscated, employing multiple layers of concealment, including garbage characters, Base64 encoding, and AES encryption. “Threat actors always like to find new ways to deliver malware undetected to target large communities,” and this obfuscation is a key part of their strategy. Once executed, the .bat file spawns a PowerShell script that drops files into the Startup folder to achieve persistence.
The attack doesn’t stop there. The malware exploits legitimate services like Pastebin[.]com to host the C2 server, where exfiltrated data is stored. This clever use of trusted platforms helps the attackers to further evade detection.
In some cases, when the script is executed while PowerShell is running, it drops a .NET compiled executable along with a config file. This .NET file is crucial for network connections, system checks, file/folder/directory modifications, and AES decryption. The report also details the creation of files like “DataLogs_keylog_online.txt” to capture keystrokes and other sensitive data.
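The chain described above (disk image opened from a user folder, batch file on the mounted drive spawning PowerShell, Startup-folder drop, paste-service C2) lends itself to correlated detection. The following is an added example, not code from the Forcepoint report: a small Python scanner applying four rules to constructed Sysmon-style events. The event field names, the `vhd_mount` event type and every sample path and host are assumptions, not indicators from the report.

```python
"""Detect the VHD -> BAT -> PowerShell -> Startup -> Pastebin chain in event logs.
Added example, not code from the Forcepoint report. Event field names, the
'vhd_mount' event type and all sample values below are assumptions."""
import re
from typing import Dict, List

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PASTE_HOSTS = {"pastebin.com"}  # trusted service abused as C2 in the report

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Apply four correlated rules; return one finding string per hit."""
    findings: List[str] = []
    vhd_drives: set = set()  # drive letters assigned to mounted disk images
    for e in events:
        img = e.get("image", "").lower()
        if e["type"] == "vhd_mount" and e["source"].lower().endswith((".vhd", ".vhdx")):
            # Rule 1: a disk image opened from a user-writable path (e.g. an extracted archive)
            if "\\users\\" in e["source"].lower():
                vhd_drives.add(e["drive"].upper())
                findings.append(f"disk image mounted from user path: {e['source']} as {e['drive']}")
        elif e["type"] == "process_create":  # Sysmon event 1 equivalent
            parent = e.get("parent_image", "").lower()
            # Rule 2: a .bat living on the mounted image spawns PowerShell
            if img.endswith("powershell.exe") and parent.endswith(".bat") and parent[:2].upper() in vhd_drives:
                findings.append(f"powershell spawned by batch file on mounted image: {e['parent_image']}")
        elif e["type"] == "file_create":  # Sysmon event 11 equivalent
            # Rule 3: PowerShell writes into the per-user Startup folder (persistence)
            if img.endswith("powershell.exe") and STARTUP_RE.search(e["target"]):
                findings.append(f"startup persistence dropped: {e['target']}")
        elif e["type"] == "network_connect":  # Sysmon event 3 equivalent
            # Rule 4: a script host or a binary under AppData contacts a paste service
            if e["host"].lower() in PASTE_HOSTS and (img.endswith("powershell.exe") or "\\appdata\\" in img):
                findings.append(f"paste-service C2 contact by {e['image']} -> {e['host']}")
    return findings

# Constructed sample telemetry mirroring the chain in the report (not real IoCs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "vhd_mount", "source": r"C:\Users\alice\Downloads\PO_1234\order.vhd", "drive": "E:"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"E:\order.bat"},
    {"type": "file_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\svc.exe", "host": "pastebin.com"},
    {"type": "network_connect", "image": r"C:\Program Files\Browser\browser.exe", "host": "pastebin.com"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four findings, one per rule, while the benign cmd.exe launch and the browser's visit to the paste site produce none; in production the rules would be fed from Sysmon or EDR telemetry rather than an inline list.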
Analysis of the config file reveals the presence of VenomRAT, utilizing HVNC (Hidden Virtual Network Computing) services, and version 6.XX, along with the AES key used for decryption.
“RATs like VenomRAT are pretty common these days and they will continue to use new techniques to deliver malware,” the report concludes. The use of virtual hard disk images to deliver malware is a “unique twist” in the ongoing cat-and-mouse game between cyber defenders and threat actors. As attackers continue to innovate, it is crucial for organizations and individuals to stay vigilant and adopt robust security measures.