Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data

Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.


A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.

The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily VenomRAT version 6, although various other commonly used malware families are also associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.

While the RAT maintains a connection with attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.

Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well as achieving persistence on a victim's network, according to the post.

"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."

VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, converts executables into undetectable batch files, providing "several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.

Phony Invoice Phish

The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached "invoice" that is actually an SVG file named "INV0ICE_#TBSBVS0Y3BDSMMX.svg" and contains embedded base64-encoded data.

If a targeted user opens the SVG file, the embedded ECMAScript creates a new Blob and uses "window.URL.createObjectURL" to drop the decoded data as a ZIP file named "INV0ICE_#TBSBVS0Y3BDSMMX.zip." The decompressed file reveals an obfuscated batch file with an embedded payload that appears to have been created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus programs, Lin explained.
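The in-browser drop described above (script decodes base64, wraps it in a Blob, hands it to createObjectURL) leaves recognisable traces in the SVG itself. The following scanner is an added example, not code from the FortiGuard write-up; the sample SVG and its ZIP-shaped payload are constructed here for the test and are not the campaign's file.

```python
"""Flag SVG files whose embedded script performs a base64 Blob drop (added example)."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# The three browser APIs the technique chains together; two or more in one
# script is treated as suspicious, a single hit on its own is not.
SUSPICIOUS_APIS = ("atob(", "new Blob(", "createObjectURL(")
# A long quoted base64 literal inside the script body.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")

def extract_scripts(svg_text: str) -> list[str]:
    """Return the text of every <script> element in the SVG (namespaced or not)."""
    root = ET.fromstring(svg_text)
    return [el.text for el in root.iter()
            if el.tag in (SVG_NS + "script", "script") and el.text]

def classify_svg(svg_text: str) -> dict:
    """Report which drop APIs appear and the magic bytes of any decodable payload."""
    findings = {"apis": [], "payload_magic": []}
    for script in extract_scripts(svg_text):
        findings["apis"] += [a for a in SUSPICIOUS_APIS
                             if a in script and a not in findings["apis"]]
        for literal in B64_LITERAL.findall(script):
            try:
                head = base64.b64decode(literal, validate=True)[:4]
            except (ValueError, TypeError):
                continue
            # b"PK\x03\x04" is a ZIP local-file header, matching the ZIP drop above.
            findings["payload_magic"].append(head)
    findings["verdict"] = "suspicious" if len(findings["apis"]) >= 2 else "benign"
    return findings

# Constructed sample: a ZIP-shaped blob (header only, not a real archive) inside a script.
SAMPLE_PAYLOAD = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
<script><![CDATA[
var d = atob("{SAMPLE_PAYLOAD}");
var b = new Blob([d]);
var u = URL.createObjectURL(b);
]]></script></svg>"""

if __name__ == "__main__":
    print(classify_svg(SAMPLE_SVG))
```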

The embedded script initially copies a PowerShell execution file to "C:\Users\Public\xkn.exe" and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as "pointer.png," which is later executed as "pointer.cmd" and deletes all the previously executed files.
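Copying the PowerShell host to "C:\Users\Public\xkn.exe" means process telemetry will show a binary whose PE original filename is PowerShell.EXE running under a different name from a world-writable folder. The triage below is an added example, not FortiGuard's code; the events are constructed, modelled on Sysmon Event ID 1 fields, and only the xkn.exe path comes from the write-up.

```python
"""Flag renamed PowerShell hosts in process-creation telemetry (added example)."""
import ntpath

# Constructed events; field names follow Sysmon Event ID 1, values are made up
# apart from the C:\Users\Public\xkn.exe path reported in the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\xkn.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\notes.exe",
     "OriginalFileName": "notes.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Names under which the Windows PowerShell host legitimately runs.
EXPECTED_HOST_NAMES = {"powershell.exe", "powershell_ise.exe"}
PUBLIC_DIR = "c:\\users\\public\\"

def rename_suspicion(event: dict) -> list[str]:
    """Return the reasons an event looks like a renamed PowerShell copy (empty = clean)."""
    reasons = []
    image = event["Image"]
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    if original == "powershell.exe" and name not in EXPECTED_HOST_NAMES:
        reasons.append(f"PE original name is PowerShell.EXE but process runs as {name}")
    if original == "powershell.exe" and image.lower().startswith(PUBLIC_DIR):
        reasons.append("PowerShell host executing from C:\\Users\\Public")
    return reasons

def triage(events: list[dict]) -> list[dict]:
    """Keep only events with at least one suspicion reason, with the reasons attached."""
    return [{"Image": e["Image"], "ParentImage": e["ParentImage"], "reasons": r}
            for e in events if (r := rename_suspicion(e))]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```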

ScrubCrypt Delivers VenomRAT

The "pointer.cmd" file serves as the ScrubCrypt batch file, and it's "deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.

VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.

Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.

Notable among those plugins are three RATs often used for various nefarious purposes: the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and XWorm, which can load ransomware or act as a persistent backdoor.

Vigilance Required

Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.

"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.

Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.

Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction (CDR) service also helps by disabling malicious macros in a document before they can do any harm, Lin wrote.

FortiGuard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
