Cybersecurity researchers have uncovered a complex multi-stage attack that utilizes invoice-themed phishing emails to distribute a range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer.
According to a technical report from Fortinet FortiGuard Labs, the attack begins with email messages containing Scalable Vector Graphics (SVG) file attachments. Clicking on these SVG files initiates the infection process.
One notable aspect of this attack is the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts. BatCloak, a tool available for purchase since late 2022, is designed to load next-stage payloads while evading traditional detection methods. ScrubCrypt, previously linked to the 8220 Gang's cryptojacking campaign, is considered an iteration of BatCloak.
In this campaign, the SVG file serves as a conduit for dropping a ZIP archive containing a batch script likely created using BatCloak. This script unpacks the ScrubCrypt batch file, ultimately executing Venom RAT while establishing persistence on the host and bypassing AMSI and ETW protections.
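The summary above says the SVG attachment is the conduit for the ZIP archive but does not say how the archive is carried. A defender triaging mail attachments can still flag the constructs an SVG needs in order to behave like a dropper rather than an image: script elements, inline event handlers, javascript: URIs, and base64 data URIs whose payload starts with the ZIP local-file-header magic (PK\x03\x04, which base64-encodes to the prefix UEsDB). The scanner below is an added example written for this article, not code from Fortinet's report or from the campaign; the two SVG samples it checks are constructed here, and the assumption that the archive is embedded as a base64 data URI is ours, not a statement from the report.

```python
import base64
import re
from dataclasses import dataclass, field

# Base64 of the ZIP local-file-header magic "PK\x03\x04". The first four
# bytes fully determine the first five base64 characters, so the slice is
# a stable prefix ("UEsDB") regardless of what follows in the archive.
ZIP_MAGIC_B64 = base64.b64encode(b"PK\x03\x04").decode()[:5]

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# Common SVG/SMIL event attributes that run script when the image is opened.
HANDLER_RE = re.compile(
    r"\s(?:onload|onerror|onclick|onmouseover|onbegin|onend|onfocusin)\s*=",
    re.IGNORECASE,
)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)
DATA_URI_RE = re.compile(
    r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)", re.IGNORECASE
)


@dataclass
class SvgFindings:
    """Reasons an SVG should be held for analysis; empty means nothing found."""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_svg(text: str) -> SvgFindings:
    """Flag SVG content that can execute code or smuggle an archive.

    A static image needs none of these constructs, so each hit is a reason
    to quarantine the attachment rather than render it.
    """
    findings = SvgFindings()
    if SCRIPT_RE.search(text):
        findings.reasons.append("script element")
    if HANDLER_RE.search(text):
        findings.reasons.append("inline event handler")
    if JS_URI_RE.search(text):
        findings.reasons.append("javascript: URI")
    for match in DATA_URI_RE.finditer(text):
        mime, payload = match.group(1), match.group(2)
        if payload.startswith(ZIP_MAGIC_B64):
            # Declared MIME type is attacker-controlled; the magic bytes are not.
            findings.reasons.append(f"embedded base64 ZIP (declared as {mime})")
        elif not mime.lower().startswith("image/"):
            findings.reasons.append(f"non-image data URI ({mime})")
    return findings


# Constructed sample: a plain vector image with no active content.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" fill="red"/></svg>'
)

# Constructed sample: an SVG that carries an (empty) script, an onload
# handler, and a base64 blob beginning with the ZIP magic. The "archive"
# is just a header plus padding; it is not a real ZIP and does nothing.
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 26 + b"invoice.bat").decode()
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
    "<script>function run(){}</script>"
    f'<a href="data:application/octet-stream;base64,{_FAKE_ZIP_B64}">invoice</a>'
    "</svg>"
)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        result = scan_svg(sample)
        verdict = "QUARANTINE" if result.suspicious else "allow"
        print(f"{name}: {verdict} {result.reasons}")
```

Running the module prints `allow []` for the plain image and `QUARANTINE` with three reasons for the constructed sample. Because the check keys on the archive's magic bytes rather than the declared MIME type, relabelling the data URI as `image/png` would still be caught; a gateway that only trusts the `.svg` extension or the MIME header would not catch either.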
Venom RAT, a fork of Quasar RAT, allows attackers to take control of compromised systems, gather sensitive information, and execute commands received from a command-and-control (C2) server. It supports various plugins, including NanoCore RAT, XWorm, and Remcos RAT.
The Remcos RAT plugin is distributed via Venom RAT's C2 using obfuscated VBS scripts, ScrubCrypt, and GuLoader PowerShell. Additionally, a stealer is deployed to gather system information and extract data from cryptocurrency wallet folders associated with Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty, Zcash, Foxmail, and Telegram, sending this information to a remote server.
Security researcher Cara Lin highlighted the sophistication of this attack, which employs multiple layers of obfuscation and evasion techniques to distribute and execute Venom RAT via ScrubCrypt. The attackers utilize phishing emails with malicious attachments, obfuscated script files, and GuLoader PowerShell to compromise victim systems, demonstrating adaptability and versatility in their attack campaign.