Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Security researchers have uncovered a complex multi-stage cyber attack employing invoice-themed phishing lures to distribute various types of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a cryptocurrency wallet stealer.

According to a technical report from Fortinet FortiGuard Labs, the malicious emails contain Scalable Vector Graphics (SVG) file attachments. Clicking on these files triggers the infection process.

What stands out in this attack is the use of the BatCloak malware obfuscation tool and ScrubCrypt to deliver malware through obfuscated batch scripts.

BatCloak, available for purchase since late 2022, is based on a tool called Jlaive. Its main function is to load a next-stage payload in a way that evades traditional detection methods.

ScrubCrypt, initially identified by Fortinet in March 2023 during a cryptojacking campaign attributed to the 8220 Gang, is believed to be a variant of BatCloak, as indicated by research from Trend Micro.

In the recent campaign scrutinized by the cybersecurity company, the SVG file acts as a conduit for dropping a ZIP archive containing a batch script, likely crafted using BatCloak. This script then unpacks the ScrubCrypt batch file to execute Venom RAT. However, before doing so, it establishes persistence on the host and takes measures to bypass AMSI and ETW protections.

Venom RAT, a derivative of Quasar RAT, empowers attackers to take control of compromised systems, harvest sensitive data, and execute commands issued from a command-and-control (C2) server.

According to security researcher Cara Lin, although Venom RAT's core functionality may seem straightforward, it establishes communication channels with the C2 server to obtain additional plugins for diverse activities. These plugins include Venom RAT v6.0.3 with keylogging capabilities, NanoCore RAT, XWorm, and Remcos RAT.

Lin noted that the Remcos RAT plugin was disseminated from VenomRAT's C2 server through three methods: an obfuscated VBS script named 'remcos.vbs,' ScrubCrypt, and Guloader PowerShell.

Additionally, a data-stealing component is deployed through the plugin system, which collects system information and extracts data from directories associated with various wallets and applications, such as Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (which was retired as of March 2023), Zcash, Foxmail, and Telegram. This data is then sent to a remote server.

Lin's analysis underscores a sophisticated attack strategy that employs multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt.

"The attackers utilize various tactics, including phishing emails containing malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Moreover, the deployment of plugins through different payloads highlights the adaptability and versatility of the attack campaign," Lin emphasized.