Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attack
Severity Level: High
Last year, FortiGuard Labs uncovered the 8220 Gang’s utilization of ScrubCrypt to launch attacks targeting exploitable Oracle WebLogic Servers. ScrubCrypt has been described as an “antivirus evasion tool” that converts executables into undetectable batch files. It offers several options to manipulate malware, making it more challenging for antivirus products to detect.
We recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) files. The email lures victims into clicking on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool. ScrubCrypt is then used to load the final payload, VenomRAT while maintaining a connection with a command and control (C2) server to install plugins on victims’ environments. The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets.
This article provides detailed insights into how the threat actor distributes VenomRAT and other plugins.
Figure 1: Attack chain
Initial Access
The attacker initiates the attack by sending a phishing email stating that a shipment has been delivered. It also includes an attached invoice. The attachment is an SVG file named “INV0ICE_#TBSBVS0Y3BDSMMX.svg,” which contains embedded base64-encoded data.
Figure 2: Phishing email
After victims open the SVG file, the ECMAScript creates a new blob and utilizes “window.URL.createObjectURL” to drop the decoded data as a ZIP file named “INV0ICE_#TBSBVS0Y3BDSMMX.zip.”
Figure 3: SVG file that drops ZIP file
The decompressed file is an obfuscated batch file that embeds its payload in the section “——BEGIN X509 CRL—–.” Based on the decoded comment in the first line, it is presumed that this batch file was created by the BatCloak tool, known for using heavily obfuscated batch files to deploy various malware families. BatCloak has been employed since 2022 to distribute malware while effectively evading detection by antivirus programs.
The script initially copies a PowerShell execution file to “C:UsersPublicxkn.exe” and utilizes the copied file in later commands. It includes parameters in each command, “-WindowStyle hidden -inputformat none -outputformat none -NonInteractive,” to conceal its activity from the victim’s notice. It then decodes the malicious data and saves it as “pointer.png.” After hex-decoding, the result is saved as a “pointer” and moved to “C:UsersPublicLibrariespointer.cmd.” Upon executing “pointer.cmd,” it employs “cmd /c del” to delete all the files mentioned above.
Figure 4: The obfuscated batch file
Figure 5: The de-obfuscated script
Figure 6: Decoded data “pointer.png”
ScrubCrypt
The “pointer.cmd” file serves as the ScrubCrypt batch file. It is deliberately cluttered with numerous junk strings to obscure readability. It incorporates two payloads encoded in Base64 format and employs AES-CBC decryption and GZIP compression to decompress them. It uses the PowerShell command “[System.Reflection.Assembly]::Load” to load the decrypted .NET assembly from a byte array, accessing its entry point method and invoking that method to initiate the execution of the assembly’s code.
Figure 7: ScrubCrypt batch file
Figure 8: Reorganized ScrubCrypt batch file
The first payload serves two primary purposes: establishing persistence and loading the targeted malware. It determines whether the current user is part of the built-in Administrator role in a Windows operating system to configure its persistence settings. Additionally, it checks for the presence of any debugger. If found, it terminates the program to avoid detection.
Figure 9: Main function
If the current user holds Administrator privileges, the program duplicates itself to “%AppData%/strt.cmd” and utilizes a PowerShell command to establish a scheduled task named “OneNote 83701.” This task triggers upon user login, executes “strt.cmd,” and operates with elevated privileges. Conversely, if the user lacks Administrator permissions, the program duplicates itself to the “StartUp” folder under the filename “strt.cmd.”
Figure 10: Persistence setting
Finally, it loads an assembly from an embedded resource named “P,” which contains a compressed assembly. It then invokes the entry point method of the loaded assembly to execute VenomRAT.
Figure 11: Invoke VenomRAT
The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass.
Figure 12: 2nd Decrypted payload from ScrubCrypt Batch file
Figure 13: AMSI and ETW bypass
VenomRAT
VenomRAT is a remote access Trojan (RAT) first identified in 2020. It is a modified version of the well-known Quasar RAT and is distributed through malicious attachments in spam emails. Cybercriminals utilize it to gain unauthorized access and control over targeted systems. As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim’s knowledge or consent.
The fundamental configurations of VenomRAT are Base64-encoded, and AES-CBC encrypted. The decrypted data is shown in Figure 14.
Figure 14: Initial setting in VenomRAT
After completing environmental checks, VenomRAT initiates communication with its C2 server. The initial packet transmitted contains basic information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed.
Figure 15: Packet for client information
All C2 sessions are encrypted using the certificate specified in its configuration. By debugging the program, we extracted and decompressed the packets, revealing the keep-alive sessions established with the C2 server.
Figure 16: Encrypted C2 sessions
Figure 17: Keep-alive message
While VenomRAT’s primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities. The assembly responsible for parsing packets from the server is outlined below. Upon receiving the “save_Plugin” directive from the server, it can decompress the data and save it to the registry.
Figure 18: VenomRAT handles packets
Figure 19: Saved plugin data in a registry
The “save_Plugin” data comprises a DLL file named “SendFile,” which can parse other “plug_in” files sent from the C2 server. If a plugin file with the same name is already in the victim’s environment, it deletes the existing file and creates a new one with the current data. After decompressing the “plug_in” packet data, it examines the “Filename” to determine which PowerShell command to employ.
Figure 20: “SendFile.dll” handles other plugin data
In Figure 21, once a “plugin” packet is received from the server, VenomRAT reads the registry to fetch the data for “SendFile.dll” and executes the payload contained within the plugin.
Figure 21: Received plugin data from the C2 server
Figure 22: VenomRAT uses “SendFile.dll” to invoke plugin data
In the following sections, we’ll elaborate on the plugins provided by the VenomRAT C2 server.
Plugin 1 – Venom RAT v6.0.3
The first plugin is embedded in ScrubCrypt and loads without landing any execution file in the victim’s environment, which perfectly hides its trace. The second payload from the ScrubCrypt Batch file is called “ScrubBypass.” This file is highly obfuscated to hide the code flow, functions, and strings. ScrubBypass’s main jobs are patching the AMSI scan buffer and EtwEventWrite to achieve AMSI and ETW bypass.
Figure 23: ScrubBypass
The plugin VenomRAT is version 6.0.3. It has a Keylogger function and stores its C2 server information on the Pastebin website. It collects multiple data types, monitors the victim’s keyboard activities, and persistently sends stolen data to the C2 server.
Figure 24: VenomRAT with Grabber and Keylogger
Figure 25: Configuration
Plugin 2 – NanoCore
NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It is known for its ability to remotely access and control a victim’s computer, often without their knowledge. It continues to be relevant in the cybercrime world due to its source code being leaked and widely distributed in underground forums. This plugin is distributed to compromised devices by an obfuscated VBS file, shown in Figure 26.
Figure 26: Obfuscated VBS script
The script stores the data for the next stage on the website “hxxps://nanoshield[.]pro/files,” which also serves as a Crypter service provider. Initially, it retrieves a JPG file and decodes the target section using the reversed URL as a parameter. Although accessing the second URL, “hxxps://nanoshd[.]pro/files/new_image.jpg?14441723,” was unsuccessful, modifying the hostname to “nanoshield.pro” allowed us to access to a similar file, as seen in the first URL ”hxxps://nanoshield[.]pro/new_image2.jpg?166154725.”
Figure 27: Decoded VBS script
Figure 28: JPG files
The JPG file employs steganographic methods to conceal code inside the picture, embedding malware data encoded in Base64 between the tags <<BASE64_START>> and <<BASE64_END>>. After decoding the JPG file, we obtained a .NET execution file. This file establishes persistence by configuring the registry key “HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun” and checks for any virtual environments. It then downloads encoded data from the “nanoshield.pro/files” URL, reverses the data, replaces the specific string “DgTre,” and employs “RegAsm” to proxy the execution of NanoCore.
Figure 29: Decoded JPG file loads the malware for the next stage
Figure 30: Encoded data from nanoshield.pro/files
Figure 31: NanoCore
Plugin 3 – XWorm
XWorm is a RAT that spreads through removable drives like USB flash drives, infecting Windows systems. It can steal information or allow remote access. Figure 32 shows the plugin from VenomRAT’s C2 server with the filename “xwrm3.1.vbs” at the end of the packet.
Figure 32: Plugin data from VenomRAT’s C2 server
Figure 33: Decoded VBS script
Figure 34: XWorm
In addition to the VBS file, we retrieved another “plug_in” containing a batch script attempting to execute PowerShell commands. It downloads encoded data from “hxxps://kisanbethak[.]com/K/Universallsningen.lpk.”
Figure 35: Batch script to execute Guloader PowerShell
Figure 36: Website with encoded data
The next stage of the PowerShell code resides at the end of the decoded “Universallsningen.lpk” file. Despite containing numerous junk comments to obfuscate analysis, the PowerShell script uses the Process Hollowing technique to inject shellcode into a legitimate process. Following injection and environment verification, the shellcode executes the final malware, XWorm. In this attack scenario, GuLoader also deploys NanoCore and Remcos.
Figure 37: PowerShell script in the decoded “Universallsningen.lpk”
Plugin 4 – Remcos
Remcos is a Remote Access Trojan (RAT) first appearing in 2016. It is marketed as legitimate software for remote management but is often used maliciously. Remcos can give attackers complete control over an infected system, allowing them to capture keystrokes, screenshots, credentials, and other sensitive information. It is typically delivered via malicious documents or archive files and has been seen in phishing campaigns. This plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named “remcos.vbs”, ScrubCrypt, and Guloader PowerShell.
Figure 38: Plugin data from VenomRAT’s C2 server
Figure 39: The de-obfuscated VBS script
Figure 40: ScrubCrypt .NET file loads Remcos from resource data “P”
Figure 41: Guloader PowerShell
The configuration for Remcos is RC4 encrypted in the “SETTINGS” resource, and the decrypted data is shown in Figure 42.
Figure 42: Decrypted configuration
Plugin 5 – Stealer
This plugin is not only deployed via the obfuscated VBS script mentioned in the previous section but it is also embedded in a .NET execution file obfuscated using SmartAssembly. The .NET execution file decodes the next stage payload from the Resource file “ach” and writes the data into the memory.
Figure 43: Write payload in memory
It then copies itself to the TEMP folder and sets this copied file to the scheduled task named “Nano.” This task repeats every 10 minutes after the first trigger.
Figure 44: Copy itself and schedule a task
The next stage payload is more straightforward. It contains a hardcoded array for the malicious DLL file for stealing the victim’s sensitive data.
Figure 45: Main function
Figure 46: Hardcoded payload
The DLL file stores its configuration in Base64 encoded data, including the C2 hostname and the certificate to encrypt the communication.
Figure 47: Decoded configuration
This DLL file keeps monitoring the user’s system and aims for specific crypto wallets, Foxmail, and telegram data by performing the following tasks repeatedly:
1. Gathers details about the victim’s environment, such as the PC name, username, antivirus software, disk information, and operating system version.
2. Verifies the existence of the following paths: “”%AppData%atomicLocal Storageleveldb” “%AppData%Electrumwallets,” “%AppData%Ethereumkeystore,” “%AppData%Exodusexodus.wallet,” “%AppData%com.liberty.jaxxIndexedDB,” “%AppData%Zcash,” “%AppData%Foxmail” and “%AppData%Telegram DesktopTelegram.exe”.
3. Checks if the following registry exists: “SoftwareBitcoinBitcoin-Qt,” “SoftwareDashDash-Qt” and “SoftwareLitecoinLitecoin-Qt. “
4. Once collected, the targeted data sends the data appended with the execution file path at the end to the C2 server, “markjohnhvncpure[.]duckdns.org.”
Conclusion
This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt. The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.
The attackers’ ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively.
Fortinet Protections
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
W32/Rescoms.U!tr
MSIL/NanoCore.K!tr
MSIL/Kryptik.TPQ!tr
MSIL/Kryptik.AKNE!tr
MSIL/Kryptik.AKCI!tr
MSIL/Kryptik.AHUA!tr
MSIL/GenericKD.70765425!tr
MSIL/GenericKD.61253965!tr
MSIL/Agent.VIC!tr
MSIL/Agent.SUB!tr
MSIL/Agent.PEP!tr.dldr
MSIL/Agent.CTE!tr
MSIL/Agent.CFQ!tr
JS/Agent.PIJ!tr
BAT/Agent.B7E9!tr
BAT/Agent.ARX!tr.dldr
VBS/Agent.IFT!tr
PowerShell/Agent.2C1B!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros in the document.
We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
C2
hjkdnd[.]duckdns[.]org
mup830634[.]duckdns[.]org
markjohnhvncpure[.]duckdns[.]org
homoney177[.]duckdns[.]org
febvenom8[.]duckdns[.]org
rachesxwdavid[.]duckdns[.]org
URLs
hxxps://nanoshd[.]pro/files/new_image.jpg?14441723
hxxps://nanoshield[.]pro/new_image2.jpg?166154725
hxxps://kisanbethak[.]com/P/
hxxps://kisanbethak[.]com/K/
Files
06779e1015bd7dd2012ad03f7bb3f34e8d99d6ca41106f89cb9fb1ec46fe034e
0b5631041336a58ab859d273d76c571dd372220dfa1583b597a2fe5339ad4bf7
0f1d6aab547ceca6e71ac2e5a54afdaea597318fe7b6ca337f5b92fdff596168
2373840bc455d601551304ec46c281b218e90a91dce3823709c213814636e899
258578c03ca314ac3a636a91e8b3245230eae974cf50799d89b3f931e637014c
411ad772af94a042413af482a2ef356d3217bcc5123353e3c574347cb93e3d5a
4a4b5c22c877437c359ef2acaeeb059881da43b11798581cf2f31c2c83fc3418
4cda23993d793ef070be7b9066f31a45b10c1e72d809f4a43726da977a0069d8
51ecf11a64e934409bfada2b6f0c4d89c3420ca95640bc88f928906e6f0b4832
53a522051e0319176dece493b7e2543135ed41c402adbfeda32a5f6be7d68175
546a85e384ced3d4535bad16a877ecd36a79849c379c5daa357689116f042c1b
5c5caa3182d6b121c1445d6ca81134ec262cd5ea4f9ef1944f993b63d1987647
5f1746b4bd8d94d4d3feb1e2d4a829b6c3bab9341e272341f4b3a1da01d20745
6aaff578555cb82159a9c16a159f0437c39b673744e0c537c4b7f0f67f56c5d9
6ac5c7284aaa0c195723df7a78ae610a7ee096b3b5bc19f6838451acd438116e
71a22bed7ab5a26158fc1cf1b7bb87146254672483aad72736817ff16e656c7b
7d7a710e3c0e5da830213f9b72f44a72d721adcf17abc838f28286dde8a1e8d9
7d9c8d44554ee10310805920afb51249a1e8cd3e32b430e8c9638fec316913d3
85790dad1a0af5febd7d90e0ec9ce680ec87dcc31a94a25bfb454bb121164bfd
8e97019f8c4712f1fc9728c4706112a5ef85a05aa809985709faef951925e094
94b2e06e45407f193cfe58e18f5c250bbd1b8e857a754f1c366913129b9dada7
bee35a9d30d6f69cd6d173c6a6a93110cac59ab3710e32eced6f266581e88b87
cd1364d8c7f6f0246ed91cd294e2e506e7c94ba2f9a33c373c6fcfe04bbe17e7
d04bf1a9f6014bf4bcdb3ac4eb6d85bcc4159ae25a7f00c4493cbcb8e892e159
d05ad3dc62e1dc45fd31dc2382c1ea5e5f26f4f7692cb2ef8fd1c6e74b69fa16
dc2c1694d363d78cdfed0574cf51413b9b48d932e076033bb76cf69a4470b7e9
dceea68a037376b323d2a934f9fdc59bfbd2c2c0ed66014bdf059f403f4dc6f2
e190d172b7d3c7f1055052f0ed3da5d5979a8a2b622ca2fbcea90774a5bf6008
f02c04bc428694a11917375f41ecb7c7aa326cf242b4c56ed1e7b3ae14d5dd68
f4164be3d357682754559aa32ea74c284eee64140d3f56a63a225d5de10d051c
Source: Original Post