A phishing campaign is using virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase-order-themed email carrying a ZIP archive that contains a VHD file. When the VHD is opened it mounts as a drive, and a heavily obfuscated batch script inside it executes. That script uses PowerShell to carry out the malicious activity: it drops files in the Startup folder for persistence, modifies registry keys, and connects to Pastebin as part of its C2 communication. The malware creates a DataLogs.conf file to capture keystrokes and other sensitive data, which it then exfiltrates to the C2 server. The campaign also uses AES encryption and multiple layers of obfuscation to evade detection.
Author: AlienVault
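Endpoint hunting logic for the chain the pulse describes (batch script from a mounted image, cmd.exe spawning PowerShell, Startup-folder and Run-key persistence, a DataLogs.conf drop, and a Pastebin connection), written as an added example; it is not code from the pulse or from AlienVault. The event dicts mimic Sysmon field names and event IDs (1 process create, 3 network connection, 11 file create, 13 registry value set), the sample events are constructed rather than real telemetry, and the "batch file launched from a drive letter other than C:" test is an assumed heuristic for execution from a mounted VHD, not something the pulse states.

```python
"""Hunt for the VHD -> batch -> PowerShell -> VenomRAT chain in Sysmon-style events.

Added example, not from the pulse. Field names follow Sysmon's schema; all sample
events below are constructed. The drive-letter heuristic is an assumption.
"""
import re
from collections import defaultdict

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# A mounted VHD is assigned its own drive letter, so a .bat/.cmd launched from any
# letter other than C: is treated as "run from a mounted image" (heuristic/assumption).
NON_SYSTEM_BAT_RE = re.compile(r'\b[d-z]:\\[^"]*\.(?:bat|cmd)\b', re.I)
# -e / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_PS_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# (technique label taken from the pulse's tags, predicate over a single event)
RULES = [
    ("T1059.003", lambda e: e["event_id"] == 1 and basename(e.get("image", "")) == "cmd.exe"
     and bool(NON_SYSTEM_BAT_RE.search(e.get("command_line", "")))),
    ("T1059.001", lambda e: e["event_id"] == 1 and basename(e.get("image", "")) == "powershell.exe"
     and basename(e.get("parent_image", "")) == "cmd.exe"),
    ("Obfuscation", lambda e: e["event_id"] == 1
     and bool(ENCODED_PS_RE.search(e.get("command_line", "")))),
    ("T1547.001", lambda e: (e["event_id"] == 11 and bool(STARTUP_RE.search(e.get("target_filename", ""))))
     or (e["event_id"] == 13 and bool(RUN_KEY_RE.search(e.get("target_object", ""))))),
    ("T1056.001", lambda e: e["event_id"] == 11
     and basename(e.get("target_filename", "")) == "datalogs.conf"),
    ("T1102.001", lambda e: e["event_id"] == 3
     and e.get("destination_hostname", "").lower().endswith("pastebin.com")),
]


def match_events(events):
    """Map each technique whose rule fired to the events that triggered it."""
    hits = defaultdict(list)
    for event in events:
        for technique, predicate in RULES:
            if predicate(event):
                hits[technique].append(event)
    return dict(hits)


def chain_score(events):
    """Number of distinct stages of the chain observed in this event set."""
    return len(match_events(events))


def is_suspected_chain(events, threshold=3):
    """Each stage alone is noisy (admins run encoded PowerShell, installers write
    Run keys); alert only when several stages co-occur on one host."""
    return chain_score(events) >= threshold


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [  # constructed to mirror the described chain
    {"event_id": 1, "image": CMD, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c "E:\PO-4471.bat"'},
    {"event_id": 1, "image": PS, "parent_image": CMD,
     "command_line": "powershell.exe -w hidden -ep bypass -enc "
                     "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"event_id": 11, "image": PS, "target_filename":
     r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"event_id": 13, "image": PS, "target_object":
     r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": 11, "image": PS, "target_filename": r"C:\Users\bob\AppData\Roaming\DataLogs.conf"},
    {"event_id": 3, "image": PS, "destination_hostname": "pastebin.com", "destination_port": 443},
]

BENIGN_EVENTS = [  # constructed: an admin running a one-off command from Explorer
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
    {"event_id": 11, "image": PS, "target_filename": r"C:\Users\bob\Documents\procs.txt"},
]

if __name__ == "__main__":
    for technique, evidence in sorted(match_events(SAMPLE_EVENTS).items()):
        print(f"{technique}: {len(evidence)} event(s)")
    print("suspected chain:", is_suspected_chain(SAMPLE_EVENTS))
```

The threshold matters more than any single rule: encoded PowerShell, Run-key writes and Pastebin traffic each occur legitimately, so the value of this logic is in correlating several stages on the same host within a short window rather than alerting on one of them. In production the events would be grouped by host and time before being handed to match_events.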
Related Tags:
aes encryption
T1102.001 (Web Service: Dead Drop Resolver)
T1566.001 (Phishing: Spearphishing Attachment)
T1132.001 (Data Encoding: Standard Encoding)
T1056.001 (Input Capture: Keylogging)
Obfuscation
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
Associated Indicators (SHA-1 file hashes):
74262A750437B80ED15AECA462172B50D87096E5
DDC7315A3903974624DFD750A374C37C9C67C6DD