PureHVNC Deployed via Python Multi-stage Loader

Aug. 9, 2024, 11:39 a.m.

Description

FortiGuard Labs uncovered a campaign that uses multiple obfuscation and evasion techniques to distribute and execute several malware families, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The chain starts with a phishing email carrying a malicious attachment, which kicks off a multi-stage Python loader and the follow-on stages. Every payload is wrapped with packing and obfuscation tools such as Kramer, donut, and laZzzy to conceal its presence. The analysis focuses on PureHVNC, which collects victim system information, targets cryptocurrency wallets, password managers, and two-factor authenticators, and can load additional plugins for remote desktop control and command execution.

Date

Published: Aug. 9, 2024, 11:25 a.m.

Created: Aug. 9, 2024, 11:25 a.m.

Modified: Aug. 9, 2024, 11:39 a.m.

Indicators

d4e8bf427c196d1d5ffca52a5af7162cc5cf4df730ee3fe65b4381ac79662a15

b393323b9834656a2999198d4f02c1a159c6034d3c20c483d22a30aab3810c0c

95a33ba5550747baf72e39b020e6215b6047983eda17250408cd6f4c16a93089

8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68

7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c

72ce64d50f9aa15b21631307d2143f426364634a7a2ee4b401ef76bd88c4ff3b

71b797032458aab9b4a1a203e7ca413f009af1961cffb98590e34f672574599a

561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441

503ce7bcefdffb96b5de78254f947598a410b86d3aaf597c7334e248c46dae5b

2b7ee0ccfa45d2f53098cd8aa4ce73cb00ace462d8490e6843bf05cd07854553

16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a

vxsrwrm.duckdns.org

xoowill56.duckdns.org

ghdsasync.duckdns.org

float-suppose-msg-pulling.trycloudflare.com

drvenomjh.duckdns.org

ncmomenthv.duckdns.org

anachyyyyy.duckdns.org
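The indicators above are SHA-256 file hashes and C2 hostnames, most of them on free dynamic-DNS or tunnelling services (duckdns.org, trycloudflare.com). The following script is an added example, not FortiGuard Labs' tooling: it splits the raw indicator list into hashes and domains, normalises queried names (case, trailing dot) before matching, flags a sibling subdomain of one of the listed parent services as a low-confidence lead rather than a hit, and hashes file bytes against the sample list. The key=value DNS log format and the log lines are constructed for illustration.

```python
"""Match DNS-query log lines and file contents against the PureHVNC campaign
indicators listed on this page.  Added example code; log format and lines
are constructed, not real telemetry."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied verbatim from the page.
IOC_TEXT = """
d4e8bf427c196d1d5ffca52a5af7162cc5cf4df730ee3fe65b4381ac79662a15
b393323b9834656a2999198d4f02c1a159c6034d3c20c483d22a30aab3810c0c
95a33ba5550747baf72e39b020e6215b6047983eda17250408cd6f4c16a93089
8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68
7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c
72ce64d50f9aa15b21631307d2143f426364634a7a2ee4b401ef76bd88c4ff3b
71b797032458aab9b4a1a203e7ca413f009af1961cffb98590e34f672574599a
561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441
503ce7bcefdffb96b5de78254f947598a410b86d3aaf597c7334e248c46dae5b
2b7ee0ccfa45d2f53098cd8aa4ce73cb00ace462d8490e6843bf05cd07854553
16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a
vxsrwrm.duckdns.org
xoowill56.duckdns.org
ghdsasync.duckdns.org
float-suppose-msg-pulling.trycloudflare.com
drvenomjh.duckdns.org
ncmomenthv.duckdns.org
anachyyyyy.duckdns.org
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so 'VXSRWRM.duckdns.org.' still hits."""
    return name.strip().lower().rstrip(".")


def classify_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Split the raw indicator list into SHA-256 hashes and domain names."""
    hashes, domains = set(), set()
    for raw in text.split():
        token = raw.lower()
        if SHA256_RE.match(token):
            hashes.add(token)
        elif DOMAIN_RE.match(normalize_domain(token)):
            domains.add(normalize_domain(token))
    return hashes, domains


HASHES, DOMAINS = classify_iocs(IOC_TEXT)

# Registrable parents of the listed C2 names (duckdns.org, trycloudflare.com).
# Both are free services with many legitimate users, so a sibling subdomain
# is only a low-confidence hunting lead, not an indicator on its own.
PARENTS = {".".join(d.split(".")[-2:]) for d in DOMAINS}


def match_domain(name: str) -> Optional[str]:
    """Return 'exact', 'dyndns-parent' (low confidence) or None."""
    q = normalize_domain(name)
    if q in DOMAINS:
        return "exact"
    if any(q == p or q.endswith("." + p) for p in PARENTS):
        return "dyndns-parent"
    return None


# Constructed log format (hypothetical): key=value pairs, one query per line.
QUERY_RE = re.compile(r"host=(?P<host>\S+).*?query=(?P<query>\S+)")


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose queried name matches an indicator."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # unparseable line; in production, count these and alert on spikes
        verdict = match_domain(m.group("query"))
        if verdict:
            hits.append({"host": m.group("host"),
                         "query": normalize_domain(m.group("query")),
                         "verdict": verdict})
    return hits


def file_is_known_sample(data: bytes) -> bool:
    """SHA-256 the file contents and compare with the listed sample hashes."""
    return hashlib.sha256(data).hexdigest() in HASHES


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-08-09T11:25:00Z host=WS01 query=VXSRWRM.duckdns.org. type=A",
    "2024-08-09T11:25:03Z host=WS01 query=www.example.com type=A",
    "2024-08-09T11:26:10Z host=WS02 query=other-tenant.duckdns.org type=A",
    "2024-08-09T11:27:45Z host=WS03 query=float-suppose-msg-pulling.trycloudflare.com type=A",
    "malformed line without a query field",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
    # For a real file: file_is_known_sample(open(path, "rb").read())
    print(file_is_known_sample(b"not one of the listed samples"))
```

Normalising before matching matters in practice: resolver logs often record the queried name with a trailing dot or mixed case, and a naive string compare against the indicator list silently misses the exact C2 hostname.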

Attack Patterns

PureHVNC

VenomRAT

XWorm

AsyncRAT

T1547.003 (Boot or Logon Autostart Execution: Time Providers)

T1559.001 (Inter-Process Communication: Component Object Model)

T1021.001 (Remote Services: Remote Desktop Protocol)

T1053.005 (Scheduled Task/Job: Scheduled Task)

T1055.002 (Process Injection: Portable Executable Injection)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

T1105 (Ingress Tool Transfer)

T1566.001 (Phishing: Spearphishing Attachment)

T1027 (Obfuscated Files or Information)