VHDs Used to Distribute VenomRAT and Other Malware
March 14, 2025, 7:29 p.m.
Description
A phishing campaign is using virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase-order-themed email carrying a ZIP archive that contains a VHD file. When the user opens it, the VHD mounts as a drive and runs a heavily obfuscated batch script. This script uses PowerShell to carry out the malicious activity: dropping files into the Startup folder for persistence, modifying the registry, and contacting Pastebin to resolve its C2 communication. The malware creates a DataLogs.conf file to capture keystrokes and other sensitive data, which it then exfiltrates to the C2 server. The campaign also uses AES encryption and multiple layers of obfuscation to evade detection.
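The chain described above (batch script from the mounted image spawning PowerShell, a drop into the Startup folder, creation of DataLogs.conf, and a PowerShell connection to Pastebin) lends itself to correlation of ordinary endpoint telemetry. The script below is an added detection example written for this summary; it is not code from the report or from any vendor. It assumes a simplified, normalized event schema (fields `host`, `type`, `image`, `parent_image`, `parent_cmdline`, `path`, `dest_host`) that an EDR or Sysmon pipeline would have to populate, and every event it contains is constructed sample data, not a real indicator from this campaign. The VHD mount itself is not visible in these fields, so the example keys on the behaviours that follow it rather than on the container format.

```python
"""Correlate the VenomRAT VHD delivery chain over normalized endpoint events.

Added example for this summary. The event schema and all sample events are
constructed for illustration; no real hashes, hosts or C2 values are used.
"""
from collections import defaultdict

# Startup-folder fragment as it appears in any user's profile path (lower-cased).
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup\\".rstrip("\\") + "\\"
# The campaign resolves its C2 through Pastebin (dead drop resolver, T1102.001).
PASTE_HOST = "pastebin.com"


def _img(ev, key="image"):
    """Lower-cased image path for a field that may be absent on some event types."""
    return ev.get(key, "").lower()


def rule_batch_spawns_powershell(ev):
    """T1059.003 -> T1059.001: cmd.exe running a .bat launches powershell.exe."""
    return (ev.get("type") == "process"
            and _img(ev).endswith("powershell.exe")
            and _img(ev, "parent_image").endswith("cmd.exe")
            and ".bat" in ev.get("parent_cmdline", "").lower())


def rule_startup_drop(ev):
    """T1547.001: PowerShell writes a file into a user's Startup folder."""
    return (ev.get("type") == "file"
            and STARTUP_DIR in ev.get("path", "").lower()
            and _img(ev).endswith("powershell.exe"))


def rule_keylog_file(ev):
    """T1056.001: the keystroke capture file named in the report is created."""
    return ev.get("type") == "file" and ev.get("path", "").lower().endswith("\\datalogs.conf")


def rule_paste_c2(ev):
    """T1102.001: powershell.exe reaches out to Pastebin."""
    return (ev.get("type") == "network"
            and ev.get("dest_host", "").lower() == PASTE_HOST
            and _img(ev).endswith("powershell.exe"))


RULES = {
    "batch_spawns_powershell": rule_batch_spawns_powershell,
    "startup_drop": rule_startup_drop,
    "keylog_file": rule_keylog_file,
    "paste_c2": rule_paste_c2,
}


def correlate(events):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def alert_hosts(events, min_rules=2):
    """Hosts where at least `min_rules` distinct stages of the chain were seen.

    A single stage (e.g. an admin .bat that calls PowerShell) is common and
    noisy; requiring two or more stages keeps the alert tied to the chain.
    """
    return sorted(h for h, names in correlate(events).items() if len(names) >= min_rules)


# Constructed sample telemetry: WS01 shows the full chain, WS02 shows only a
# benign-looking batch-to-PowerShell launch that should not alert on its own.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmdline": r'cmd.exe /c "E:\PO-2025.bat"'},
    {"host": "WS01", "type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"host": "WS01", "type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\DataLogs.conf"},
    {"host": "WS01", "type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    {"host": "WS02", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"'},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, names)
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

The threshold in `alert_hosts` is the practical knob: the batch-to-PowerShell rule alone fires on plenty of legitimate administration, whereas a Startup-folder write or a DataLogs.conf creation by the same interpreter on the same host is what makes the sequence match the reported chain.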
Tags
Date
- Created: March 14, 2025, 10:16 a.m.
- Published: March 14, 2025, 10:16 a.m.
- Modified: March 14, 2025, 7:29 p.m.
Attack Patterns
- VenomRAT
- T1102.001 (Web Service: Dead Drop Resolver)
- T1132.001 (Data Encoding: Standard Encoding)
- T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
- T1056.001 (Input Capture: Keylogging)
- T1005 (Data from Local System)
- T1566.001 (Phishing: Spearphishing Attachment)
- T1027 (Obfuscated Files or Information)
- T1112 (Modify Registry)
- T1041 (Exfiltration Over C2 Channel)