Multi-Stage Attack Unveiled: Invoice-Themed Phishing Lures Deliver Venom RAT

A complex multi-stage attack has been uncovered by cybersecurity researchers, utilizing invoice-themed phishing decoys to distribute a variety of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer targeting crypto wallets.

According to the technical report, the attack involves email messages with Scalable Vector Graphics (SVG) file attachments. Clicking on these attachments triggers the infection sequence.

Notably, the attack employs the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware as obfuscated batch scripts. BatCloak, which has been available for sale to other threat actors since late 2022, is designed to load a next-stage payload in a way that evades traditional detection methods.

ScrubCrypt, first documented by Fortinet in March 2023 in a cryptojacking campaign linked to the 8220 Gang, is believed to be a variant of BatCloak.

In the recent campaign analyzed by the cybersecurity firm, the SVG file serves as a delivery mechanism for a ZIP archive containing a batch script likely created using BatCloak. This script unpacks the ScrubCrypt batch file to execute Venom RAT, after establishing persistence on the host and bypassing AMSI and ETW protections.

Venom RAT, a fork of Quasar RAT, enables attackers to take control of compromised systems, gather sensitive information, and execute commands from a command-and-control (C2) server. It also communicates with the C2 server to acquire additional plugins for various activities, including keylogging capabilities.

The campaign also delivers a stealer that collects system information and extracts data from folders associated with wallets and applications such as Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty, Zcash, Foxmail, and Telegram, sending it to a remote server.

“This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt,” said a security researcher. “The attackers use various methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.”

To defend against multi-stage attacks like this invoice-themed phishing campaign, it’s essential to educate employees about the dangers of opening email attachments from unknown sources. Implement email filtering solutions to detect and block malicious attachments before they reach users’ inboxes. Keep systems and software updated with the latest security patches, and use endpoint protection tools to detect and block malicious activity.
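
As an added illustration of the email-filtering step (not code from the report), the sketch below scans a message's SVG attachments for active content before delivery. The page does not say how the SVG hands over the ZIP archive, so the checks here (script elements, event-handler attributes, data URIs that begin with a ZIP header) are assumed general heuristics, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from xml.etree import ElementTree as ET

ZIP_B64_PREFIX = "UEsDB"  # base64 of the ZIP magic bytes PK\x03\x04

def _local(name):
    """Strip an XML namespace: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_bytes):
    """Return sorted reasons to quarantine an SVG attachment ([] if none)."""
    if b"<!ENTITY" in svg_bytes:          # refuse entity expansion outright
        return ["entity-declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-svg"]
    found = set()
    for el in root.iter():
        if _local(el.tag) in ("script", "foreignobject"):
            found.add("active-element:" + _local(el.tag))
        for attr, value in el.attrib.items():
            attr, value = _local(attr), value.strip()
            if attr.startswith("on"):     # onload, onclick, ...
                found.add("event-handler:" + attr)
            elif attr in ("href", "src") and value.lower().startswith("data:"):
                found.add("data-uri")
                if value.partition("base64,")[2].lstrip().startswith(ZIP_B64_PREFIX):
                    found.add("embedded-zip")
    return sorted(found)

def scan_message(raw):
    """Map each SVG attachment's filename to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): svg_findings(part.get_payload(decode=True))
            for part in msg.iter_attachments()
            if part.get_content_type() == "image/svg+xml"
            or (part.get_filename() or "").lower().endswith(".svg")}

# Constructed sample: an inert SVG shaped like an invoice lure.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script/>'
              b'<a href="data:application/zip;base64,UEsDBAoAAAAA">Invoice</a></svg>')

def build_sample():
    """Wrap the constructed SVG in a minimal email message."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(SAMPLE_SVG, maintype="image", subtype="svg+xml", filename="invoice.svg")
    return msg.as_bytes()
```

Any non-empty finding list is a reasonable trigger to quarantine the attachment, since invoices rarely need scriptable SVG.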