VHDs Used to Distribute VenomRAT and Other Malware


Threat actors always like to find new ways to deliver malware undetected to target large communities. In this blog post, I’ll cover a current technique threat actors use to bypass security measures, deliver malware, infect systems and exfiltrate data—all by using a virtual hard disk image file to host and distribute the VenomRAT malware. 

How VenomRAT Works

The VenomRAT campaign starts with a phishing email that uses a purchase order as a lure to convince users to open the attachment. The email carries an archive attachment that, when extracted, contains a hard disk image (.vhd) file. Upon opening, the file mounts itself as a hard disk drive. This disk image contains a batch script that performs malicious activities using PowerShell and sends sensitive information to malicious C2s.

VenomRAT Attack Chain: 

1- Email example:

Fig. 1 - VenomRAT email

2- ZIP archive file and its content

Fig. 2 - Archive contains .vhd image file

3- Inside the .vhd file

Fig. 3 - Batch file inside .vhd file

4- Batch file overview

The batch file present in the .vhd image file is heavily obfuscated with multiple commands and declarations.

Fig. 4 - Base64 obfuscation

Fig. 4.1 - AES encrypted data

Fig. 4.2 - Batch file obfuscation

5- Batch file de-obfuscation and analysis: 

See batch file highlighted in Figure 5 below: 

Fig. 5 - Batch file

The first level of de-obfuscation removes the garbage values and reveals another layer of Base64 encoding:

Fig. 5.2 - First level of deobfuscation

In Figure 5.3 below, we can see that the script uses PowerShell for further malicious activity. On decoding the next set of Base64 layers, we observed that the script uses injection techniques and drops a file named DataLogs.conf under \AppData\Roaming; this file is used to capture keystrokes and other important data, which it sends to the relevant C2s.

Fig. 5.3 - Second-level deobfuscation and AES decryption technique
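As an added illustration (my own code, not the post's tooling), the following Python peels the layering described above, garbage values followed by nested Base64, in one pass. The junk forms assumed here (carets and references to undefined %variables%, both of which cmd.exe drops when it runs a .bat file) and the sample line are constructed for the example, not taken from the campaign's batch file.

```python
import base64
import binascii
import re

# Constructed sample (not the real batch file): a PowerShell command is Base64-encoded,
# that blob is Base64-encoded again, and the result is sprinkled with junk that cmd.exe
# silently removes. The command itself is a harmless placeholder.
STAGE2_COMMAND = 'powershell -NoProfile -Command "Write-Output STAGE2_PLACEHOLDER"'
INNER_B64 = base64.b64encode(STAGE2_COMMAND.encode()).decode()
OUTER_B64 = base64.b64encode(INNER_B64.encode()).decode()
SAMPLE_LINE = "se^t %qz%%xx%p^ay^load=" + "^".join(
    OUTER_B64[i:i + 7] for i in range(0, len(OUTER_B64), 7))

JUNK = re.compile(r"\^|%\w+%")  # assumed junk forms: escape carets and %undefined% references
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # candidate Base64 runs worth decoding


def strip_batch_junk(line: str) -> str:
    """Remove the garbage that cmd.exe would drop, leaving the real command text."""
    return JUNK.sub("", line)


def peel_base64(blob: str, max_layers: int = 5) -> list:
    """Decode nested Base64 until the result is no longer valid Base64 or is not printable text.

    Returns every layer in order, innermost last, so the analyst can see each stage."""
    layers = []
    current = blob
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not Base64 (or not text): the previous layer was the payload
        if not decoded.isprintable():
            break
        layers.append(decoded)
        current = decoded
    return layers


def deobfuscate(line: str) -> str:
    """Clean one obfuscated batch line and return its innermost decoded payload, or '' if none."""
    cleaned = strip_batch_junk(line)
    for blob in B64_BLOB.findall(cleaned):
        layers = peel_base64(blob)
        if layers:
            return layers[-1]
    return ""
```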


6- Execution and analysis of batch script: 

Upon execution, the batch script performs a series of activities:

  • Creates a copy of itself at “C:\Users\$userName\dwm.bat”
  • Opens PowerShell
  • Drops a .cmd script in the Startup folder
  • Modifies the registry
  • Connects to the external site Pastebin[.]com, where the C2 is stored
  • Drops a file at “C:\Users\%userprofile%\AppData\Roaming\MyData\DataLogs.conf”

Fig. 6 - .cmd file in Startup folder

Fig. 6.1 - Pastebin.com connection

Fig. 6.2 - Malicious TCP connection to port 50037

Fig. 6.3 - DataLogs.conf in AppData/Roaming

From Figure 6.2, we observe a malicious TCP connection and the creation of the DataLogs_keylog_online.txt file, which is used to capture keystrokes and other sensitive data. Figure 6.3 above shows the presence of the DataLogs config file.

Additionally, when the script is executed while PowerShell is running, it dumps a compiled .NET executable along with a config file. The .NET file acts as a dependency for the network connection, performs several system checks and file/folder/directory modifications, and implements the AES decryption routine.
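The behaviours listed above map naturally onto host telemetry. The following is an added example (my own illustration, not Forcepoint's detection content) that encodes them as checks over Sysmon-style events and correlates the stages on one host; the event records are constructed for the example using Sysmon's field names for EventID 3, 11 and 22, with a placeholder user name, Startup file name and destination IP, while the dwm.bat and DataLogs.conf paths and port 50037 come from the post.

```python
import re

# Patterns for the behaviours described in the post. The user name, Startup file
# name and IP in the sample events are placeholders, not campaign values.
POWERSHELL = re.compile(r"\\powershell\.exe$", re.IGNORECASE)
SELF_COPY = re.compile(r"^C:\\Users\\[^\\]+\\dwm\.bat$", re.IGNORECASE)
STARTUP_CMD = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.cmd$", re.IGNORECASE)
KEYLOG_CONF = re.compile(r"\\AppData\\Roaming\\MyData\\DataLogs\.conf$", re.IGNORECASE)
C2_PORT = 50037  # port seen in Fig. 6.2

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
# Constructed Sysmon-style events, in the order the post describes the chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": CMD, "CommandLine": "cmd /c E:\\order.bat"},
    {"EventID": 11, "Image": CMD, "TargetFilename": "C:\\Users\\alice\\dwm.bat"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.cmd"},
    {"EventID": 22, "Image": PS, "QueryName": "pastebin.com"},
    {"EventID": 3, "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 50037},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\MyData\\DataLogs.conf"},
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def classify(event: dict):
    """Return the attack-chain stage one event matches, or None if it is unremarkable."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    script_host = POWERSHELL.search(image) or image.lower().endswith("\\cmd.exe")
    if eid == 11 and script_host and SELF_COPY.search(target):
        return "self_copy"
    if eid == 11 and script_host and STARTUP_CMD.search(target):
        return "startup_persistence"
    if eid == 11 and KEYLOG_CONF.search(target):
        return "keylog_config"
    if eid == 22 and POWERSHELL.search(image) and event.get("QueryName", "").lower() == "pastebin.com":
        return "pastebin_lookup"
    if eid == 3 and event.get("DestinationPort") == C2_PORT:
        return "c2_port"
    return None


def assess(events: list, min_stages: int = 2) -> dict:
    """Correlate events from one host; flag when at least min_stages distinct stages appear."""
    stages = {}
    for index, event in enumerate(events):
        stage = classify(event)
        if stage is not None:
            stages.setdefault(stage, index)  # remember the first event per stage
    return {"suspicious": len(stages) >= min_stages, "stages": stages}
```

A single Pastebin lookup or one file in Startup is noisy on its own, which is why the verdict requires several stages from the same host rather than any one indicator.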

7- .NET file overview

Fig. 7 - .NET file

8- Config file

The config file in Figure 8 shows that VenomRAT is using the HVNC service and is version 6.XX, and it contains the AES key used for decryption.

Fig. 8 - Config file used by VenomRAT

Conclusion:

RATs like VenomRAT are pretty common these days, and their operators will continue to use new techniques to deliver malware. In this blog post, I observed a RAT campaign delivered by a purchase order-themed phishing email. In a unique twist, the attackers delivered the malware inside a virtual hard disk image file to evade detection. The VHD contains a batch file protected by a series of obfuscations, including garbage characters, Base64 encoding and AES-encrypted data. When executed, the .BAT file spawns a PowerShell script that drops files into the Startup folder to attain persistence. It then abuses a legitimate service, Pastebin[.]com, to host the C2 where the exfiltrated data is stored.

Protection Statement:

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Malicious attachments associated with these attacks are identified and blocked.
  • Stage 3 (Redirect) – URLs that download further payloads are blocked.
  • Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.
  • Stage 6 (Call Home) – C2 servers are categorized under the security category and blocked.

IOCs 

Prashant Kumar

Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.