The Invisible Thread: Inside the Multi-Stage Python Injection Powering VioletRAT
Researchers at SonicWall have identified a new campaign distributing the VioletRAT malware. The operation uses a multi-stage delivery chain and a Python-based code-injection technique. The attackers chain several loading and execution stages to establish persistence on the host and evade Windows security controls.
The infection begins with an email carrying a compressed archive. Inside is a heavily obfuscated BAT file saved in UTF-16LE encoding, so that opening it in an ordinary text editor shows what looks like a meaningless sequence of characters. The encoding hides the script's intent and reduces the likelihood of detection.
When run, the BAT file silently launches PowerShell and opens google.com to disguise its activity. At the same time it downloads a did.zip archive from cloud storage and stores it under %USERPROFILE%/Contacts/dad. It also drops a second script, start.bat, into the Windows startup folder so the malicious code is relaunched at every boot.
The next stage runs a Python script, stry.py. The archive also holds the other key components: encrypted shellcode in nou.bin, key material in a.txt, and a set of supporting Python libraries. The script obfuscates data types, API names and function parameters, and refers to itself internally as the “Advanced Payload Executor.”
The script assembles the key from a.txt and runs it through a series of transformations to decrypt the shellcode: the key is first inverted, then used in an XOR pass over the data, and the resulting compressed block is expanded with zlib.decompress. The decoded code is then injected into the explorer.exe process and run through the Windows APIs ResumeThread and WaitForSingleObject.
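The decode chain above, reconstructed as an added example for this article (it is not SonicWall's tooling or the malware's own script): the key string from a.txt is assumed to be reversed, used as a repeating XOR key over the nou.bin blob, and the result handed to zlib.decompress. Because "inverted" is ambiguous, the helper also tries a bitwise-NOT variant and uses the zlib header check to tell which transform produced a valid stream. SAMPLE_KEY, SAMPLE_SHELLCODE and SAMPLE_BLOB are constructed fixtures, not data from the sample.

```python
"""Reconstructing the stry.py decryption chain (added example, not the malware's code).

Assumptions beyond what the article states:
  - a.txt yields one key string; "inverted" is taken to mean byte reversal,
    with bitwise NOT tried as a fallback,
  - the XOR key repeats across the whole nou.bin blob,
  - the XOR output is a zlib stream fed straight to zlib.decompress.
"""
import zlib
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it serves both directions."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_zlib(data: bytes) -> bool:
    """Triage check on the first two bytes (RFC 1950): compression method must be 8
    and the CMF/FLG pair must be a multiple of 31. Distinguishes a wrong key from a
    corrupt stream before calling zlib.decompress."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def key_variants(raw_key: str) -> dict:
    """The two readings of "inverted" an analyst should try, most likely first."""
    return {
        "reversed": raw_key[::-1].encode(),                        # string reversal (assumed primary)
        "bitwise-not": bytes(~b & 0xFF for b in raw_key.encode()),  # fallback reading
    }


def identify_key_variant(blob: bytes, raw_key: str) -> Optional[str]:
    """Return the name of the key transform whose XOR output is a valid zlib stream."""
    for name, key in key_variants(raw_key).items():
        candidate = xor_bytes(blob, key)
        if looks_like_zlib(candidate):
            try:
                zlib.decompress(candidate)
                return name
            except zlib.error:
                continue
    return None


def decrypt_payload(blob: bytes, raw_key: str) -> Optional[bytes]:
    """Full chain: derive key -> XOR -> zlib.decompress. None if no variant works."""
    variant = identify_key_variant(blob, raw_key)
    if variant is None:
        return None
    return zlib.decompress(xor_bytes(blob, key_variants(raw_key)[variant]))


def encrypt_payload(plain: bytes, raw_key: str) -> bytes:
    """Inverse chain (zlib.compress -> XOR with reversed key); used only to build fixtures."""
    return xor_bytes(zlib.compress(plain), key_variants(raw_key)["reversed"])


# Constructed fixtures (not material from the real sample).
SAMPLE_KEY = "k3y-from-a.txt"
SAMPLE_SHELLCODE = b"\x90" * 16 + b"\xcc"   # placeholder bytes, not real shellcode
SAMPLE_BLOB = encrypt_payload(SAMPLE_SHELLCODE, SAMPLE_KEY)

if __name__ == "__main__":
    print("key transform:", identify_key_variant(SAMPLE_BLOB, SAMPLE_KEY))
    print("payload:", decrypt_payload(SAMPLE_BLOB, SAMPLE_KEY))
```

On a real sample, replace SAMPLE_BLOB and SAMPLE_KEY with the contents of nou.bin and a.txt; a None result means the key assembly in stry.py does something beyond the two transforms tried here and has to be read out of the obfuscated script itself.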
The shellcode continues the loading chain, dynamically resolving function addresses in ntdll.dll and kernel32.dll. It decrypts a second data block and loads additional libraries, including oleaut32.dll and wininet.dll. A dedicated stage disables the Antimalware Scan Interface (AMSI): the code overwrites the AmsiScanBuffer and AmsiScanString functions so that they always return a “clean” result.
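A check a defender can run for the AMSI tampering described above, written as an added example for this article (not SonicWall's or the malware's code): read the first bytes of the AmsiScanBuffer and AmsiScanString exports in a process and compare them with the stub patterns that public bypasses commonly write, such as `mov eax, 0x80070057; ret` or `xor eax, eax; ret`. The stub bytes are well-known patterns, not bytes taken from this sample; the in-process reader relies on ctypes and works only on Windows, while the classification runs anywhere on a byte dump. UNPATCHED_PROLOGUE and PATCHED_PROLOGUE are constructed fixtures.

```python
"""Detecting in-memory patches of AmsiScanBuffer / AmsiScanString (added example).

The loader overwrites these exports so they always report a benign result.
This check looks at the first bytes of each function for the usual ways of
doing that. Signatures are public bypass stubs, not bytes from this sample.
"""
import ctypes
import sys
from typing import Optional

# Stub bytes that make AMSI report "clean" or fail open. Longer stubs first so
# that the bare `ret` entry does not shadow them.
# E_INVALIDARG = 0x80070057: AmsiScanBuffer returns an error, scan result never set.
PATCH_STUBS = {
    "mov eax, E_INVALIDARG; ret": b"\xb8\x57\x00\x07\x80\xc3",
    "xor eax, eax; ret":          b"\x31\xc0\xc3",
    "xor eax, eax; ret (alt)":    b"\x33\xc0\xc3",
    "ret":                        b"\xc3",
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Return the name of the patch the prologue starts with, or None if it looks intact."""
    for name, stub in PATCH_STUBS.items():
        if prologue.startswith(stub):
            return name
    # Generic heuristic: any `mov eax, imm32; ret` in the first six bytes means
    # the function now returns a constant, whatever the constant is.
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        return "mov eax, imm32; ret (unlisted constant)"
    return None


def read_export_prologue(dll: str, export: str, n: int = 16) -> bytes:
    """Read the first n bytes of an exported function in this process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("in-process read requires Windows")
    module = ctypes.WinDLL(dll)
    address = ctypes.cast(getattr(module, export), ctypes.c_void_p).value
    return ctypes.string_at(address, n)


def check_amsi_exports(reader=read_export_prologue) -> dict:
    """Classify both AMSI exports; `reader` is injectable so the logic can be
    exercised on captured bytes off-box."""
    return {export: classify_prologue(reader("amsi.dll", export))
            for export in ("AmsiScanBuffer", "AmsiScanString")}


# Constructed fixtures: a plausible x64 function prologue (mov r11, rsp; mov [r11+8], rbx ...)
# standing in for an intact export, and the same bytes with a return-constant stub written over them.
UNPATCHED_PROLOGUE = b"\x4c\x8b\xdc\x49\x89\x5b\x08\x49\x89\x73\x10\x57\x41\x56\x41\x57"
PATCHED_PROLOGUE = PATCH_STUBS["mov eax, E_INVALIDARG; ret"] + UNPATCHED_PROLOGUE[6:]


def fake_reader_patched(dll: str, export: str, n: int = 16) -> bytes:
    """Stand-in for read_export_prologue that returns the constructed patched bytes."""
    return PATCHED_PROLOGUE[:n]


if __name__ == "__main__":
    if sys.platform == "win32":
        print(check_amsi_exports())
    else:
        print(check_amsi_exports(fake_reader_patched))
```

Prefix matching catches the common overwrite-the-first-bytes bypasses but not every bypass (a hook that jumps elsewhere, or a patch deeper in the function, will pass); the robust version of this check compares the whole in-memory function body against the on-disk amsi.dll.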
With these defenses neutralized, the loader starts a .NET runtime inside the host process. Using CLR hosting, the native process controls the .NET execution environment, creates a new application domain, and launches the executable through internal CLR mechanisms.
The final payload is the VioletRAT remote access trojan. Sold under a malware-as-a-service model, it gives the operator full control over the compromised system. Its command panel includes device management, network tools, and the ability to disable Windows Defender.
According to SonicWall, this new loader architecture reflects the growing complexity of the VioletRAT infrastructure and its increasingly sophisticated techniques for evading Windows security controls.