VenomRAT Strikes: SVG Phishing Campaign Deploys Dangerous RAT

Cybersecurity specialists have uncovered a sophisticated multi-stage attack employing phishing messages themed around invoices to disseminate various types of malicious software, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and different info stealers targeting cryptocurrency wallets.

According to researchers at Fortinet, perpetrators dispatch emails containing attachments in the Scalable Vector Graphics (SVG) format. Opening such files initiates the infection chain.

A notable feature of this attack is the use of the BatCloak obfuscation tool, along with ScrubCrypt, to deliver malware in the form of obfuscated batch scripts.

BatCloak, available on dark web forums since late 2022 and based on the Jlaive tool, primarily functions to download the next stage of the payload in a manner designed to circumvent traditional detection mechanisms. The crypter ScrubCrypt, first documented by researchers in March 2023, is also considered a variant of BatCloak.

In the latest campaign analyzed by the researchers, the SVG file serves as a conduit for a ZIP archive containing a batch script that was likely generated with BatCloak. That script unpacks the ScrubCrypt batch file, which ultimately launches Venom RAT, but only after establishing persistence on the system and taking steps to evade AMSI and ETW protections.
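The page does not describe the exact markup of the malicious SVG, so as an added defensive illustration (not code from the Fortinet report) here is a small triage check for SVG email attachments: it flags script elements, event-handler attributes, foreignObject elements, and base64 data URIs whose decoded bytes begin with a ZIP file header. The sample SVG, the `go()` handler name and the embedded ZIP bytes are constructed for the demonstration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP archive
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)    # onload=, onclick=, ... handlers
DATA_URI = re.compile(r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)")

def triage_svg(svg_text: str) -> dict:
    """Collect features that a plain decorative image should never need."""
    f = {"parse_error": False, "script": 0, "foreign_object": 0,
         "event_handlers": [], "data_uris": [], "embedded_zip": False}
    try:
        for el in ET.fromstring(svg_text).iter():
            tag = el.tag.rsplit("}", 1)[-1].lower()        # drop the XML namespace
            if tag == "script":
                f["script"] += 1
            elif tag == "foreignobject":                   # can host HTML/JS content
                f["foreign_object"] += 1
            for attr in el.attrib:
                if EVENT_ATTR.match(attr.rsplit("}", 1)[-1]):
                    f["event_handlers"].append(attr)
    except ET.ParseError:
        f["parse_error"] = True        # malformed XML is itself worth a look
    # Data URIs survive broken XML, so scan the raw text rather than the tree.
    for mime, blob in DATA_URI.findall(svg_text):
        f["data_uris"].append(mime)
        try:
            if base64.b64decode(blob).startswith(ZIP_MAGIC):
                f["embedded_zip"] = True
        except binascii.Error:
            pass                       # not valid base64; keep the URI noted
    return f

def is_suspicious(f: dict) -> bool:
    """Any active content or smuggled archive is enough to quarantine for review."""
    return bool(f["script"] or f["foreign_object"] or f["event_handlers"]
                or f["embedded_zip"] or f["parse_error"])

# Constructed sample (not the campaign's file): a ZIP header smuggled in a data URI.
ZIP_B64 = base64.b64encode(ZIP_MAGIC + bytes(12)).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">
  <rect width="8" height="8" onload="go()"/>
  <script>/* placeholder for the demonstration; contains no code */</script>
  <image href="data:application/zip;base64,{ZIP_B64}"/>
</svg>"""

if __name__ == "__main__":
    print(triage_svg(SAMPLE_SVG), is_suspicious(triage_svg(SAMPLE_SVG)))
```

A benign SVG produces an empty findings set, so the check can run on every inbound attachment before the file ever reaches a mail client or browser.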

Venom RAT, a derivative of Quasar RAT, enables attackers to control infected systems, gather confidential information, and execute commands received from the control server.

“The core Venom RAT program may seem simplistic, but it supports communication channels with the C2 server to receive additional plugins, expanding the potential range of malicious activities,” states security researcher Cara Lin.

An info stealer is also delivered via the plugin system, collecting information about the system and exfiltrating data from folders associated with cryptocurrency wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty, Zcash, Foxmail, and Telegram.

“Our analysis reveals a complex attack that uses multi-layered obfuscation and evasion methods to distribute and execute VenomRAT via ScrubCrypt,” adds Lin.

The perpetrators employ various methods, including phishing emails with malicious attachments, obfuscated script files, and the PowerShell-based GuLoader, to infiltrate and compromise victims’ systems. Moreover, the deployment of plugins through different payloads underscores the versatility and adaptability of this malicious campaign.

A similar incident, which we covered just yesterday, demonstrates analogous tactics: disseminating malware through invoice-themed phishing campaigns that target corporate networks.

In today’s world, a single click on an unverified attachment can lead to severe consequences, including the leakage of confidential data and financial losses. It is therefore critically important to keep one’s cybersecurity knowledge current and to use every available protective measure to minimize the risks posed by online threats.