VHDs Used to Distribute VenomRAT and Other Malware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A phishing campaign is using virtual hard disk (VHD) image files to deliver the VenomRAT remote access trojan. The lure is a purchase-order-themed email carrying a ZIP archive that contains a VHD file. When the recipient opens it, Windows mounts the VHD as a drive letter and a heavily obfuscated batch script inside the image is executed. The script invokes PowerShell to drop files into the Startup folder for persistence, modify registry keys, and contact Pastebin as part of its command-and-control (C2) communication. The malware writes a DataLogs.conf file in which it records keystrokes and other sensitive data, then exfiltrates that content to the C2 server. The campaign also relies on AES encryption and multiple layers of obfuscation to evade detection.
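The chain above (ZIP-wrapped VHD, batch script from a mounted drive letter, encoded PowerShell, Startup-folder drop, Run-key change, Pastebin lookup, DataLogs.conf) lends itself to two triage checks: inspecting mail attachments for disk images by signature rather than file name, and scoring endpoint events for the sequence. The following Python is an added example written for this page, not code from the report or its author. The ZIP archive and the event records it processes are constructed samples; file names, paths and the indicator labels are illustrative assumptions, not indicators from the campaign.

```python
"""Triage helpers for the VHD-in-ZIP delivery chain (added example; constructed data)."""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Disk-image signatures (documented format constants, not campaign IOCs).
VHD_FOOTER_COOKIE = b"conectix"  # VHD footer cookie; last 512 bytes, also mirrored at offset 0 of dynamic VHDs
VHDX_HEADER_SIG = b"vhdxfile"    # VHDX file identifier at offset 0
IMAGE_EXTENSIONS = (".vhd", ".vhdx", ".iso", ".img")


def disk_image_kind(data: bytes) -> Optional[str]:
    """Identify a VHD/VHDX payload by its signature, independent of the file name."""
    if data[:8] == VHDX_HEADER_SIG:
        return "vhdx"
    if data[:8] == VHD_FOOTER_COOKIE or data[-512:][:8] == VHD_FOOTER_COOKIE:
        return "vhd"
    return None


def find_disk_images(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for each ZIP member that is, or claims to be, a disk image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # whole member; fine for gateway-sized attachments
            kind = disk_image_kind(data)
            if kind:
                hits.append((info.filename, f"magic:{kind}"))
            elif info.filename.lower().endswith(IMAGE_EXTENSIONS):
                hits.append((info.filename, "ext:" + info.filename.rsplit(".", 1)[-1].lower()))
    return hits


# Patterns for the behaviours described in the summary (assumed event shapes).
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
BAT_ON_NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\[^ ]*\.bat\b", re.I)


def score_chain(events: List[dict]) -> List[str]:
    """Match endpoint events against the described chain; return the indicator names hit."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            img = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("cmdline", "")
            # Batch file executed from a non-system drive letter (a freshly mounted VHD).
            if img.endswith("cmd.exe") and BAT_ON_NON_SYSTEM_DRIVE.search(cmd):
                hits.add("batch_from_mounted_drive")
            if img.endswith("powershell.exe") and parent.endswith("cmd.exe") and ENCODED_PS.search(cmd):
                hits.add("encoded_powershell_from_cmd")
        elif kind == "file":
            path = ev["path"]
            if STARTUP_DIR.search(path):
                hits.add("startup_folder_drop")
            if path.lower().endswith("datalogs.conf"):
                hits.add("datalogs_conf")
        elif kind == "registry" and RUN_KEY.search(ev["key"]):
            hits.add("run_key_persistence")
        elif kind == "network" and ev["dest_host"].lower().endswith("pastebin.com"):
            hits.add("pastebin_lookup")
    return sorted(hits)


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal VHD-shaped blob, a decoy PDF, and a VHDX hidden behind a .txt name."""
    vhd_blob = b"\x00" * 512 + VHD_FOOTER_COOKIE + b"\x00" * 504  # footer occupies the last 512 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase_Order.vhd", vhd_blob)
        zf.writestr("invoice.pdf", b"%PDF-1.4 not a disk image")
        zf.writestr("notes.txt", VHDX_HEADER_SIG + b"\x00" * 100)
    return buf.getvalue()


# Constructed endpoint events in an assumed, simplified schema (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c E:\order.bat"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"type": "network", "dest_host": "pastebin.com", "dest_port": 443},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\DataLogs.conf"},
]

if __name__ == "__main__":
    print(find_disk_images(build_sample_zip()))
    print(score_chain(SAMPLE_EVENTS))
```

Checking the VHD signature matters because an attacker can rename the image; Windows still mounts a `.vhd` by content, and a gateway rule keyed only on extension misses the `notes.txt` case above. The event scoring is deliberately coarse: a single hit (for example a Run-key write) is common in benign software, so alert on the combination rather than on any one indicator.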
OPENCTI LABELS :
powershell,keylogger,phishing,venomrat,obfuscation,persistence,aes encryption,vhd