SOC Prime Bias: Medium

04 Jun 2026 15:08 UTC

From Malspam to DesckVB RAT Deployment

Author: SOC Prime Team

Summary

The report outlines a malspam campaign that culminates in deployment of the DesckVB RAT through a layered infection chain. The attack begins with a DoubleClick redirect and a custom HTML lure, then moves through a JScript loader, multiple PowerShell stages, and a .NET reflective loader that injects the final RAT into signed Microsoft binaries. Once active, the malware establishes persistence, weakens Windows security controls, and communicates with its command-and-control infrastructure over encrypted TCP channels.

Investigation

Huntress analysts observed the execution of a malicious JScript file through wscript.exe, followed by heavily obfuscated PowerShell that generated additional scripts and retrieved .NET payloads. The .NET loader carried out anti-analysis checks, disabled antivirus and Microsoft Defender protections, created Run registry entries and scheduled tasks, and used InstallUtil.exe or MSBuild.exe for process hollowing. Configuration analysis exposed two DDNS-based command-and-control hosts, a hard-coded AES password, and GPU enumeration logic that may support future cryptomining activity.

Mitigation

Organizations should block the known malicious domains and DoubleClick tracking URLs, enforce safer handling of .js, .vbs, and .hta files, and configure script files to open in a text editor instead of executing directly. Email protections such as DMARC, DKIM, and SPF should be enabled, and attachments and links should be sandboxed where possible. Defenders should also monitor for unauthorized Microsoft Defender exclusions and detect reflective loading into signed binaries.

Response

Security teams should alert on wscript.exe launching scripts from public or user-writable directories, PowerShell activity using the legacy IE8 user-agent, and creation of suspicious Run or RunOnce registry keys or scheduled tasks. The malicious ZIP archive and related artifacts should be quarantined, the affected endpoint isolated, and a full forensic investigation conducted to remove the RAT and all associated persistence mechanisms.

Attack Flow

graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#c2f0c2
    classDef process fill:#ffd9b3
    classDef operator fill:#ff9900

    %% Nodes – Actions
    phishing["<b>Action</b> – T1566.001 Phishing<br/>Spearphishing Attachment<br/>Malicious HTML attachment (Bestellung_2026.html) emailed to victim"]
    class phishing action
    user_execution["<b>Action</b> – T1204.002 User Execution<br/>Victim opens attachment triggering meta-refresh redirect"]
    class user_execution action
    js_execution["<b>Action</b> – T1204 User Execution<br/>Malicious JavaScript (A021185521S210008-11521.js) executed by wscript.exe"]
    class js_execution action
    evade_checks["<b>Action</b> – T1497.001 Virtualization Sandbox Evasion<br/>Loader checks for VM, sandbox, debugger and reboots if detected"]
    class evade_checks action
    disable_defender["<b>Action</b> – T1685 Disable or Modify Tools<br/>Disables Microsoft Defender, adds exclusions, patches AMSI and ETW"]
    class disable_defender action
    av_discovery["<b>Action</b> – T1518.001 Security Software Discovery<br/>RAT enumerates AV products via WMI"]
    class av_discovery action
    obfuscation["<b>Action</b> – T1027.005 Obfuscated Files or Information<br/>Heavy base64, junk code and indicator removal used"]
    class obfuscation action
    code_signing["<b>Action</b> – T1553.002 Subvert Trust Controls<br/>Signed Microsoft binaries (InstallUtil.exe, MSBuild.exe) used as proxy"]
    class code_signing action
    proxy_execution["<b>Action</b> – T1218 System Binary Proxy Execution<br/>RunPE injection into signed binaries"]
    class proxy_execution action
    process_injection["<b>Action</b> – T1055.011 Process Injection<br/>Create suspended process, unmap image, write payload and resume"]
    class process_injection action
    hijack_permission["<b>Action</b> – T1574.005 Hijack Execution Flow<br/>Executable installer file permissions weakness leveraged"]
    class hijack_permission action
    persistence_registry["<b>Action</b> – T1547.001 Boot or Logon Autostart Execution<br/>Registry Run and RunOnce entries plus Startup folder copy"]
    class persistence_registry action
    persistence_task["<b>Action</b> – T1543.001 Create or Modify System Process<br/>Scheduled tasks created with schtasks for persistence"]
    class persistence_task action

    %% Nodes – Tools / Processes
    wscript["<b>Tool</b> – wscript.exe<br/>Executes malicious JavaScript"]
    class wscript tool
    installutil["<b>Tool</b> – InstallUtil.exe<br/>Signed Microsoft binary used for proxy execution"]
    class installutil tool
    msbuild["<b>Tool</b> – MSBuild.exe<br/>Signed Microsoft binary used for proxy execution"]
    class msbuild tool
    schtasks["<b>Tool</b> – schtasks.exe<br/>Creates one-shot and recurring scheduled tasks"]
    class schtasks tool

    %% Node – Malware
    malicious_loader["<b>Malware</b> – Custom RAT Loader<br/>Performs evasion, disables defenses, injects payload"]
    class malicious_loader malware

    %% Operator (optional)
    op_and(("AND"))
    class op_and operator

    %% Connections – Attack Flow
    phishing -->|leads_to| user_execution
    user_execution -->|triggers| js_execution
    js_execution -->|executes| wscript
    js_execution -->|loads| malicious_loader
    malicious_loader -->|performs| evade_checks
    evade_checks -->|continues_to| disable_defender
    disable_defender -->|enables| av_discovery
    av_discovery -->|supports| obfuscation
    obfuscation -->|facilitates| code_signing
    code_signing -->|uses| installutil
    code_signing -->|or uses| msbuild
    installutil -->|proxy_exec| proxy_execution
    msbuild -->|proxy_exec| proxy_execution
    proxy_execution -->|enables| process_injection
    process_injection -->|enables| hijack_permission
    hijack_permission -->|enables| persistence_registry
    persistence_registry -->|establishes| persistence_task
    persistence_task -->|maintains| malicious_loader

    %% Styling assignments
    class phishing,user_execution,js_execution,evade_checks,disable_defender,av_discovery,obfuscation,code_signing,proxy_execution,process_injection,hijack_permission,persistence_registry,persistence_task action
    class wscript,installutil,msbuild,schtasks tool
    class malicious_loader malware
    class op_and operator

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

Attack Narrative & Commands

  1. Stage 1 – Deliver malicious JavaScript payload
    The attacker drops ktncm.js (the DesckVB RAT bootstrap) into C:\Users\Public.
  2. Stage 2 – Execute the JavaScript via wscript.exe
    This creates a process with Image *\wscript.exe and CommandLine containing the full path to ktncm.js.
  3. Stage 3 – Launch a PowerShell loader with execution-policy bypass
    The JavaScript spawns powershell.exe -ExecutionPolicy Bypass -File <loader>.ps1, matching the selection_ps pattern.
  4. Stage 4 – Use a Microsoft-signed binary (installutil.exe) to load the embedded .NET RAT DLL
    The PowerShell loader invokes installutil.exe with the RAT assembly as argument, satisfying selection_installutil.
  5. Stage 5 – Ensure MSBuild.exe is not the sole process (the rule explicitly negates pure MSBuild usage).

The combined telemetry (wscript → powershell → installutil) satisfies selection_js and (selection_ps or selection_installutil) and not selection_msbuild, thus firing the alert.
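A worked evaluation of that condition over Sysmon process-creation records, added here as an example and not part of the SOC Prime report or of the underlying Sigma rule. The matching criteria behind each selection, the user-writable directory list (drawn from the Response section's guidance on wscript.exe launching scripts from public or user-writable paths) and the sample events are all assumptions modelled on the narrative above; the AND of the three selections is read as a correlation across one host's events, as the "combined telemetry" wording implies.

```python
import re

# Constructed Sysmon EventID 1 (process creation) records modelled on the
# wscript -> powershell -> installutil chain of the simulation; not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\ktncm.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\loader.ps1"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe",
     "CommandLine": r"installutil.exe /LogFile= /LogToConsole=false C:\Users\Public\RAT.dll"},
]

# Directories an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def _image_is(event, name):
    return event["Image"].lower().endswith("\\" + name)

def selection_js(event):
    """wscript.exe running a .js whose path lies in a user-writable directory."""
    cmd = event["CommandLine"].lower()
    return (_image_is(event, "wscript.exe") and re.search(r"\.js\b", cmd) is not None
            and any(d in cmd for d in USER_WRITABLE))

def selection_ps(event):
    """powershell.exe started with -ExecutionPolicy Bypass and a .ps1 loader."""
    cmd = event["CommandLine"].lower()
    return (_image_is(event, "powershell.exe")
            and re.search(r"-executionpolicy\s+bypass", cmd) is not None and ".ps1" in cmd)

def selection_installutil(event):
    """installutil.exe handed a DLL on its command line."""
    return _image_is(event, "installutil.exe") and ".dll" in event["CommandLine"].lower()

def selection_msbuild(event):
    return _image_is(event, "msbuild.exe")

def rule_fires(events):
    """selection_js and (selection_ps or selection_installutil) and not selection_msbuild,
    correlated across the process-creation events of one host: the chain must start
    with the script host and use a loader other than MSBuild."""
    js = any(selection_js(e) for e in events)
    loader = any(selection_ps(e) or selection_installutil(e) for e in events)
    msbuild = any(selection_msbuild(e) for e in events)
    return js and loader and not msbuild
```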

Regression Test Script

The script below reproduces the exact chain on a Windows host. Run as Administrator.

# --------------------------------------------------------------
# DesckVB RAT simulation script - triggers the Sigma rule
# --------------------------------------------------------------

# 1. Create malicious JavaScript (placeholder payload)
$jsPath = "C:\Users\Public\ktncm.js"
Set-Content -Path $jsPath -Value @'
WScript.Echo('Launching RAT...');
var shell = WScript.CreateObject('WScript.Shell');
// Backslashes are doubled because the path sits inside a JScript string literal
shell.Run('powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\loader.ps1', 0, false);
'@

# 2. Create PowerShell loader (simulated obfuscated command)
#    A single-quoted here-string (@' ... '@) is used so that $encoded, $bytes and
#    $command are written literally into loader.ps1 instead of being expanded here.
$psPath = "C:\Users\Public\loader.ps1"
Set-Content -Path $psPath -Value @'
# Simulated obfuscation: base64-encoded command that runs the RAT DLL via InstallUtil
$encoded = 'JABzAGUAcwB0ACAAKABJAG4zdABkAHUAdABlAHIASWUAbwA=' # dummy
$bytes = [Convert]::FromBase64String($encoded)
$command = [System.Text.Encoding]::Unicode.GetString($bytes)
# In a real attack this would be: installutil.exe C:\Users\Public\RAT.dll
Write-Output 'Pretend to run InstallUtil with RAT DLL'
'@

# 3. Execute the malicious JavaScript via wscript.exe
Start-Process -FilePath "$env:SystemRoot\System32\wscript.exe" -ArgumentList "`"$jsPath`"" -WindowStyle Hidden

# 4. Simulate InstallUtil execution (RAT.dll does not exist, so InstallUtil exits
#    immediately, but the process creation still produces the expected telemetry)
Start-Process -FilePath "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\installutil.exe" `
    -ArgumentList "/LogFile= /LogToConsole=false C:\Users\Public\RAT.dll" -WindowStyle Hidden

# --------------------------------------------------------------
# End of simulation - the above processes produce the Sysmon
# EventID=1 (process creation) logs that match the Sigma rule.
# --------------------------------------------------------------

Cleanup Commands

# Remove artifacts
Remove-Item -Path "C:\Users\Public\ktncm.js","C:\Users\Public\loader.ps1","C:\Users\Public\RAT.dll" -Force -ErrorAction SilentlyContinue

# Stop any lingering installutil or wscript processes (if still running)
Get-Process -Name wscript, installutil -ErrorAction SilentlyContinue | Stop-Process -Force

End of Report