VenomRAT Detection: A New Multi-Stage Attack Using ScrubCrypt to Deploy the Final Payload with Malicious Plugins

Cybersecurity researchers have unveiled a novel sophisticated multi-stage attack, in which adversaries take advantage of the ScrubCrypt anti-malware evasion tool to drop VenomRAT along with multiple harmful plugins, including nefarious Remcos, XWorm, NanoCore RAT, and other malicious strains.

Detect VenomRAT Deployed via ScrubCrypt 

With cyber-attacks proliferating and employing increasingly sophisticated intrusion methods, cyber defenders require advanced solutions to bolster their cyber defense capabilities at scale. SOC Prime Platform for collective cyber defense offers cutting-edge technology for threat detection and hunting while serving the world’s largest repository of behavior-based detections against the latest TTPs. 

To spot the malicious activity associated with the latest ScrubCrypt campaign, security professionals might rely on a curated detection stack available in the SOC Prime Platform. Just hit the Explore Detection button below and immediately drill down to the relevant Sigma rules list compatible with 28 SIEM, EDR, and Data Lake technologies. All the detections are mapped to MITRE ATT&CK framework v14.1 and enriched with tailored threat intelligence.

Explore Detections

Additionally, cybersecurity experts might explore a set of detection content addressing VenomRAT attacks by searching Threat Detection Marketplace with ¨VenomRAT¨ tag or using this link.

VenomRAT Spread via ScrubCrypt Attack Analysis

On April 8, 2024, FortiGuard Labs researchers issued a report shedding light on a new advanced offensive campaign launched via a phishing attack vector. Hackers employ the ScrubCrypt framework to distribute a VenomRAT payload coupled with a set of other malicious plugins employing numerous layers of obfuscation and evasion techniques.

The infection chain is triggered by phishing emails with harmful SVG files. Clicking on a lure attachment within the email leads to a ZIP archive download with a Batch file obfuscated with the BatCloak utility, which attackers have long used for detection evasion. Further on, hackers apply ScrubCrypt to spread VenomRAT and more harmful plugins on the compromised systems while establishing a connection with the C2 server. 

The initial payload delivered via ScrubCrypt serves two main objectives: establishing persistence and loading the targeted malware. VenomRAT, a modified iteration of a nefarious Quasar RAT, has been spotted in the cyber threat arena since 2020. Adversaries apply it to illicitly access and take control over the affected systems. Similar to other RATs, VenomRAT empowers attackers to manipulate compromised devices remotely, facilitating various malicious activities without the victim’s awareness or authorization.

In addition to VenomRAT, hackers spread NanoCore RAT across impacted instances using an obfuscated VBS file. They also drop XWorm RAT, malware capable of stealing sensitive data or enabling remote access. The fourth plugin applied in this offensive campaign is the notorious  Remcos RAT, which has been actively leveraged in phishing campaigns against Ukraine. One more plugin from the adversary toolkit is a stealer, which is not only distributed via the above-mentioned obfuscated VBS script but is also integrated into a .NET execution file that is obfuscated using SmartAssembly. This plugin includes a hardcoded array representing the malicious DLL file intended for stealing the user’s sensitive data. The latter continuously tracks the user’s system and sets eyes on specific crypto wallets.

The emergence of similar sophisticated cyber attacks, in which adversaries display the capability to maintain persistence, evade detection, and deploy diverse payloads fuels the critical need for robust cyber defensive measures to minimize the risks of intrusions. By leveraging SOC Prime’s Attack Detective, organizations can elevate cyber defense through automated detection stack validation to preempt attacks before they strike.