Scammers Prey on Crypto Investors With Venom RAT

Cybersecurity experts have discovered a complex multi-stage attack that uses invoice-themed phishing messages to spread a variety of malicious software, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and various infostealers aimed at cryptocurrency wallets.

According to Fortinet researchers, attackers send phishing emails with attachments containing Scalable Vector Graphics (SVG) files. Upon opening these files, a chain of infection is activated.

A distinctive feature of the attack is the use of a tool called BatCloak to obfuscate malicious scripts and of ScrubCrypt to deliver those obfuscated scripts.

BatCloak, based on the Jlaive tool, has been circulating on underground forums since the end of 2022. Its primary function is to load the next stage of the payload in a way that evades traditional detection mechanisms. The ScrubCrypt crypter, first documented by researchers in March 2023, is also associated with BatCloak.

In the latest campaign analyzed by the researchers, a ZIP archive within the SVG file contains a batch script, likely generated using BatCloak. This script then executes the ScrubCrypt batch file to deploy Venom RAT, ensuring persistence on the system while bypassing security measures.
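As an added illustration of one defender-side check for the SVG-to-ZIP stage described above (this is not code from Fortinet or from the article), the following Python script scans an SVG attachment for base64 runs that decode to a ZIP archive and lists any archive members with script extensions. It assumes the archive is smuggled as base64 text inside the SVG (for example in a script body or data: URI); the sample SVG and its member name are constructed.

```python
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Base64 runs long enough to plausibly carry an archive (constructed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def find_embedded_zips(svg_bytes: bytes):
    """Return the member-name list of every base64 run in the SVG that
    decodes to a ZIP archive. Assumption: the archive is embedded as
    base64 text somewhere in the SVG markup."""
    hits = []
    for m in B64_RUN.finditer(svg_bytes):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError (bad padding etc.)
            continue
        if not blob.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                hits.append([info.filename for info in zf.infolist()])
        except zipfile.BadZipFile:
            hits.append(["<unreadable zip>"])
    return hits


def suspicious_members(names):
    """Flag archive members whose extension would start a script chain."""
    return [n for n in names if n.lower().endswith(SCRIPT_EXTS)]


def build_sample_svg() -> bytes:
    # Constructed sample: a benign-looking SVG whose <script> carries a
    # base64-encoded ZIP holding a batch file, mimicking the chain described.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.bat", "@echo off\r\necho constructed sample\r\n")
    payload = base64.b64encode(buf.getvalue())
    return (b'<svg xmlns="http://www.w3.org/2000/svg"><script>var a="'
            + payload + b'";</script></svg>')


if __name__ == "__main__":
    for members in find_embedded_zips(build_sample_svg()):
        print("embedded ZIP:", members, "scripts:", suspicious_members(members))
```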

Venom RAT, a variant of Quasar RAT, enables attackers to control infected systems, gather sensitive data, and execute commands from a control server. Security researcher Cara Lin notes, “The main Venom RAT program may appear simple, but it supports communication channels with the C2 server to fetch additional plugins, expanding its malicious capabilities.”

Additionally, an infostealer is delivered through the plugin system; it gathers system information and targets folders associated with cryptocurrency applications such as Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty, Zcash, Foxmail, and Telegram.

“Our analysis reveals a sophisticated attack leveraging multi-layered evasion methods to propagate and execute Venom RAT using ScrubCrypt,” Lin adds.

Attackers employ various tactics, including phishing emails, malicious attachments, script files, and a PowerShell loader, to infiltrate and compromise victims. The deployment of plugins through diverse delivery mechanisms showcases the adaptability and versatility of this malicious campaign.