A Multi-Stage Cyber Attack with Invoice-Themed Phishing

New Threats in the Wild

Cybersecurity researchers recently uncovered a complex multi-stage cyber attack that uses invoice-themed phishing decoys to deliver a diverse range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and even a stealer targeting cryptocurrency wallets.

The Phishing Bait

The attack begins with email messages carrying Scalable Vector Graphics (SVG) file attachments. An SVG is an XML document that browsers render natively and that can carry embedded script or event handlers, so an "invoice" that opens in the browser is enough to start the chain without any macro or executable being mailed. The attachment serves as the initial lure: recipients are enticed to click on what appears to be legitimate invoice-related content, and doing so triggers a carefully crafted infection sequence. According to a technical report by Fortinet FortiGuard Labs, the infection uses a variety of tools to obfuscate its payload and evade traditional security mechanisms.
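A mail gateway or triage script can catch this class of lure by inspecting the SVG itself rather than trusting the image extension. The following is an added example written for this article, not code from Fortinet or from the campaign: it parses an SVG and flags the constructs that let the file run code or hand the browser a download (a `script` element, event-handler attributes such as `onload`, `foreignObject`, `javascript:`/`data:` hrefs, and long base64 blobs, which it sniffs for a ZIP header). The sample SVG is constructed to resemble the pattern described above; the filename and text in it are hypothetical.

```python
"""Triage an SVG e-mail attachment for script-bearing constructs.

Added example for this article; not Fortinet code and not the campaign's
actual lure. The SVG below is constructed: an onload handler that hands
the browser a base64-encoded ZIP to save. All names are hypothetical.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Attributes that run script when the SVG is rendered or interacted with.
EVENT_ATTRS = {"onload", "onclick", "onbegin", "onend", "onmouseover", "onerror"}
# A run of 200+ base64 characters is long enough to be an embedded file.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name):
    """Drop the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def triage_svg(svg_text):
    """Return a list of (finding, detail) pairs; an empty list is a clean file."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers tolerate markup a strict parser rejects, so a parse error
        # is a reason to quarantine the file, not to pass it.
        return [("parse-error", str(exc))]
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append(("script-element", (el.text or "").strip()[:80]))
        elif tag == "foreignobject":
            findings.append(("foreignObject", "HTML content embedded in SVG"))
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name in EVENT_ATTRS:
                findings.append(("event-handler", f"{name}={value[:80]}"))
            elif name == "href":
                scheme = value.strip().split(":", 1)[0].lower()
                if scheme in ("javascript", "data"):
                    findings.append(("href-scheme", scheme))
    for blob in B64_BLOB.findall(svg_text):
        # Decode the first 8 chars (6 bytes) to identify the embedded file type.
        head = base64.b64decode(blob[:8])
        kind = "embedded-zip" if head.startswith(b"PK\x03\x04") else "embedded-blob"
        findings.append((kind, f"{len(blob)} base64 chars"))
    return findings


# --- constructed sample input -------------------------------------------------
# A ZIP local-file header followed by padding stands in for the dropped archive.
_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()

SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
  onload="var a=document.createElement('a');a.href='data:application/zip;base64,{_ZIP_B64}';a.download='INVOICE.zip';a.click()">
  <text x="10" y="20">Invoice INV-0001 - click to open</text>
</svg>"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for kind, detail in triage_svg(SAMPLE_SVG):
        print(f"{kind:15} {detail}")
    print("benign:", triage_svg(BENIGN_SVG))
```

For production use, parse untrusted XML with `defusedxml` rather than the standard library module, which is not hardened against entity-expansion attacks, and treat any finding (including a parse error) as grounds to quarantine the attachment rather than deliver it as an image.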

BatCloak and ScrubCrypt: The Obfuscation Engine and Crypter

Central to this attack is the use of the BatCloak malware obfuscation engine and ScrubCrypt, a crypter. BatCloak, introduced in late 2022 and based on a predecessor tool called Jlaive, is designed to load the next-stage payload in a way that circumvents conventional malware detection methods. This allows attackers to deliver malicious software without raising immediate suspicion.

ScrubCrypt, a crypter initially documented by Fortinet in March 2023 in connection with a cryptojacking campaign by the 8220 Gang, is believed to be a later iteration of BatCloak. The combination of these tools creates a formidable defense-evading mechanism that complicates detection efforts.

The Malware Distribution Mechanism

In this latest campaign, the SVG file attachment acts as a gateway that drops a ZIP archive containing a batch script. This script, likely produced by BatCloak, unpacks a second, ScrubCrypt-generated batch file, which ultimately executes Venom RAT. Before launching the RAT, the script establishes persistence on the host and bypasses Windows protections, namely AMSI (Antimalware Scan Interface), which lets security products scan script content at execution time, and ETW (Event Tracing for Windows), which feeds PowerShell's script block logging and other telemetry.
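Because the chain disables AMSI and ETW before the RAT runs, the script block that performs that tampering is often the last useful PowerShell telemetry a defender receives from the host. The following is an added example, not Fortinet's code and not the campaign's own script: it scans a constructed, tab-separated export of PowerShell Event ID 4104 (script block logging) for the indicator strings used by the widely published reflection-based AMSI and ETW patches, after collapsing the quote-and-concatenation obfuscation those one-liners commonly use. The log layout, hostnames and timestamps are assumptions made for the example.

```python
"""Flag AMSI and ETW tampering in PowerShell script-block log entries.

Added example for this article; not Fortinet code and not the campaign's
own script. Assumes a tab-separated export of Event ID 4104
(Microsoft-Windows-PowerShell/Operational) with four fields:
timestamp, host, event id, script block text. The log lines below are
constructed.
"""
import re

# Strings that appear in the common reflection-based AMSI/ETW patches.
INDICATORS = {
    "amsi-bypass": ("amsiutils", "amsiinitfailed", "amsiscanbuffer",
                    "amsicontext", "amsi.dll"),
    "etw-bypass": ("psetwlogprovider", "etwprovider", "etweventwrite",
                   "m_enabled"),
}

# Quotes, '+', backticks and whitespace are what string-splitting
# obfuscation inserts between the letters of an indicator.
_NOISE = re.compile(r"""['"+`\s]""")


def normalize(script):
    """Collapse 'Am'+'si`Utils'-style splitting so substring search works."""
    return _NOISE.sub("", script).lower()


def classify(script):
    """Return the set of indicator categories present in one script block."""
    text = normalize(script)
    return {cat for cat, needles in INDICATORS.items()
            if any(n in text for n in needles)}


def scan_script_blocks(lines):
    """Return (timestamp, host, sorted categories) for each matching 4104 entry."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t", 3)
        if len(fields) != 4 or fields[2] != "4104":
            continue  # malformed line or not a script block event
        cats = classify(fields[3])
        if cats:
            hits.append((fields[0], fields[1], sorted(cats)))
    return hits


# --- constructed sample log ---------------------------------------------------
_ENTRIES = [
    # plain AMSI patch via reflection
    ("2024-04-08T10:15:02Z", "WS01", "4104",
     "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    # the same patch with the indicator strings split and backtick-escaped
    ("2024-04-08T10:15:03Z", "WS01", "4104",
     "$a='Am'+'si'+'Ut'+'ils';[Ref].Assembly.GetType('System.Management."
     "Automation.'+$a).GetField(\"amsiInit`Failed\",'NonPublic,Static')"
     ".SetValue($null,$true)"),
    # ETW provider disable, which silences later 4104 events from the process
    ("2024-04-08T10:16:40Z", "WS02", "4104",
     "[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType("
     "'System.Diagnostics.Eventing.EventProvider').GetField('m_enabled',"
     "'NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management"
     ".Automation.Tracing.PSEtwLogProvider').GetField('etwProvider',"
     "'NonPublic,Static').GetValue($null),0)"),
    # benign activity, and a non-4104 event that must be ignored
    ("2024-04-08T10:17:11Z", "WS03", "4103",
     "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    ("2024-04-08T10:18:00Z", "WS03", "4104",
     "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
]
SAMPLE_LOG = ["\t".join(e) for e in _ENTRIES]

if __name__ == "__main__":
    for ts, host, cats in scan_script_blocks(SAMPLE_LOG):
        print(ts, host, ",".join(cats))
```

Script block logging has to be enabled by policy ("Turn on PowerShell Script Block Logging") for these events to exist at all, and once the ETW patch succeeds the process stops emitting further 4104 events, so an alert on the patching block itself is the signal to act on; the normalization step matters because the plain substrings are trivially split across string literals in the wild.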

Venom RAT, a fork of Quasar RAT, is a Remote Access Trojan that allows attackers to take control of the compromised system, collect sensitive information, and execute commands from a remote command-and-control (C2) server. It can also communicate with the C2 server to download additional plugins for different tasks, including keylogging, data exfiltration, and remote execution of additional malware like NanoCore RAT, XWorm, and Remcos RAT.

Gathering Information and Stealing Cryptocurrency

The plugin system in Venom RAT facilitates the delivery of additional malicious software, including a stealer that collects data from folders related to various cryptocurrency wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty, Zcash, and Telegram. This stolen data is then exfiltrated to a remote server, providing attackers with access to potentially valuable digital assets.

A Sophisticated Multi-Stage Attack

Security researcher Cara Lin notes that this attack represents a sophisticated approach, leveraging multiple layers of obfuscation and evasion techniques. By combining phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, the attackers can infiltrate and compromise target systems. The deployment of plugins through different payloads showcases the versatility and adaptability of this attack campaign.

Protecting Against This Threat

Given the complexity and adaptability of this attack, generic hygiene is necessary but not sufficient. Organizations and individuals should be cautious with email attachments, especially unexpected invoices, and mail gateways should treat SVG attachments like scripts rather than images, since the file type can carry executable content. On endpoints, keep software and operating systems up to date, use an antivirus solution that integrates with AMSI, enable PowerShell script block logging and alert on attempts to tamper with AMSI or ETW, and educate users about invoice-themed phishing. Monitoring access to cryptocurrency wallet and Telegram data directories gives a final chance to catch the stealer stage.

More articles by David Sehyeon Baek