Cyber Security News

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, exploiting a novel technique to bypass security measures.

This campaign begins with a phishing email that uses a purchase order as a lure, enticing users to open an attached archive file.

Upon extraction, the archive reveals a .vhd file, which mounts itself as a hard disk drive when opened.

Inside this virtual drive is a batch script that executes malicious activities using PowerShell, ultimately sending sensitive information to command and control (C2) servers.

The VenomRAT Attack Chain

The attack chain involves several stages. Initially, the phishing email tricks users into opening the .vhd file.

VenomRATVenomRAT
VenomRAT email

Once mounted, the file executes a batch script that is heavily obfuscated with garbage characters, Base64, and AES encryption.

This script spawns a PowerShell process to perform further malicious actions.

It creates a copy of itself in the user’s directory, modifies system registries, and drops a cmd script in the Startup folder to ensure persistence.

The script also connects to Pastebin.com, where C2 information is stored, and drops a file named DataLogs.conf in the AppData/Roaming directory.

This file is used to capture keystrokes and other sensitive data, which are then sent to the C2 servers.

The execution of the batch script involves several key activities.

Batch file

It creates a .NET compiled executable along with a config file, which acts as a dependency for network connections and performs system checks.

The config file reveals the presence of VenomRAT using HVNC service and specifies an AES key used for decryption.

The malware exploits legitimate services like Pastebin to host its C2 infrastructure, making it challenging to detect.

Protection and Mitigation

To combat this threat, cybersecurity solutions like those offered by Forcepoint can protect against various stages of the attack.

These include identifying and blocking malicious attachments, blocking URLs that download further payloads, adding dropper files to malicious databases, and categorizing C2 servers under security categories to block them.

Users are advised to be cautious with email attachments and to use robust security software to detect and prevent such threats.

As RATs continue to evolve, staying vigilant and employing advanced security measures is crucial to mitigate these sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

1 hour ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

1 hour ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

2 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

3 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

4 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

4 hours ago