Cyber Security News

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, exploiting a novel technique to bypass security measures.

This campaign begins with a phishing email that uses a purchase order as a lure, enticing users to open an attached archive file.

Upon extraction, the archive reveals a .vhd file, which mounts itself as a hard disk drive when opened.

Inside this virtual drive is a batch script that executes malicious activities using PowerShell, ultimately sending sensitive information to command and control (C2) servers.

The VenomRAT Attack Chain

The attack chain involves several stages. Initially, the phishing email tricks users into opening the .vhd file.

VenomRAT email

Once mounted, the file executes a batch script that is heavily obfuscated with garbage characters, Base64, and AES encryption.

This script spawns a PowerShell process to perform further malicious actions.

It creates a copy of itself in the user’s directory, modifies system registries, and drops a cmd script in the Startup folder to ensure persistence.

The script also connects to Pastebin.com, where C2 information is stored, and drops a file named DataLogs.conf in the AppData/Roaming directory.

This file is used to capture keystrokes and other sensitive data, which are then sent to the C2 servers.

The execution of the batch script involves several key activities.

Batch file

It creates a .NET compiled executable along with a config file, which acts as a dependency for network connections and performs system checks.

The config file reveals the presence of VenomRAT using HVNC service and specifies an AES key used for decryption.

The malware exploits legitimate services like Pastebin to host its C2 infrastructure, making it challenging to detect.

Protection and Mitigation

To combat this threat, cybersecurity solutions like those offered by Forcepoint can protect against various stages of the attack.

These include identifying and blocking malicious attachments, blocking URLs that download further payloads, adding dropper files to malicious databases, and categorizing C2 servers under security categories to block them.

Users are advised to be cautious with email attachments and to use robust security software to detect and prevent such threats.

As RATs continue to evolve, staying vigilant and employing advanced security measures is crucial to mitigate these sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fake Coinbase Migration Messages Target Users to Steal Wallet Credentials

A sophisticated phishing campaign is currently targeting cryptocurrency investors with fraudulent emails claiming to be…

1 hour ago

Electromagnetic Side-Channel Analysis of Cryptographically Secured Devices

Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices, particularly…

1 hour ago

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large language…

2 hours ago

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and…

2 hours ago

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known as…

5 hours ago

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple…

5 hours ago