In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, exploiting a novel technique to bypass security measures.
This campaign begins with a phishing email that uses a purchase order as a lure, enticing users to open an attached archive file.
Upon extraction, the archive reveals a .vhd file, which mounts itself as a hard disk drive when opened.
Inside this virtual drive is a batch script that executes malicious activities using PowerShell, ultimately sending sensitive information to command and control (C2) servers.
The attack chain involves several stages. Initially, the phishing email tricks users into opening the .vhd file.
Once mounted, the file executes a batch script that is heavily obfuscated with garbage characters, Base64, and AES encryption.
This script spawns a PowerShell process to perform further malicious actions.
It creates a copy of itself in the user’s directory, modifies system registries, and drops a cmd script in the Startup folder to ensure persistence.
The script also connects to Pastebin.com, where C2 information is stored, and drops a file named DataLogs.conf in the AppData/Roaming directory.
This file is used to capture keystrokes and other sensitive data, which are then sent to the C2 servers.
The execution of the batch script involves several key activities.
It creates a .NET compiled executable along with a config file, which acts as a dependency for network connections and performs system checks.
The config file reveals the presence of VenomRAT using HVNC service and specifies an AES key used for decryption.
The malware exploits legitimate services like Pastebin to host its C2 infrastructure, making it challenging to detect.
To combat this threat, cybersecurity solutions like those offered by Forcepoint can protect against various stages of the attack.
These include identifying and blocking malicious attachments, blocking URLs that download further payloads, adding dropper files to malicious databases, and categorizing C2 servers under security categories to block them.
Users are advised to be cautious with email attachments and to use robust security software to detect and prevent such threats.
As RATs continue to evolve, staying vigilant and employing advanced security measures is crucial to mitigate these sophisticated attacks.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…