Cyber Security News

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, exploiting a novel technique to bypass security measures.

This campaign begins with a phishing email that uses a purchase order as a lure, enticing users to open an attached archive file.

Upon extraction, the archive reveals a .vhd file, which mounts itself as a hard disk drive when opened.

Inside this virtual drive is a batch script that executes malicious activities using PowerShell, ultimately sending sensitive information to command and control (C2) servers.

The VenomRAT Attack Chain

The attack chain involves several stages. Initially, the phishing email tricks users into opening the .vhd file.

VenomRATVenomRAT
VenomRAT email

Once mounted, the file executes a batch script that is heavily obfuscated with garbage characters, Base64, and AES encryption.

This script spawns a PowerShell process to perform further malicious actions.

It creates a copy of itself in the user’s directory, modifies system registries, and drops a cmd script in the Startup folder to ensure persistence.

The script also connects to Pastebin.com, where C2 information is stored, and drops a file named DataLogs.conf in the AppData/Roaming directory.

This file is used to capture keystrokes and other sensitive data, which are then sent to the C2 servers.

The execution of the batch script involves several key activities.

Batch file

It creates a .NET compiled executable along with a config file, which acts as a dependency for network connections and performs system checks.

The config file reveals the presence of VenomRAT using HVNC service and specifies an AES key used for decryption.

The malware exploits legitimate services like Pastebin to host its C2 infrastructure, making it challenging to detect.

Protection and Mitigation

To combat this threat, cybersecurity solutions like those offered by Forcepoint can protect against various stages of the attack.

These include identifying and blocking malicious attachments, blocking URLs that download further payloads, adding dropper files to malicious databases, and categorizing C2 servers under security categories to block them.

Users are advised to be cautious with email attachments and to use robust security software to detect and prevent such threats.

As RATs continue to evolve, staying vigilant and employing advanced security measures is crucial to mitigate these sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

1 day ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

1 day ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

1 day ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

1 day ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

1 day ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago