- Forcepoint observes new phishing campaign distributing virtual hard disk files
- The files bypass security protections to deploy the VenomRAT
- Victims end up losing sensitive data, so be on your guard
Criminals are now using virtual hard disk image files to host and distribute dangerous malware, researchers from Forcepoint are saying.
In an in-depth analysis, Forcepoint said it observed a phishing campaign, themed as a purchase order. In the attachment of the email is an archive which, when extracted, shows a hard disk Image file (.VHD).
When the victim opens the file, it mounts itself as a hard drive, and runs a batch script that includes a series of obfuscations including garbage characters, Base64 and AES encryption files. The .BAT file drops the Venom Remote Access Trojan (RAT) and spawns a PowerShell script that uses the Pastebin service to host C2 and exfiltrate stolen data.
Working around security solutions
Forcepoint’s Prashant Kumar said the threat actors opted for a VHD file to work around any email security, or endpoint protection solutions the target may have installed on their device.
“Threat actors always like to find new ways to deliver malware undetected to target large communities,” Kumar said. “I’ll cover a current technique threat actors use to bypass security measures, deliver malware, infect systems and exfiltrate data—all by using a virtual hard disk image file to host and distribute the VenomRAT malware.”
VenomRAT is a type of Trojan that allows cybercriminals to take full control of an infected system. Once installed, it enables attackers to execute commands remotely, steal sensitive information, and manipulate the victim’s computer without their knowledge. It is commonly used for keylogging and extracting saved credentials from web browsers and applications.
This malware is also capable of capturing screenshots and activating webcams, employs various persistence mechanisms, and can deploy additional malware. Because of its powerful capabilities, VenomRAT is often distributed through phishing emails, malicious downloads, and exploit kits that target system vulnerabilities.
You might also like
https://cdn.mos.cms.futurecdn.net/ThNyuwnA55tfcixfqWcEcA-1200-80.jpg
Source link
