A sophisticated phishing campaign is leveraging virtual hard disk (.vhd) files to distribute the dangerous VenomRAT malware.<\/p>\n
The attack begins with purchase order-themed emails containing archive attachments that, when extracted, reveal hard disk image files designed to evade traditional security measures<\/a>.<\/p>\n Upon opening, the .vhd file mounts itself as a disk drive containing a heavily obfuscated batch script that performs malicious activities using PowerShell.<\/p>\n The batch file contains multiple layers of obfuscation<\/a> including garbage characters, Base64 encoding, and AES encryption.<\/p>\n Forcepoint researchers identified<\/a> that once executed, the malware creates a copy of itself in \u201cC:Users%userprofile%dwm.bat\u201d and opens PowerShell to execute additional commands.<\/p>\n The script then modifies registry entries to ensure persistence on the infected system.<\/p>\n The attack chain continues as the malware drops additional files into the StartUp folder and connects to Pastebin.com where command and control server information is stored.<\/p>\n These techniques help the malware establish a foothold and maintain communication with its operators.<\/p>\n Analysis of the payload reveals it is VenomRAT version 6.0.3, which includes HVNC (Hidden Virtual Network Computing) service capabilities for remote system control.<\/p>\n The malware drops a DataLogs.conf file in \u201cC:Users%userprofile%AppDataRoamingMyData\u201d to capture keystrokes and other sensitive information<\/a>.<\/p>\n This configuration file contains an AES encryption key \u201ca487de3093a5DGe47d49bc0733cbcleMec5Ed75adee513c39017e977a04597dr\u201d with a salt value of \u201cVenombatzyVeacon\u201d, which the malware uses for secure communication with its command servers.<\/p>\n The post Hacker Weaponizing Hard Disk Image Files To Deliver VenomRAT<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQqYjO4Hqf_VTpx0FVXXfyoEQYowOo8uUrxvV0UFm6yXigdhBKSDpqZNKaQrD2evnKX2085rkccUyjawBUKBQ0GpTrSgv6npEdh5UOCVHWRHtWc_01AmEhCaSr5UxqPdLo6-oqkLQVD5WxnwxAtf4WpdOeNJ4AOk-x2kXI_eiftTsiGbVCaE_Q7SGz6c8\/s16000\/Batch%2520file%2520inside%2520.vhd%2520file%2520%28Source%2520-%2520Forcepoint%29.webp?ssl=1\")
Analysis VenomRAT<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiArohTwtPI3LQHOrAE6Dc-gIPfGYbDQWyyjBPRNxOptgRcbjbkIs2PsHiLo93iify8gW-q85ZgSMR7_HFTEAG_R6nbHSqRf6djFZZ77FH6pBZhr2bmM2CgLympBFOOqEAnS2NsYX_a5Tt0kOK-ilU4pLMosJAj2_rf9nDFnkB1yeUBFm5o5lr1RvAQ6bE\/s16000\/DataLogs.conf%2520in%2520AppData%2520-%2520Roaming%2520%28Source%2520-%2520Forcepoint%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEivi0dNd6P21Zh56Gv22_KTs6t4YmgEG_4DaTY1UIvsbOpT8TBG0RVekx4lB2ulgsnvHE9jAQiV7PlhSno6TNGay1lXYVway-fkp_MZ8ALm_2r3cOHS9OHvHqHT8gidj5cOjvdjdeqHZLGT93D8W6kwmsXAiRqXu6AUTXjBjJNMOUuphnSZTit-Iu4TK7s\/s16000\/Config%2520file%2520used%2520by%2520VenomRAT%2520%28Source%2520-%2520Forcepoint%29.webp?ssl=1\")
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/strong><\/code><\/strong><\/strong><\/p>\n