Phishing Campaign Harnesses ScrubCrypt and BatCloak to Mask VenomRAT Deployment

A new phishing campaign leveraging obfuscation tools such as ScrubCrypt and BatCloak to circumvent security defenses. Fortinet's cyber threat analyst, Cara Lin, explains that the campaign utilizes a Scalable Vector Graphics (SVG) file, disguised as an invoice related to a shipment to lure victims. This SVG file facilitates the download of a ZIP file containing a BatCloak-obfuscated batch file, which subsequently deploys ScrubCrypt to load the VenomRAT malware, establishing a connection with a Command and Control (C2) server. The end goal of the attackers is the installation of plugins on the victims' system. One observed plugin acts as a stealer, targeting cryptocurrency wallets and extracting data from email and the Telegram messaging platform.

The attack sequence starting with the SVG file's execution produces a ZIP file containing base64-encoded data. The ensuing decompression process unveils a BatCloak-obfuscated batch file, which in turn triggers ScrubCrypt. The malware sequence proceeds with carefully formulated PowerShell commands designed to operate stealthily. Notably, the attack employs PowerShell, copied to the Public directory, and manipulates it using parameters to ensure executions are done in a discrete manner. Moreover, the certutil process is utilized with the "-decodehex" option to decode and deploy a PNG file as a CMD script. Subsequent steps include a cleanup process, where the 'del' command through CMD purges files previously used, ensuring the attack's footprint remains minimal and evasive.

At the core of this operation is VenomRAT, a variant of the Quasar RAT, allowing attackers to manipulate compromised systems to further nefarious activities. Communication with the C2 server allows VenomRAT to retrieve and run additional plugins. "The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets," notes Lin. The campaign's complexity, marked by the deployment of elusive tools, underscores the need for detailed process behavior analysis as part of the threat detection process. Although the current campaign lacks a definitive attribution, the '8220 Gang' has been previously recognized for deploying ScrubCrypt in attacks against Oracle WebLogic Servers.