

Ethical Hacking News

We Smell a Sophisticated Malware Delivery Chain: Unpacking the Complexity of DCRat




Acronis Threat Research Unit uncovers a complex malware delivery chain involving a Visual Basic script, a batch file, and PowerShell to deploy high-profile malware such as DCRat or the Rhadamanthys infostealer. The full details of the scheme are in Acronis TRU's article.



  • The Acronis Threat Research Unit (TRU) has been analyzing a complex malware delivery chain involving multiple script languages and obfuscation techniques.
  • The scheme involves an email attachment containing a Visual Basic script, which initiates a multistage delivery process leading to the deployment of high-profile malware like DCRat or Rhadamanthys infostealer.
  • The malware uses a Windows batch file and PowerShell to deploy the final malicious payload, which is packed using a custom .NET packer and heavily obfuscated.
  • The packer's two resource blobs are decrypted by a byte-by-byte XOR with the single-byte key 0x78; the difficulty for defenders lies in the number of stages that must be covered, not in the strength of this trivial encoding.
  • The Acronis TRU has successfully detected and neutralized the components involved in this complex malware delivery chain using their in-house-developed script emulators.



  • Acronis Threat Research Unit Uncovers Elaborate Scheme Involving Visual Basic Script, Batch File, and PowerShell to Deploy High-Profile Malware

    In an effort to shed light on the latest sophistication in malware delivery chains, the Acronis Threat Research Unit (TRU) has been analyzing a particularly intricate threat. This complex scheme involves multiple script languages, obfuscation techniques, and multi-stage infections, ultimately leading to the deployment of high-profile malware like DCRat or Rhadamanthys infostealer.

    The journey begins with an innocuous-looking email attachment containing a RAR archive named "Citación por embargo de cuenta," which translates to "Summons for account garnishment." This filename is designed to elicit immediate concern and prompt Spanish-speaking recipients to open the attachment. Upon extraction, it reveals a Visual Basic script (VBS) file.

    When executed, this VBS file initiates a multistage delivery process, setting the stage for the deployment of the final malicious payload. The VBS file generates a Windows batch file (BAT) and transfers control to it. This batch file is responsible for constructing a Base64 encoded string from environment variables.

    The decoded string is a compact PowerShell script, which is executed by passing it to PowerShell as its command argument. It plays a crucial role in the delivery chain: it reads the last line of the batch file, removes the marker bytes, and decodes the resulting payload.

    The decoded payload is a Windows .NET executable, loaded into memory using a common malware technique known as RunPE, facilitated by a helper library. The payload itself is packed using a custom .NET packer and is heavily obfuscated, containing two encrypted data blobs within its resource structure.

    These data blobs are decrypted with a byte-by-byte XOR against the single-byte key 0x78. This is obfuscation rather than encryption: a few bytes of predictable plaintext (for instance the "MZ" header of an embedded executable) are enough to recover the key. The risk to users comes instead from the number of stages, each written in a different language: a security product has to be effective against the VBS, the batch file, the PowerShell stage and the in-memory .NET loader, not only against the final payload.
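The unpacking steps described above, re-implemented statically as an added example. This is not Acronis TRU's code and not the malware's own logic: the "::" marker bytes around the base64 blob on the batch file's last line are an assumption (the write-up does not name them), the packer and its two resource blobs are constructed stand-ins with an invented trailer layout, and the known-plaintext check that recovers the XOR key from an "MZ" header is an analyst's check added here, not something the article performs. Only the key 0x78 comes from the page.

```python
"""Static re-implementation of the BAT -> PowerShell -> .NET unpacking steps.
Added example, not Acronis TRU's code. All inputs are constructed for the demo:
the batch file, the '::' marker (an assumption), the packer trailer layout and
the MZ/PE stubs are fabricated and are NOT the real DCRat artefacts."""
import base64
import struct
from typing import List, Optional

XOR_KEY = 0x78   # single-byte key reported in the article
MARKER = b"::"   # assumed marker bytes wrapping the blob on the batch file's last line

def make_fake_pe(body: bytes = b"DEMO") -> bytes:
    """Build a minimal, non-runnable MZ/PE stub so is_pe() has a real header to check."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos_header + b"PE\x00\x00" + body

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def xor_bytes(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-by-byte XOR; the same call both 'encrypts' and decrypts."""
    return bytes(b ^ key for b in blob)

def make_fake_packer(inner_pe: bytes, config: bytes) -> bytes:
    """Constructed stand-in for the custom .NET packer: a PE stub followed by two
    length-prefixed XOR-0x78 blobs (the real packer keeps them as .NET resources;
    this trailer layout is an assumption made for the demo)."""
    trailer = b"".join(struct.pack("<I", len(b)) + xor_bytes(b) for b in (inner_pe, config))
    return make_fake_pe(b"") + trailer

def build_sample_bat(packer: bytes) -> bytes:
    """Constructed stand-in for the dropped batch file: decoy lines, then the
    marker-wrapped base64 packer as the last line, which the PowerShell stage reads."""
    lines = [b"@echo off", b"set a=cG93ZXJzaGVsbA==", b"rem decoy",
             MARKER + base64.b64encode(packer) + MARKER]
    return b"\r\n".join(lines) + b"\r\n"

def extract_last_line_payload(bat: bytes, marker: bytes = MARKER) -> bytes:
    """Mirror the PowerShell stage: take the last non-empty line, strip the marker
    bytes from both ends and base64-decode what remains."""
    last = [ln for ln in bat.splitlines() if ln.strip()][-1].strip()
    if not (last.startswith(marker) and last.endswith(marker)):
        raise ValueError("last line is not marker-wrapped")
    return base64.b64decode(last[len(marker):-len(marker)], validate=True)

def split_resources(packer: bytes, offset: int = 0x44) -> List[bytes]:
    """Walk the length-prefixed trailer after the 0x44-byte stub; blobs stay encrypted."""
    blobs, pos = [], offset
    while pos + 4 <= len(packer):
        n = struct.unpack_from("<I", packer, pos)[0]
        blobs.append(packer[pos + 4:pos + 4 + n])
        pos += 4 + n
    return blobs

def recover_single_byte_key(blob: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Known-plaintext check: a single-byte XOR leaks its key wherever the plaintext is
    predictable, e.g. the MZ header of an embedded executable. Returns the key only
    if every known byte agrees on it, else None."""
    if len(blob) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(blob, known_prefix)}
    return keys.pop() if len(keys) == 1 else None

def unpack_chain(bat: bytes) -> dict:
    """Run the whole static chain: BAT last line -> packer PE -> decrypted blobs."""
    packer = extract_last_line_payload(bat)
    if not is_pe(packer):
        raise ValueError("decoded last line is not a PE image")
    encrypted = split_resources(packer)
    key = recover_single_byte_key(encrypted[0])
    if key is None:              # fall back to the key the analysts reported
        key = XOR_KEY
    decrypted = [xor_bytes(b, key) for b in encrypted]
    return {"key": key, "inner_is_pe": is_pe(decrypted[0]), "config": decrypted[1]}

# Constructed sample chain (no real malware involved).
INNER_PE = make_fake_pe(b"FINAL-STAGE")      # stands in for DCRat / Rhadamanthys
CONFIG = b"constructed-config-blob"
SAMPLE_BAT = build_sample_bat(make_fake_packer(INNER_PE, CONFIG))

if __name__ == "__main__":
    print(unpack_chain(SAMPLE_BAT))
```

On a real sample the two functions worth keeping are `extract_last_line_payload` and `recover_single_byte_key`: the first reproduces what the PowerShell stage does without executing it, and the second confirms the key from the decoded blob rather than trusting a reported constant, which matters if a later build of the packer changes it.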

    The Acronis Threat Research Unit has successfully detected and neutralized the components involved in this complex malware delivery chain. The team's detailed analysis provides a comprehensive understanding of this new threat, including code samples and screenshots.

    Acronis XDR leverages real-time protection and in-house-developed generic script emulators to de-obfuscate and analyze scripts, allowing for early detection and neutralization of threats. By monitoring and blocking the execution of encoded payloads in memory, these solutions can prevent the loading of final malware like DCRat, Rhadamanthys, or Remcos.
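One check a defender can run on process telemetry for the hand-off described in this article (script host writes a batch file, the batch file launches PowerShell, PowerShell decodes the batch file's last line), written as an added example. This is not Acronis XDR's detection logic. The events are constructed in a Sysmon-like shape (pid, ppid, image, command line), the paths and command lines are invented, and the rule deliberately requires the exact parent chain script host -> cmd.exe -> powershell.exe so that an ordinary admin shell is not flagged.

```python
"""Process-ancestry check for the VBS -> BAT -> PowerShell hand-off.
Added example, not Acronis XDR's logic. EVENTS is constructed, Sysmon-like
telemetry; the paths and command lines are invented."""
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry: one malicious chain (pids 300-500) and one benign
# admin shell (pids 600-700) that must not be flagged.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\attachment.vbs"'},
    {"pid": 400, "ppid": 300, "image": "cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage2.bat"'},
    {"pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmd": 'powershell.exe -nop -w hidden -Command "$b=(Get-Content stage2.bat)[-1];'
            '[Convert]::FromBase64String($b)"'},
    {"pid": 600, "ppid": 100, "image": "cmd.exe",        "cmd": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe", "cmd": "powershell.exe"},
]

def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the given process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def cmdline_reads_batch_payload(cmd: str) -> bool:
    """Independent second signal: PowerShell reading a .bat file and base64-decoding it."""
    low = cmd.lower()
    return ".bat" in low and "frombase64string" in low

def flag_script_chain(events: List[Dict]) -> List[Dict]:
    """Flag powershell.exe whose parent is cmd.exe and whose grandparent is a script
    host, i.e. the exact VBS -> BAT -> PowerShell hand-off. One finding per hit."""
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])
        if len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in SCRIPT_HOSTS:
            findings.append({"pid": e["pid"],
                             "chain": " -> ".join(reversed(chain)),
                             "decodes_batch": cmdline_reads_batch_payload(e["cmd"])})
    return findings

if __name__ == "__main__":
    for finding in flag_script_chain(EVENTS):
        print(finding)
```

The strict adjacency keeps the false-positive rate low but is easy to evade by inserting an extra process between stages; if your telemetry shows such gaps, relax the check to "any ancestor is a script host" and lean on `cmdline_reads_batch_payload` and the script emulation the article describes as the confirming signals.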

    The analysis also highlights the creativity and sophistication of modern malware authors. Despite these challenges, the Acronis TRU successfully detected and neutralized the components involved. The complete technical write-up for this threat is available on the Acronis research blog.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/We-Smell-a-Sophisticated-Malware-Delivery-Chain-Unpacking-the-Complexity-of-DCRat-ehn.shtml

  • Published: Tue Apr 1 12:59:00 2025 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.
