Malicious Actors Employ Obfuscation Techniques for Multi-Stage Malware Delivery Through Invoice Phishing Scams

Cybersecurity researchers have uncovered a sophisticated cyber attack employing invoice-themed phishing emails to deploy a range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and malware aimed at stealing from cryptocurrency wallets. The phishing emails, as explained by Fortinet FortiGuard Labs, attach SVG files that trigger a multi-stage infection process once clicked.

This complex attack utilizes BatCloak and ScrubCrypt, advanced tools for malware obfuscation and evasion. BatCloak, available since late 2022, cleverly bypasses detection by disguising the delivery of malicious payloads, while ScrubCrypt, tied to the 8220 Gang's cryptojacking activities, serves as a potent crypter. Together, these tools facilitate the discreet deployment of Venom RAT, a malware that grants attackers complete control over compromised systems, allowing them to extract sensitive data and execute remote commands.

In the final stage of the attack, Venom RAT acts as a gateway for additional malicious payloads. Security experts highlight the malware's ability to communicate with its command and control server to download plugins for further malicious activity. Among these are a keylogging capability, plugins that deliver the other RATs named above, and a specialized plugin for stealing information from popular cryptocurrency wallets and applications.

This concise analysis sheds light on a meticulously planned attack that leverages multiple obfuscation and evasion techniques. By using phishing emails, obfuscated scripts, and a dynamic plugin system, the attackers demonstrate a high level of sophistication and adaptability, posing significant challenges to cybersecurity defenses.
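The report attributes the initial foothold to SVG attachments in invoice-themed emails. As an added defensive example (not code from Fortinet or this article), the Python below pulls SVG attachments out of a raw email and flags active content that a static image should never need. It assumes, as is common for weaponized SVGs but not stated in the article, that the trigger is embedded scripting, event-handler attributes, or references to remote or scripted URLs; the sample message and SVG bodies are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
import xml.etree.ElementTree as ET  # for untrusted input at scale prefer defusedxml

def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return reasons an SVG attachment should be held for review.

    Flags <script> and <foreignObject> elements, on* event-handler attributes,
    and href/xlink:href values pointing at javascript:, data: or remote URLs.
    An empty list means no active content was found, not that the file is safe.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()      # strip the XML namespace
        if tag == "script":
            findings.append("embedded <script> element")
        if tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()   # handles xlink:href as well
            if local.startswith("on"):
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and value.strip().lower().startswith(
                    ("javascript:", "data:", "http://", "https://")):
                findings.append(f"<{tag}> href -> {value.strip()[:40]}")
    return findings

def scan_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each SVG attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            results[name] = svg_active_content(part.get_payload(decode=True))
    return results

# Constructed samples: an SVG with an inert placeholder script, and a plain drawing.
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                 b'<script>/* constructed placeholder, does nothing */</script></svg>')
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')

def build_sample_eml() -> bytes:
    """Constructed invoice-themed message carrying MALICIOUS_SVG as an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice #0000 (constructed sample)"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(MALICIOUS_SVG, maintype="image", subtype="svg+xml",
                       filename="invoice.svg")
    return msg.as_bytes()
```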
