PureHVNC Deployed via Python Multi-stage Loader

Summary:
In April, FortiGuard Labs uncovered a sophisticated attack using multiple layers of obfuscation and evasion techniques to distribute VenomRAT via ScrubCrypt. This campaign extended beyond VenomRAT, deploying additional malware through a plugin. A recent phishing campaign targeted employees with deceptive emails posing as customer inquiries. These emails contained urgent requests and attachments disguised as invoices, which, when opened, initiated a chain of malicious activities.

The attack used several obfuscation tools to evade detection: the Python obfuscator 'Kramer', the shellcode generator 'donut', and the shellcode loader 'laZzzy'. The malware deployed included XWorm, VenomRAT, AsyncRAT, and PureHVNC, each integrated into a complex attack chain. PureHVNC, one of the malware families identified, used AES decryption and gzip decompression to load its DLL payloads and gather victim information. The malware communicated with a command-and-control (C2) server and targeted sensitive applications and browser extensions.
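The decryption-then-decompression stage described above is the point where an analyst usually recovers the real payload. The following is an added analyst-side example, not code from the FortiGuard report or from any of the malware families it names: it peels a gzip layer with an output-size cap (a gzip stage is a natural place for a decompression bomb to hit an automated sandbox), checks that the inflated bytes are a PE image, and reads the COFF Characteristics field to confirm the payload is a DLL rather than an EXE. The AES layer is deliberately left out because the summary gives no key or cipher mode; the analyst would supply that from their own unpacking. The sample PE header and the "bomb" blob are constructed for the demo and are not functional code.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_INFLATED = 64 * 1024 * 1024   # cap on inflated size to survive decompression bombs
IMAGE_FILE_DLL = 0x2000           # COFF Characteristics flag: image is a DLL


def inflate_capped(blob: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Gunzip `blob`, refusing to produce more than `limit` bytes of output."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = d.decompress(blob, limit + 1)                  # ask for at most limit+1 bytes
    if len(out) > limit:
        raise ValueError("inflated payload exceeds cap; possible decompression bomb")
    return out


def pe_info(data: bytes) -> dict:
    """Parse just enough of a PE image to say what it is."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    machine, nsections, _ts, _symtab, _nsyms, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def unpack_layer(blob: bytes) -> dict:
    """Peel one gzip layer (the step after AES in the loader) and describe the inner image."""
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("blob is not gzip; an outer (AES) layer may still be present")
    inner = inflate_capped(blob)
    info = pe_info(inner)
    info["size"] = len(inner)
    return info


def build_sample_dll_stub() -> bytes:
    """Constructed PE header only (no sections, no code): a stand-in for a real DLL payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> right after the DOS header
    # Machine=AMD64 (0x8664), 1 section, Characteristics = EXECUTABLE_IMAGE | DLL | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed inputs for the demo: a gzip-wrapped DLL stub and a small zero-filled "bomb".
SAMPLE_BLOB = gzip.compress(build_sample_dll_stub())
BOMB_BLOB = gzip.compress(b"\0" * 4096)

if __name__ == "__main__":
    print(unpack_layer(SAMPLE_BLOB))
    # -> {'machine': 34404, 'sections': 1, 'is_dll': True, 'size': 88}
```

In a real triage pipeline `unpack_layer` would be called on the output of the AES stage; the gzip magic check is a cheap way to confirm the previous layer was actually removed before spending time on PE parsing.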

Security Officer Comments:
The attackers' approach showed a deep understanding of cybersecurity defenses, using techniques like Python obfuscation and shellcode manipulation to conceal their malicious intent. Further analysis of the campaign uncovered a range of sophisticated plugins, including PluginRemoteDesktop and PluginExecuting, which significantly bolstered the attackers' ability to remotely access and control compromised systems. These plugins were carefully designed to blend into legitimate system processes, making detection more challenging for traditional security measures.

Suggested Corrections:
The attack campaign starts with an email that claims to be a customer inquiry and urges the recipient to open the attachment. This typical phishing tactic uses job-related context and urgent language to deceive recipients into opening attachments or clicking links. Security teams should continue to protect the enterprise against phishing attacks.

Link(s):
https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader