Keypoints
- Initial access via a phishing email carrying an SVG attachment; the SVG drops a ZIP that contains an obfuscated batch file.
- The batch file (built with BatCloak) decodes multiple stages, writes temporary files, and executes a ScrubCrypt batch that carries two payloads, each Base64-encoded, AES-CBC-encrypted and GZIP-compressed.
- ScrubCrypt loads a .NET assembly from memory ([System.Reflection.Assembly]::Load) to execute VenomRAT; its second payload bypasses AMSI and ETW.
- Persistence is a scheduled task named “OneNote 83701” when running as Administrator, otherwise a copy in the Startup folder; the crypto stealer plugin creates its own scheduled task (“Nano”).
- VenomRAT uses a certificate-based encrypted C2 channel, reports system details, and supports a “save_Plugin” command that stores plugins in the registry and executes them (SendFile.dll orchestrates plugin execution).
- Plugins delivered include VenomRAT v6.0.3 (keylogger/grabber), NanoCore (steganographic JPG → .NET loader run via RegAsm), XWorm (process hollowing), Remcos (VBS/ScrubCrypt/Guloader), and a targeted crypto stealer.
- IOCs include multiple duckdns C2 domains, malicious URLs (nanoshield / kisanbethak), file names (SVG/ZIP/batch), and many file hashes enumerated by Fortinet.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – initial vector: ‘The attacker initiates the attack by sending a phishing email stating that a shipment has been delivered. It also includes an attached invoice. The attachment is an SVG file named “INV0ICE_#TBSBVS0Y3BDSMMX.svg”’
- [T1204.002] User Execution: Malicious File – the SVG requires user interaction to run embedded ECMAScript that drops the ZIP: ‘After victims open the SVG file, the ECMAScript creates a new blob … drop the decoded data as a ZIP file named “INV0ICE_#TBSBVS0Y3BDSMMX.zip.”’
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – BatCloak and ScrubCrypt produce heavily obfuscated batch/script files: ‘The decompressed file is an obfuscated batch file … presumed that this batch file was created by the BatCloak tool’
- [T1620] Reflective Code Loading – ScrubCrypt loads a .NET assembly from memory using reflection: ‘uses the PowerShell command “[System.Reflection.Assembly]::Load” to load the decrypted .NET assembly from a byte array…invoke that method to initiate the execution of the assembly’s code.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – the second payload implements an AMSI and ETW bypass: ‘The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass.’
- [T1053.005] Scheduled Task/Job – persistence via scheduled task when running as Administrator: ‘utilizes a PowerShell command to establish a scheduled task named “OneNote 83701.” This task triggers upon user login…’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – alternate persistence for non-admin users: the loader copies itself into the Startup folder as ‘strt.cmd’.
- [T1573] Encrypted Channel – C2 communications are encrypted using a certificate from configuration: ‘All C2 sessions are encrypted using the certificate specified in its configuration.’
- [T1112] Modify Registry – plugins and plugin data are written to and read back from the registry (SendFile and plug_in data), which also matches T1027.011 Fileless Storage: ‘Upon receiving the “save_Plugin” directive from the server, it can decompress the data and save it to the registry.’
- [T1055.012] Process Injection: Process Hollowing – Guloader PowerShell uses Process Hollowing to inject shellcode and launch XWorm: ‘the PowerShell script uses the Process Hollowing technique to inject shellcode into a legitimate process.’
- [T1027.003] Obfuscated Files or Information: Steganography – the NanoCore stage is hidden inside a JPG between Base64 markers: ‘The JPG file employs steganographic methods … embedding malware data encoded in Base64 between the tags <<BASE64_START>> and <<BASE64_END>>.’
- [T1218.009] System Binary Proxy Execution: Regsvcs/Regasm – RegAsm.exe proxies execution of the NanoCore .NET payload: ‘…and employs “RegAsm” to proxy the execution of NanoCore.’
- [T1056.001] Input Capture: Keylogging – VenomRAT contains a keylogger function to capture keystrokes: ‘The plugin VenomRAT is version 6.0.3. It has a Keylogger function…’
- [T1082] System Information Discovery – initial beacon sends hardware/OS/AV and other environment data: ‘The initial packet transmitted contains basic information about the victim, such as hardware specifications, username, operating system details, camera availability…and the name of the antivirus product installed.’
Indicators of Compromise
- [C2 Domains] Command-and-control domains observed – markjohnhvncpure[.]duckdns[.]org, hjkdnd[.]duckdns[.]org, and 4 other duckdns domains
- [URLs] Malicious delivery and payload hosting – hxxps://nanoshield[.]pro/new_image2.jpg?166154725, hxxps://kisanbethak[.]com/K/, and 2 other URLs
- [File names] Dropper and stage filenames – INV0ICE_#TBSBVS0Y3BDSMMX.svg, INV0ICE_#TBSBVS0Y3BDSMMX.zip (also pointer.png, pointer.cmd, strt.cmd)
- [File hashes] Samples tied to the campaign – 06779e1015bd7dd2012ad03f7bb3f34e8d99d6ca41106f89cb9fb1ec46fe034e, 0b5631041336a58ab859d273d76c571dd372220dfa1583b597a2fe5339ad4bf7, and 28 other hashes
Actor workflow (technical summary): The attack starts with a phishing SVG whose embedded ECMAScript builds a Blob and drops a ZIP containing an obfuscated batch file (BatCloak). The batch decodes its embedded data, writes temporary files (pointer.png → pointer → pointer.cmd), and executes a ScrubCrypt batch that contains two Base64/AES-CBC/GZIP payloads: one establishes persistence and loads a compressed .NET assembly, the other performs the AMSI/ETW bypass.
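The SVG stage is the one a mail gateway or analyst can triage offline without running anything. The following Python script is an added example, not code from the Fortinet report or from the sample: it parses the SVG with the standard library, collects every script body, and scores the browser APIs a client-side dropper needs (Base64 decode, Blob, object URL, forced download) plus the presence of a large inline Base64 literal. The heuristic patterns and thresholds are assumptions; SAMPLE_SVG is constructed here, and only the ZIP name is taken from the report.

```python
"""Static triage of an SVG attachment for a script-driven file drop.

Added example, not code from the report. It parses the SVG with the
standard library, collects every <script> body, and flags the browser
APIs a client-side dropper needs: Base64 decoding, a Blob, an object URL
and a forced download. SAMPLE_SVG is constructed for this example; only
the ZIP name is taken from the report, the script body is not the
attacker's.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Generic dropper heuristics (assumed; not signatures from the report).
DROPPER_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*="),
    "click_dispatch": re.compile(r"\.click\s*\(\s*\)"),
    "archive_name": re.compile(r"\.zip\b", re.IGNORECASE),
}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_scripts(svg_text: str) -> list[str]:
    """Return the body of every <script> element, namespaced or not."""
    root = ET.fromstring(svg_text)
    return [el.text or "" for el in root.iter()
            if el.tag in ("script", SVG_NS + "script")]


def triage_svg(svg_text: str) -> dict:
    """Score an SVG: one point per heuristic hit plus one for a large
    inline Base64 literal (an embedded payload). Thresholds are assumed."""
    scripts = extract_scripts(svg_text)
    joined = "\n".join(scripts)
    hits = {name: bool(rx.search(joined)) for name, rx in DROPPER_PATTERNS.items()}
    longest = max((len(m) for m in B64_LITERAL.findall(joined)), default=0)
    score = sum(hits.values()) + (1 if longest >= 256 else 0)
    verdict = "dropper" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"script_count": len(scripts), "hits": hits,
            "longest_base64_literal": longest, "score": score, "verdict": verdict}


# Constructed sample: a 1x1 SVG whose script decodes an inline literal,
# wraps it in a Blob and forces a download. The literal is filler that
# only looks like a Base64 ZIP; it is not a real archive.
_FILLER_B64 = "UEsDBBQAAAAIAA" + "Q" * 302
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script><![CDATA[
var d = atob("{_FILLER_B64}");
var b = new Blob([d], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(b);
a.download = "INV0ICE_#TBSBVS0Y3BDSMMX.zip";
a.click();
]]></script>
</svg>"""

CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        print(name, triage_svg(doc))
```

Because the ZIP is assembled by script rather than fetched from a URL, URL reputation alone does not catch this stage; the inline literal check is what separates a smuggling dropper from an ordinary animated SVG.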
ScrubCrypt reconstructs and decrypts the embedded assemblies and uses reflection ([System.Reflection.Assembly]::Load) to execute the VenomRAT assembly in memory, so no cleartext executable is written to disk. The loader checks for administrative rights and either creates the scheduled task (“OneNote 83701”) or, for non-admin users, drops strt.cmd into the Startup folder. The VenomRAT configuration is Base64-encoded and AES-CBC-encrypted; once running, the RAT performs environment checks, establishes a certificate-based encrypted C2 channel, and sends system, antivirus and execution-path information to the server.
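Every loader behaviour in this paragraph passes through PowerShell, so ScriptBlock logging (Event ID 4104) is the place to hunt for it. The Python below is an added example, not code from the report: it runs a small rule set over script-block text and maps hits to the ATT&CK IDs used above (decode chain, reflective load, scheduled task, Startup folder, AMSI/ETW tampering), pulling the task name out of a schtasks or Register-ScheduledTask call. The log lines are constructed; only the task name and file names come from the report, and the AMSI/ETW keyword list is a generic assumption about common bypass code, not the campaign's actual second payload.

```python
"""Hunt PowerShell ScriptBlock logging (Event ID 4104) text for the loader
behaviours described above: Base64/AES/GZip decode chains, reflective .NET
loading, scheduled-task or Startup-folder persistence, and AMSI/ETW
tampering.

Added example, not code from the report. SAMPLE_4104 is constructed: the
task name and file names come from the report, the commands around them
are illustrative. The AMSI/ETW keyword list is a generic assumption about
common bypass code, not the campaign's actual second payload.
"""
import re

RULES = {
    "T1620 reflective load":
        re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "decode chain (Base64/AES/GZip)":
        re.compile(r"FromBase64String.*?\b(?:GZipStream|Aes\w*|Rijndael\w*)\b"
                   r"|\b(?:GZipStream|Aes\w*|Rijndael\w*)\b.*?FromBase64String", re.I | re.S),
    "T1053.005 scheduled task":
        re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
    "T1547.001 Startup folder":
        re.compile(r"\\Start Menu\\Programs\\Startup\\|GetFolderPath\(\s*['\"]Startup['\"]\s*\)|shell:startup", re.I),
    "T1562.001 AMSI tamper":
        re.compile(r"AmsiScanBuffer|amsiInitFailed|AmsiUtils|amsi\.dll", re.I),
    "T1562.001 ETW tamper":
        re.compile(r"EtwEventWrite|EtwNotificationRegister|EtwEventRegister", re.I),
}
TECH_ID = re.compile(r"T\d{4}(?:\.\d{3})?")
# Task name from either the cmdlet (-TaskName) or the CLI (/tn) form.
TASK_NAME = re.compile(r"(?:-TaskName|/tn)\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.I)


def analyze_block(text: str) -> dict:
    """Apply every rule to one script block; pull the task name if any."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    m = TASK_NAME.search(text)
    task = next((g for g in m.groups() if g), None) if m else None
    return {"hits": hits, "task_name": task}


def hunt(lines: list[str]) -> list[dict]:
    """Return one finding per line that triggers at least one rule."""
    findings = []
    for idx, line in enumerate(lines):
        r = analyze_block(line)
        if r["hits"]:
            r["line"] = idx
            findings.append(r)
    return findings


def techniques(findings: list[dict]) -> list[str]:
    """Sorted, de-duplicated ATT&CK IDs across all findings."""
    ids = {t for f in findings for name in f["hits"] for t in TECH_ID.findall(name)}
    return sorted(ids)


# Constructed ScriptBlockText samples, one block per list entry.
SAMPLE_4104 = [
    # Benign administration, should not fire.
    r"Get-ChildItem C:\Users\alice\Documents | Where-Object Length -gt 1MB",
    # Loader stage: decode chain followed by a reflective load (constructed).
    "$b=[Convert]::FromBase64String($p);$k=[System.Security.Cryptography.Aes]::Create();"
    "$g=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);"
    "[System.Reflection.Assembly]::Load($out).EntryPoint.Invoke($null,$null)",
    # Elevated path: logon-triggered task; name from the report, command constructed.
    r'schtasks /create /tn "OneNote 83701" /sc onlogon /tr "C:\Users\Public\pointer.cmd" /f',
    # Non-elevated path: copy into the Startup folder as strt.cmd (constructed).
    r'Copy-Item $env:TEMP\pointer.cmd "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\strt.cmd"',
    # Second payload fragment (constructed; AmsiUtils/amsiInitFailed are assumed generic markers).
    "$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') # ... then flips amsiInitFailed",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_4104):
        print(f)
    print(techniques(hunt(SAMPLE_4104)))
```

The decode-chain rule deliberately requires both a Base64 decode and a cipher or GZip stream in the same block; either alone is common in legitimate scripts, and the combination followed by Assembly::Load is what makes the ScrubCrypt stage stand out.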
The RAT supports a plugin framework: it accepts “save_Plugin” packets, stores plugin DLLs in the registry (SendFile.dll orchestrates plugin execution), and can deploy multiple plugins delivered by different mechanisms. Observed deliveries include steganographic JPGs that unpack NanoCore and run it via RegAsm, VBS/Guloader PowerShell that uses process hollowing to deploy XWorm/Remcos, and an embedded .NET stealer that writes a DLL in memory, schedules a “Nano” task, and repeatedly harvests crypto-wallet, Telegram and Foxmail artifacts before sending the results to markjohnhvncpure[.]duckdns[.]org.
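The steganographic JPG is the one plugin carrier the report describes precisely enough to carve by hand: the stage sits Base64-encoded between the literal tags <<BASE64_START>> and <<BASE64_END>>. The Python below is an added example, not code from the report: it walks a file for every marker pair, strips line wrapping, decodes the blob, and classifies the result by magic bytes. It also handles what an analyst meets on real files: no markers, an unterminated marker, several blobs in one file, and malformed Base64. The carrier built by build_sample_jpg() is constructed, and its decoded content is a fake "MZ" stub, not the NanoCore loader; the classification set is an assumption.

```python
"""Carve a payload hidden between <<BASE64_START>> and <<BASE64_END>>
markers, as the report describes for the NanoCore stage, and classify
what was decoded.

Added example, not code from the report. The image built by
build_sample_jpg() is constructed: a JPEG SOI/APP0 header, filler, and a
marker-wrapped Base64 blob whose decoded bytes are a fake "MZ" stub, not
malware. The carver also handles the cases an analyst meets on real
files: no markers, an unterminated marker, several blobs in one file,
and line breaks inside the Base64 text.
"""
import base64
import binascii
import re

START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"
JPEG_SOI = b"\xff\xd8\xff"


def is_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_SOI)


def classify(payload: bytes) -> str:
    """Magic-byte check on the decoded payload (assumed set of types)."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\x1f\x8b"):
        return "gzip"
    if payload.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def carve_marked_blobs(data: bytes) -> list[dict]:
    """Return one record per marker pair (or per broken marker)."""
    results = []
    pos = 0
    while True:
        s = data.find(START, pos)
        if s < 0:
            break
        e = data.find(END, s + len(START))
        if e < 0:
            results.append({"offset": s, "error": "unterminated marker"})
            break
        raw = data[s + len(START):e]
        b64 = re.sub(rb"\s+", b"", raw)        # tolerate wrapped lines
        try:
            payload = base64.b64decode(b64, validate=True)
            results.append({"offset": s, "b64_len": len(b64),
                            "payload": payload, "kind": classify(payload)})
        except binascii.Error as exc:
            results.append({"offset": s, "error": f"bad base64: {exc}"})
        pos = e + len(END)
    return results


# Constructed stand-in for a .NET loader: MZ magic plus a DOS stub string.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16


def build_sample_jpg() -> bytes:
    """Constructed carrier: JPEG header, filler, wrapped Base64 between markers, EOI."""
    b64 = base64.b64encode(FAKE_PE)
    wrapped = b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64
            + START + wrapped + END + b"\xff\xd9")


if __name__ == "__main__":
    img = build_sample_jpg()
    print("jpeg:", is_jpeg(img))
    for rec in carve_marked_blobs(img):
        print({k: v for k, v in rec.items() if k != "payload"})
```

The same marker scan works on any blob the RAT writes elsewhere, for example a registry value exported to disk, as long as the writer used the same literal tags; a different tag pair is a one-line change to START and END.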