DeathStalker’s VileRAT campaign targets foreign exchange and cryptocurrency venues with a multi-stage infection chain: spearphishing, DOTM remote templates, VBA macro stomping, the VileDropper and VileLoader stages, and finally a Python-based RAT, VileRAT. The report documents the evolving infrastructure, targeting and IOCs so that defenders can detect and disrupt these operations. #DeathStalker #VileRAT
Keypoints
- The DeathStalker group operates a multi-stage infection chain that culminates in the Python-based VileRAT implant.
- Initial infection relies on spearphishing from fake personas; targets receive Word documents that either link to malicious files hosted on Google Drive or pull in a malicious DOTM remote template.
- Malicious DOTM remote templates employ VBA stomping to conceal embedded macros, with variants tailored to Office versions.
- VileDropper obfuscates data with XOR-based schemes, drops VileLoader, and schedules tasks to execute payloads, while gathering environment data via WMI.
- VileLoader unpacks its second stage in memory, then downloads and deploys VileRAT, using a multi-layered XOR/RC4/BASE64 encoding scheme and a hashed import mechanism.
- VileRAT offers multiple execution modes (e.g., arbitrary commands, SSH, persistence via scheduled tasks, and security-product discovery) and communicates with C2 over HTTP with encoded payloads.
- The infrastructure features numerous C2 domains and IPs, with targeted FOREX and crypto exchanges across several regions; attribution ties the activity to DeathStalker.
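The DOTM remote-template step above is worth a concrete triage check. A Word document that loads a remote template carries an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose `Target` is an external URL, and that is the artifact a mail gateway or sandbox can inspect before Office ever fetches the DOTM. The following is an added example, not code from the Securelist report; it builds a minimal, constructed Word package in memory (the `example.invalid` URL is a placeholder, not a campaign indicator) and flags any attached template fetched over HTTP(S), which is the remote-template injection pattern this campaign uses.

```python
"""Triage a Word package (DOCX/DOTM) for a remote attachedTemplate relationship.

Added example using only the standard library. The sample document is
constructed here for demonstration; it is not one of the campaign lures.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(doc_bytes: bytes) -> list:
    """Return every external attachedTemplate target in the package (may be empty)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def is_http_template(target: str) -> bool:
    """A template pulled over HTTP(S) is the remote-template injection pattern."""
    return urlparse(target).scheme.lower() in ("http", "https")


def triage(doc_bytes: bytes) -> dict:
    """Summarise the package: remote template targets, HTTP(S) fetch, embedded VBA."""
    templates = find_remote_templates(doc_bytes)
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        has_vba = "word/vbaProject.bin" in z.namelist()
    return {
        "remote_templates": templates,
        "suspicious": any(is_http_template(t) for t in templates),
        "has_vba": has_vba,
    }


def build_sample_docx(template_target=None) -> bytes:
    """Build a minimal Word package in memory (constructed sample, not a real lure).

    With template_target set, settings.xml references rId1 and the rels file
    points that id at the target with TargetMode="External".
    """
    settings = (f'<w:settings xmlns:w="{WML_NS}" '
                f'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
                + '</w:settings>')
    rels = (f'<Relationships xmlns="{REL_NS}">'
            + (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>' if template_target else '')
            + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: example.invalid is reserved and never resolves.
    lure = build_sample_docx("https://example.invalid/template.dotm")
    print(triage(lure))
    print(triage(build_sample_docx("file:///C:/Templates/Normal.dotm")))
    print(triage(build_sample_docx()))
```

The check deliberately flags only HTTP(S) targets as suspicious: an external `file://` path to a local template is common in legitimate documents. Once the DOTM itself is obtained, the stomping described above means the macro source shown by standard tools cannot be trusted; compare the decompressed source against the compiled p-code (for example with pcodedmp, or olevba's stomping detection) rather than relying on the source stream alone.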
MITRE Techniques
- [T1566.001] Spearphishing Attachment – “The initial infection and toolset deployment, as we observed them starting in at least late 2021, are spear-phishing emails sent to targets via email… The malicious link would then trigger the execution of arbitrary system commands…”
- [T1566.002] Spearphishing Link – “fake personas… shared investment interests… malicious link would then trigger the execution…”
- [T1059.005] Visual Basic for Applications – “The malicious DOTM remote templates leverage the VBA stomping technique to conceal the code of an embedded macro.”
- [T1564.007] Hide Artifacts: VBA Stomping – “VBA stomping… the real macro code that will be executed is hidden from standard tools.”
- [T1027] Obfuscated/Compressed Files and Information – “The DOTM-embedded macro is lightly obfuscated, as most text strings are XOR-encoded.”
- [T1071.001] Web Protocols – “The DOTM-embedded macro signals progression or errors during the execution by sending HTTP GET requests to fixed C2 URLs.”
- [T1105] Ingress Tool Transfer – “Stage 2 content is downloaded… to download an implant package.”
- [T1053.005] Scheduled Task – “schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes.”
- [T1518.001] Security Software Discovery – “gathers information about security products that are installed on the target computer (using WMI)…”; “Listing security solutions that are installed on the target computer.”
- [T1056.001] Keylogging – “VileRAT functionalities include keylogging.”
- [T1059.007] JavaScript – “an obfuscated JavaScript backdoor we called VileDropper.”
Indicators of Compromise
- [IP Address] infection/C2 infrastructure – 185.161.208.172, 185.161.208.207, and 12+ more IPs
- [Domain] C2 domains – corstand[.]com, plantgrn[.]com, textmaticz[.]com (plus many others listed in the article)
- [MD5 Hash] Infection DOCX hashes – 09FB41E909A0BCA1AB4E08CB15180E7C, 0B4F0EAD0482582F7A98362DBF18C219, and 2 more hashes
- [MD5 Hash] VileDropper/JavaScript/Loader hashes – see the MD5 lists for VileDropper and VileLoader in the article
- [File name] malicious components – Redist.txt, ThirdPartyNotice.txt, FWDeviceEnabler.exe
- [URL] C2 endpoints – hubflash[.]co/admin/auth.php, and other domain/IP-based endpoints listed under C2 infrastructure
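To turn the indicators above into a sweep rather than a list, the following added example (not from the report) refangs the defanged domains and URL, then matches proxy log lines against them, treating any subdomain of a listed domain as a hit and matching the URL indicator on host plus path. The log lines are constructed for the demonstration; the internal addresses, timestamps and the benign `www.example.com` request are placeholders.

```python
"""Sweep proxy log lines for the VileRAT IOCs listed on this page.

Added example. Indicators are the ones quoted above; the log lines are
constructed sample data, not real telemetry.
"""
import re
from urllib.parse import urlparse

RAW_IOCS = {
    "ip": ["185.161.208.172", "185.161.208.207"],
    "domain": ["corstand[.]com", "plantgrn[.]com", "textmaticz[.]com"],
    "url": ["hubflash[.]co/admin/auth.php"],
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in RAW_IOCS["ip"]}
IOC_DOMAINS = {refang(d).lower() for d in RAW_IOCS["domain"]}
IOC_URLS = {refang(u).lower() for u in RAW_IOCS["url"]}

# A hostname or dotted-quad IP, optionally followed by a URL path.
HOST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(/[^\s\"']*)?", re.I)


def domain_matches(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line: str) -> list:
    """Return (kind, value) hits for every host, IP or URL IOC found in a log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        host, path = m.group(1), m.group(2) or ""
        if host in IOC_IPS:
            hits.append(("ip", host))
        elif domain_matches(host):
            hits.append(("domain", host.lower()))
        url = (host + path).lower()
        for u in IOC_URLS:
            if url.startswith(u):
                hits.append(("url", u))
    return hits


def scan(lines) -> list:
    """Return (line_number, hit) pairs over an iterable of log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line)]


# Constructed sample proxy log (placeholder internal IPs and times).
SAMPLE_LOG = [
    "2022-08-11T09:14:02Z 10.0.4.21 GET http://corstand.com/admin/auth.php 200",
    "2022-08-11T09:14:03Z 10.0.4.21 CONNECT 185.161.208.207:443 200",
    "2022-08-11T09:15:10Z 10.0.4.33 GET https://www.example.com/ 200",
    "2022-08-11T09:16:44Z 10.0.4.21 POST http://hubflash.co/admin/auth.php 200",
    "2022-08-11T09:17:00Z 10.0.4.50 GET http://cdn.plantgrn.com/update 404",
]

if __name__ == "__main__":
    for lineno, (kind, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} IOC {value}")
```

Matching subdomains matters because operators rotate hosts under a registered domain; matching the URL on host plus path (rather than the path alone) avoids false positives on the generic `/admin/auth.php` string.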
Read more: https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/