Efficient Deployment of PureHVNC Using Python Multi-Stage Loader | FortiGuard Labs

Fortinet FortiGuard Labs details a phishing-driven campaign that uses multi-layer obfuscation to deliver VenomRAT, PureHVNC, and other malware to Windows targets. The operation relies on deceptive emails, a multi-stage loader, and plugins to exfiltrate data and extend the attacker's control, culminating in PureHVNC's remote desktop capability and plugin loading.

Keypoints

  • The campaign targets Microsoft Windows, is assessed as high severity, and affects organizations in general via phishing rather than a specific sector.
  • The attack delivers multiple malware families including VenomRAT, XWorm, AsyncRAT, and PureHVNC.
  • Malware uses extensive obfuscation and packing techniques to evade detection, aided by tools like Kramer, donut, and laZzzy.
  • PureHVNC is a .NET RAT that decrypts payloads, decompresses them, and loads them into memory, with plugins extending its functionality.
  • Plugins such as PluginRemoteDesktop and PluginExecuting enable remote control and command execution, including file download/execution and uninstall capabilities.
  • The attack chain starts with a phishing email leading to a malicious HTML/LNK sequence, leveraging conhost.exe for indirect execution and PowerShell-based stages.
  • Fortinet protections (FortiGuard Antivirus and CDR) can detect and mitigate these threats; the report also recommends security awareness training and IP reputation services.

MITRE Techniques

  • [T1566] Phishing – Initial access: the attack chain starts with a phishing email that leads to a malicious HTML/LNK sequence.
  • [T1071] Command and Control – The malware communicates with C2 infrastructure hosted on the duckdns[.]org domains listed under Indicators of Compromise.
  • [T1003] Credential Dumping
  • [T1203] Execution – The HTML/LNK sequence uses conhost.exe for indirect execution followed by PowerShell-based stages.
  • [T1027] Obfuscated Files or Information – Extensive obfuscation and packing, aided by tools such as Kramer, donut, and laZzzy, are used to evade detection.
  • [T1055] Process Injection – PureHVNC decrypts and decompresses payloads and loads them directly into memory.

Indicators of Compromise

  • [Domain] C2 domains – drvenomjh[.]duckdns[.]org, vxsrwrm[.]duckdns[.]org, and four other domains
  • [URL] Malicious link – hxxps://float-suppose-msg-pulling[.]trycloudflare[.]com/
  • [File] Payload hashes (SHA-256) – 16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a, 062c5f5e9cdfd731912b262297e963b6d5e1b1d114184728065522f46a5eef2f, and other hashes listed in the full report

Read more: https://feeds.fortinet.com/~/902536604/0/fortinet/blog/threat-research~PureHVNC-Deployed-via-Python-Multistage-Loader