Advancements in delivery: Scripting with Nietzsche

This article examines a complex malware delivery chain that utilizes multiple scripting languages to deploy high-profile malware like DCRat and Rhadamanthys infostealer. It emphasizes the importance of multilayered threat detection and highlights Acronis’s approach to neutralizing malicious scripts. The evolving complexity of malware delivery chains poses risks but also presents opportunities for prevention. Affected: DCRat, Rhadamanthys, computer users

Key points:

  • Delivery chains for malware have become increasingly complex, moving beyond simple email attachments.
  • The article discusses a specific delivery chain that aims to deploy DCRat and Rhadamanthys via multiple layers of scripts.
  • Acronis employs a multilayered approach to threat detection, incorporating their own AMSI support and a generic script emulator.
  • The initial VBS script creates a batch file and a copy of itself in the user’s profile directory.
  • The batch file executes a Base64 encoded PowerShell script to further drop the payload.
  • The PowerShell layer includes plaintext content with quotes from Friedrich Nietzsche and is responsible for decoding and loading the final payload.
  • The final payload is heavily obfuscated and wrapped in a custom .NET packer, containing additional executables for execution.
  • Acronis successfully detects the components of the attack chain through their Advanced Security and Extended Detection and Response (XDR) solutions.
  • The analysis indicates that malware delivery strategies are continuously evolving, focusing on evading detection while executing even outdated malware.
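The BAT → Base64 PowerShell → XOR-decoded payload stages listed above, unpacked by a small defender-side triage script (an added example, not Acronis's code; the regexes, function names and the constructed sample batch line are assumptions, while 0x78 is the XOR key the report names):

```python
"""Stage-by-stage triage of a BAT -> Base64 PowerShell -> XOR payload chain."""
import base64
import re
from typing import Dict, List, Optional

XOR_KEY = 0x78  # single-byte key reported for the final payload

# -EncodedCommand (and its short forms) followed by a Base64 argument
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# quoted Base64 blobs inside the PowerShell stage (assumed carrier of the payload)
B64_BLOB_RE = re.compile(r"'([A-Za-z0-9+/=]{32,})'")


def extract_encoded_command(batch_text: str) -> Optional[str]:
    """Return the PowerShell behind -EncodedCommand (UTF-16LE in Base64), or None."""
    m = ENC_RE.search(batch_text)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both hides and recovers a blob."""
    return bytes(b ^ key for b in data)


def recover_payloads(ps_script: str) -> List[Dict]:
    """XOR-decode every quoted Base64 blob and flag the ones that start like a PE file."""
    found = []
    for blob in B64_BLOB_RE.findall(ps_script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded = xor_decode(raw)
        found.append({"size": len(decoded), "is_pe": decoded[:2] == b"MZ", "head": decoded[:16]})
    return found


def triage_batch(batch_text: str) -> Dict:
    """Walk the chain from the batch stage down to any recovered payload."""
    ps = extract_encoded_command(batch_text)
    if ps is None:
        return {"encoded_powershell": False, "payloads": []}
    return {"encoded_powershell": True, "powershell": ps, "payloads": recover_payloads(ps)}


# Constructed sample (not material from the report): a batch line carrying a UTF-16LE
# Base64 PowerShell stage that holds an XOR(0x78)-obscured fake PE stub.
FAKE_PE = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode"
_blob = base64.b64encode(xor_decode(FAKE_PE)).decode()
_ps = f"$b = [Convert]::FromBase64String('{_blob}'); # filler quote goes here"
SAMPLE_BAT = ("@echo off\r\npowershell -nop -w hidden -EncodedCommand "
              + base64.b64encode(_ps.encode("utf-16-le")).decode() + "\r\n")
```

Run `triage_batch(open(path).read())` on a suspect .bat to see whether it hides an encoded PowerShell stage and whether that stage carries an XOR-wrapped executable.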

MITRE Techniques:

  • T1203 – Remote Code Execution: Use of VBS and BAT scripts to execute malicious payloads.
  • T1059 – Command and Scripting Interpreter: Utilization of PowerShell to run encoded commands obfuscated in batch files.
  • T1140 – Deobfuscate/Decode Files or Information: De-obfuscation of scripts to make them interpretable.
  • T1027 – Obfuscated Files or Information: Use of obfuscation techniques in the VBS and batch files to evade detection.
  • T1205 – Communications through Removable Media: Potential use of user directories as a method for malware execution and persistence.

Indicators of Compromise:

  • [File] %UserProfile%\aguwDl.bat
  • [File] %UserProfile%\aguwDl.vbs
  • [File] %UserProfile%\aguwDl.ps1
  • [Key] 0x78 (single-byte XOR key used for payload decryption)
  • [Domain] dcrat[. ]com (implied malicious use)

Full Story: https://www.acronis.com/en-us/cyber-protection-center/posts/advancements-in-delivery-scripting-with-nietzsche/