Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure 

This investigation details a multi-stage, reusable malware delivery framework that used obfuscated VBS launchers, a fileless PowerShell loader, PNG-embedded .NET loaders (PhantomVAI), and openly hosted directories to stage and deliver multiple payload families. The campaign delivered and rotated payloads including Remcos RAT and XWorm variants from attacker-controlled infrastructure such as news4me[.]xyz and Cloudflare-backed hosts, enabling additional infection paths via a weaponized “PDF” and batch scripts. #PhantomVAI #RemcosRAT

Keypoints

  • Initial detection came from SentinelOne identifying an obfuscated VBS (Name_File.vbs) in Users\Public\Downloads; endpoint controls prevented execution and quarantined the file.
  • Decoded VBS revealed heavy Unicode obfuscation that reconstructed and executed a Base64-encoded PowerShell command acting as a fileless loader enforcing TLS 1.2 and retrieving PNG-hosted payloads.
  • PNG files contained appended Base64 .NET assemblies (PhantomVAI) that were reflectively loaded into memory and used to download and decode follow-on payloads such as Remcos RAT and UAC bypass DLLs.
  • Attacker infrastructure on news4me[.]xyz exposed open directories (/coupon/, /protector/, /invoice/) mapping multiple obfuscated VBS scripts to distinct payloads and staging files, indicating a modular, reusable framework.
  • A secondary infection chain used a fake PDF Internet Shortcut and an obfuscated 44rrr.bat (UTF-16LE) to fetch ZIP/BAT/TXT packages from Cloudflare-backed domains, dropping Python-based loaders and scripts that performed memory injection and shellcode execution.
  • The campaign’s open-directory architecture and payload rotation increased evasion risk by using non-executable carriers (PNG, ZIP, Internet Shortcut) and multi-language tooling (VBS, PowerShell, BAT, Python) to persist and scale operations.
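As an added defensive example (not code from the original report), the following Python script checks a PNG for data appended after the IEND chunk and whether that trailer Base64-decodes to a PE (MZ) image, the carrier pattern the keypoints describe. The sample PNG and the fake payload are constructed inline; no real campaign artifact is used.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks_end(data: bytes) -> int:
    """Walk the PNG chunk list; return the offset just past IEND, or -1 if malformed."""
    if not data.startswith(PNG_SIG):
        return -1
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return off
    return -1


def analyze_png(data: bytes) -> dict:
    """Report appended bytes after IEND and whether they Base64-decode to an MZ header."""
    end = png_chunks_end(data)
    tail = data[end:] if end >= 0 else b""
    result = {"appended_len": len(tail), "base64": False, "pe_payload": False}
    if not tail:
        return result
    try:  # tolerate line-wrapped Base64 by stripping all whitespace first
        decoded = base64.b64decode(b"".join(tail.split()), validate=True)
    except (binascii.Error, ValueError):
        return result
    result["base64"] = True
    result["pe_payload"] = decoded[:2] == b"MZ"
    return result


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png(tail: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + tail


# Constructed stand-in for an appended loader: fake MZ/PE header, Base64-encoded like the staged PNGs
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_PNG_CLEAN = make_sample_png()
SAMPLE_PNG_STAGED = make_sample_png(base64.b64encode(FAKE_PE))
```

Running `analyze_png` over an image store flags files whose trailer is a valid Base64 PE, which is a cheap triage signal for this carrier technique.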

MITRE Techniques

  • [T1027] Obfuscated Files or Information – Use of heavy Unicode-based obfuscation and Base64 encoding in VBS and text payloads to evade inspection (‘The VBS script employed heavy Unicode-based obfuscation to conceal its true functionality’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of a Base64-encoded PowerShell command that retrieved remote content and executed in-memory payloads (‘reconstruct and execute a Base64-encoded PowerShell command’).
  • [T1140] Deobfuscate/Decode Files or Information – Decoding Base64-encoded content embedded in PNGs and text files to produce executable assemblies and payloads (‘PNG file contained a Base64-encoded .NET assembly appended to the image data’).
  • [T1105] Ingress Tool Transfer – Downloading of PNGs, ZIPs, BATs, and TXT payloads from attacker-controlled URLs and Cloudflare-backed hosts to stage payloads (‘retrieve remote content over HTTP’ and listed URLs such as ia600606.us.archive[.]org/…/MSI_PRO_with_b64.png).
  • [T1620] Reflective Code Loading – Loading of a .NET assembly directly into memory using Reflection.Assembly::Load to execute without writing to disk (‘extracted content was decoded and loaded directly into memory using the Reflection.Assembly::Load method’).
  • [T1053.005] Scheduled Task/Job – Use of scheduled tasks for persistence invoked by the in-memory loader to maintain execution across reboots (‘persistence through scheduled tasks’).
  • [T1204] User Execution – Delivery via a weaponized “PDF” Internet Shortcut and ZIP archive that relied on user interaction to trigger the batch script and follow-on retrieval (‘fake PDF internet shortcut file’ and execution redirected to Cloudflare domains).
  • [T1055] Process Injection – Python-based components exhibiting memory injection and shellcode execution after drop, indicating in-memory code execution techniques (‘Behavioral telemetry associated with the Python components included indicators of memory injection, shellcode execution’).

Indicators of Compromise

  • [Domain] attacker-controlled staging and delivery – news4me[.]xyz, bacteria-spent-endless-grammar.trycloudflare[.]com
  • [Open directory] exposed payload staging directories – news4me[.]xyz/coupon/, news4me[.]xyz/protector/
  • [URLs] PNG and payload hosts – hxxp://ia600606.us.archive[.]org/…/MSI_PRO_with_b64.png, hxxps://news4me[.]xyz/protector/johnremcos.txt
  • [File names] initial and staged scripts/payloads – Name_File.vbs, 44rrr.bat, Invoice-JL1852586778.pdf.zip
  • [DLL / binary] privilege escalation and loader artifacts – UAC.dll (a55d61fb7fe814afeab4f4d7f42be4cf60609414), Microsoft.Win32.TaskScheduler.dll (77429c27de47d09ac51bc4c5f44329fe823ad01c)
  • [PNG files] image-staged loaders – MSI_PRO_withb64.png (a4a3d9ac1df13736a29a615fc86b5f3835aba11d), uac.png (c214e2cde87d614daceb2cdcbf4ff88fa24a1d43)
  • [Hashes] known malicious script and archive hashes – 300ff.vbs (274ed28bd083feb5600297a1728a4063d6b415ad), 44rrr.bat (314b42be5ce942dd1c3d0bddb0cc6e0cdcb1acad), and many other hashes listed in the IOC table.
  • [Python files] dropped payloads used in secondary chain – 1UK-Vioooo.py (08E3321955…), 1aaaaannnov24.py (63A7CC185C…), and additional Python hashes indicating Kramer-family detections.
Read more: https://www.levelblue.com/blogs/spiderlabs-blog/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure