Keypoints
- Phishing emails deliver a malicious JAR (Payment-Advice.jar) hosted on AWS that downloads and executes additional JAR components.
- The initial JAR is obfuscated (commercial protector/Sense Shield/Virbox-style) and uses a loader to select OS-native modules from resources.
- VCURMS (windows.jar) installs to the Startup folder for persistence, reports online status, and polls an email account for commands (Proton Mail used for C2).
- Commands support information theft, shell execution (cmd.exe /c), file upload/download, and installing a recovery infostealer (st.jar) and keylogger (klog.jar) disguised as .jpg files and fetched via PowerShell.
- Components are obfuscated with Branchlock (and Allatori for STRRAT); deobfuscation support via Narumii was used during analysis.
- STRRAT configuration is Base64-decoded and AES-decrypted with passphrase “strigoi” to reveal C2 details and ID “Khonsari”.
- IOCs include email addresses, AWS S3-hosted domains, DDNS domains, and multiple file hashes listed in the report.
MITRE Techniques
- [T1566] Phishing – Used to deliver the initial malicious JAR via email: ‘…encourages them to click a button to verify payment information.’
- [T1204] User Execution – Execution depends on the victim running the downloaded JAR: ‘a harmful JAR file hosted on AWS is downloaded to the victim’s computer.’
- [T1105] Ingress Tool Transfer – Additional malicious JARs and components are downloaded from public hosting (AWS/GitHub): ‘attacker stored malware on public services like Amazon Web Services (AWS) and GitHub.’
- [T1027] Obfuscated Files or Information – Multiple commercial obfuscators (Branchlock, Allatori, Virbox protector) are used to hinder analysis: ‘obfuscated using the Branchlock obfuscator.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to download components disguised with .jpg extensions: ‘downloaded using a PowerShell command.’
- [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The RAT replicates to the Startup folder to achieve persistence: ‘replicates itself into the Startup folder to ensure that it runs automatically when Windows starts.’
- [T1071.003] Application Layer Protocol: Mail Protocols – Command-and-control and data exfiltration occur over email (Proton Mail): ‘communicates with its command and control through email.’
- [T1053] Scheduled Task/Job – The malware establishes a schedule to periodically check the mailbox for commands: ‘establishes a schedule to periodically check the mailbox.’
- [T1113] Screen Capture – The infostealer collects screenshots as part of stolen system data: ‘screenshots.’
- [T1083] File and Directory Discovery – The malware enumerates Desktop and Documents folders when collecting data: ‘files in the Desktop and Documents folders.’
Indicators of Compromise
- [E-mail] C2/actor addresses observed – copier@ferrellengineering[.]com, sacriliage@proton[.]me
- [Domains] Hosting and C2-related domains – bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com, riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com (and additional DDNS/C2 domains)
- [Files / Hashes] Malicious JAR hashes observed – 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9, 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249 (and 3 more hashes)
Fortinet’s analysis details the technical execution chain: a phishing email delivers Payment-Advice.jar which contains obfuscated classes (e.g., DownloadAndExecuteJarFiles.class) that download two additional JARs and execute them. The obfuscation includes commercial protectors and Branchlock/Allatori layers; analysts used Narumii/Deobfuscator to partially reverse Branchlock artifacts and identified a loader that selects OS-specific native modules from the JAR resources. Staged components include windows.jar (VCURMS RAT), st.jar (infostealer deployed to %USERPROFILE%\AppData\cookie\st.jar), and klog.jar (keylogger stored as %USERPROFILE%\AppData\cookie\klog.jar); the downloader also uses PowerShell to fetch JARs disguised with .jpg extensions.
VCURMS establishes persistence by copying itself into the Startup folder and scheduling periodic mailbox checks, reporting online status and extracting a machine identifier (computer name and Volume ID). It uses an email account (Proton Mail) as the C2 channel: command processing first matches identifying info in the email subject, then parses commands from the body. Supported commands include system info collection (OS, memory, user, Desktop/Documents listings), remote shell execution via cmd.exe /c (returning output by email), recovery (downloads and runs st.jar), start keylogger, get keylogger (attach logs), upload/download (attachments restricted to .jpg), and targeted file search. The infostealer collects browser cookies, autofill, history, saved passwords (Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, Yandex), and app data (Discord, Steam); STRRAT samples in the campaign use layered obfuscation and contain a resource configuration that is Base64-decoded and AES-decrypted with the passphrase “strigoi” to reveal C2 server info and the ID “Khonsari”.
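A defender-side check for two of the on-disk artefacts described above (a JAR fetched under a .jpg name, and a JAR copied into the Startup folder), written as an added example and not taken from Fortinet’s report; the sample profile tree is constructed in a temporary directory, and the Startup path used is the standard Windows per-user location rather than one quoted by the report.

```python
import io
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"  # every JAR is a ZIP archive and opens with this header
STARTUP_REL = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"

def is_jar_payload(data: bytes) -> bool:
    """True when bytes are a ZIP archive carrying a JAR manifest or .class entries."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)

def scan_profile(profile: Path) -> list[str]:
    """Report JARs masquerading as .jpg anywhere, and JARs sitting in the Startup folder."""
    startup = profile / STARTUP_REL
    findings = []
    for p in profile.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(profile).as_posix()
        if p.suffix.lower() == ".jpg" and is_jar_payload(p.read_bytes()):
            findings.append(f"jar-as-jpg:{rel}")
        elif p.suffix.lower() == ".jar" and startup in p.parents:
            findings.append(f"jar-in-startup:{rel}")
    return sorted(findings)

def build_constructed_profile(profile: Path) -> None:
    """Constructed sample tree: a JAR named st.jpg and a JAR copied into Startup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal JAR: manifest plus one class entry
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    cookie = profile / "AppData/cookie"  # drop folder named in the report
    cookie.mkdir(parents=True)
    (cookie / "st.jpg").write_bytes(buf.getvalue())  # stealer fetched under an image name
    startup = profile / STARTUP_REL  # assumed standard per-user Startup location
    startup.mkdir(parents=True)
    (startup / "windows.jar").write_bytes(buf.getvalue())  # RAT copy used for persistence

def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_profile(Path(tmp))
        return scan_profile(Path(tmp))
```

The content check matters more than the name check: a genuine JPEG starts with 0xFF 0xD8 0xFF, so an extension-only rule would miss the disguised JAR while a magic-byte rule catches it regardless of what the downloader named the file.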