In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd) to distribute the VenomRAT malware, exploiting a novel technique to bypass security measures.
This campaign begins with a phishing email that uses a purchase order as a lure, enticing users to open an attached archive file.
Upon extraction, the archive reveals a .vhd file, which mounts itself as a hard disk drive when opened.
Inside this virtual drive is a batch script that executes malicious activities using PowerShell, ultimately sending sensitive information to command and control (C2) servers.
The VenomRAT Attack Chain
The attack chain involves several stages. Initially, the phishing email tricks users into opening the .vhd file.

Once mounted, the file executes a batch script that is heavily obfuscated with garbage characters, Base64, and AES encryption.
This script spawns a PowerShell process to perform further malicious actions.
It creates a copy of itself in the user’s directory, modifies system registries, and drops a cmd script in the Startup folder to ensure persistence.
The script also connects to Pastebin.com, where C2 information is stored, and drops a file named DataLogs.conf in the AppData/Roaming directory.
This file is used to capture keystrokes and other sensitive data, which are then sent to the C2 servers.
The execution of the batch script involves several key activities.


It creates a .NET compiled executable along with a config file, which acts as a dependency for network connections and performs system checks.
The config file reveals the presence of VenomRAT using HVNC service and specifies an AES key used for decryption.
The malware exploits legitimate services like Pastebin to host its C2 infrastructure, making it challenging to detect.
Protection and Mitigation
To combat this threat, cybersecurity solutions like those offered by Forcepoint can protect against various stages of the attack.
These include identifying and blocking malicious attachments, blocking URLs that download further payloads, adding dropper files to malicious databases, and categorizing C2 servers under security categories to block them.
Users are advised to be cautious with email attachments and to use robust security software to detect and prevent such threats.
As RATs continue to evolve, staying vigilant and employing advanced security measures is crucial to mitigate these sophisticated attacks.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.