A sophisticated phishing campaign is leveraging virtual hard disk (.vhd) files to distribute the dangerous VenomRAT malware. The attack begins with purchase order-themed emails containing archive attachments that, when extracted, reveal hard disk image files designed to evade traditional security measures. Upon opening, the .vhd file mounts itself as a disk drive containing a heavily obfuscated batch script that performs malicious activities using PowerShell. The batch file contains multiple layers of obfuscation, including garbage characters, Base64 encoding, and AES encryption.

Forcepoint researchers identified that once executed, the malware creates a copy of itself in “C:\Users\%userprofile%\dwm.bat” and opens PowerShell to execute additional commands. The attack chain continues as the malware drops additional files into the StartUp folder and connects to Pastebin.com, where command and control server information is stored. This configuration file contains an AES encryption key “a487de3093a5DGe47d49bc0733cbcleMec5Ed75adee513c39017e977a04597dr” with a salt value of “VenombatzyVeacon”, which the malware uses for secure communication with its command servers.

The malware also drops a DataLogs.conf file in “C:\Users\%userprofile%\AppData\Roaming\MyData\” to capture keystrokes and other sensitive information. Analysis of the payload reveals it is VenomRAT version 6.0.3, which includes HVNC (Hidden Virtual Network Computing) service capabilities for remote system control.
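As an added example (not code from the article or from Forcepoint's research), the following detection logic runs over constructed endpoint telemetry and flags the artifacts described above: PowerShell launched by cmd.exe from a batch file on a mounted drive, the dwm.bat self-copy, the DataLogs.conf keylog file, a write into the StartUp folder, and a Pastebin lookup made by a shell rather than a browser. The event field names are a hypothetical Sysmon-like shape, and the assumption that the mounted .vhd receives a non-system drive letter is mine, not the article's.

```python
import re

# Artifacts named in the article, as case-insensitive path patterns.
DWM_COPY = re.compile(r"^c:\\users\\[^\\]+\\dwm\.bat$", re.I)
KEYLOG_CONF = re.compile(r"\\appdata\\roaming\\mydata\\datalogs\.conf$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Assumption: the mounted .vhd receives a non-system drive letter, so a .bat
# launched by cmd.exe from any drive other than C: is treated as suspicious.
BAT_OFF_SYSTEM_DRIVE = re.compile(r"\b[d-z]:\\[^\s\"]*\.bat\b", re.I)
SHELLS = ("powershell.exe", "cmd.exe")

def scan_event(ev):
    """Return the rule names this (hypothetical Sysmon-like) event matches."""
    hits = []
    if ev["type"] == "process":
        if (ev["image"].lower().endswith("powershell.exe")
                and ev["parent_image"].lower().endswith("cmd.exe")
                and BAT_OFF_SYSTEM_DRIVE.search(ev["parent_cmdline"])):
            hits.append("powershell_from_bat_on_mounted_drive")
    elif ev["type"] == "file":
        target = ev["target"]
        if DWM_COPY.search(target):
            hits.append("dwm_bat_self_copy")
        if KEYLOG_CONF.search(target):
            hits.append("datalogs_conf_keylog")
        if STARTUP_DIR.search(target):
            hits.append("startup_folder_drop")
    elif ev["type"] == "network":
        # Pastebin reached by a shell, not a browser: C2 config retrieval.
        if (ev["dest_host"].lower().endswith("pastebin.com")
                and ev["image"].lower().endswith(SHELLS)):
            hits.append("pastebin_c2_lookup_from_shell")
    return hits

def scan_events(events):
    """Map event id -> matched rules, keeping only events that match."""
    return {ev["id"]: h for ev in events if (h := scan_event(ev))}

# Constructed sample telemetry (not real data); drive E: is the mounted .vhd.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"id": 1, "type": "process", "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "E:\PO-2025.bat"'},
    {"id": 2, "type": "file", "target": r"C:\Users\alice\dwm.bat"},
    {"id": 3, "type": "file", "target": r"C:\Users\alice\AppData\Roaming\MyData\DataLogs.conf"},
    {"id": 4, "type": "file", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"id": 5, "type": "network", "image": PS, "dest_host": "pastebin.com"},
    {"id": 6, "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "pastebin.com"},
    {"id": 7, "type": "file", "target": r"C:\Users\alice\Documents\notes.txt"},
]
```

Running `scan_events(SAMPLE)` flags events 1 through 5 and leaves the browser's Pastebin visit and the ordinary document write alone.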
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 08:40:04 +0000