Double Vision: Stealthy Malware Dropper Delivers Dual RATs

silversurfer
A newly discovered initial-stage malware dropper has been discovered sneaking by antivirus products, with the ultimate goal of delivering a double-pronged whammy of RevengeRAT and WSH RAT payloads onto targeted Windows machines.

A FortiGuard Labs team recently captured a sample file that had been flagged as suspicious, but which had a notably low detection rate in VirusTotal. After putting the code through manual analysis, it turns out that the file was designed to drop the duo of remote access trojans (RATs) via a multi-stage infection process.

The sample starts its process with JavaScript code in a text editor, containing URL-encoded data.
“Once it’s decoded, we were able to uncover VBScript [Visual Basic Script] code,” explained Chris Navarrete and Xiaopeng Zhang, in an analysis posted Wednesday. “The author of this malware used simple character replacement when calling the ‘Chr()’ function in an attempt to hide the actual strings.”
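To make the two decoding layers described above concrete, here is an added Python example (analyst tooling written for this thread, not code from the FortiGuard write-up or the Threatpost article). It URL-decodes the payload out of a JavaScript wrapper, folds concatenated Chr() calls back into VBScript string literals, and lists any URLs that surface. The sample script, the `eval(unescape("..."))` wrapper shape, and the assumption that each Chr() argument is an integer literal or a simple `+`/`-` sum are all constructed for this example.

```python
"""
Two-layer de-obfuscation for a dropper-style sample (constructed for this example):
  layer 1: a JavaScript wrapper holding percent-encoded text
  layer 2: VBScript that hides strings as chains of Chr() calls joined with '&'
Assumption (hypothetical): Chr() arguments are integer literals or simple +/- sums.
"""
import re
from urllib.parse import quote, unquote

# Layer 2 as it looks after URL-decoding. Constructed sample, not the real dropper.
CONSTRUCTED_VBS = (
    'Set sh = CreateObject(Chr(87)&Chr(83)&Chr(99)&Chr(114)&Chr(105)&Chr(112)'
    '&Chr(116)&Chr(46)&Chr(83)&Chr(104)&Chr(101)&Chr(108)&Chr(108))\r\n'
    'url = Chr(103+1)&Chr(116)&Chr(116)&Chr(112)&Chr(58)&Chr(47)&Chr(47)'
    '&Chr(101)&Chr(120)&Chr(97)&Chr(109)&Chr(112)&Chr(108)&Chr(101)&Chr(46)'
    '&Chr(105)&Chr(110)&Chr(118)&Chr(97)&Chr(108)&Chr(105)&Chr(100)&Chr(47)'
    '&Chr(112)&Chr(46)&Chr(116)&Chr(120)&Chr(116)\r\n'
)
# Layer 1: the JavaScript wrapper with the percent-encoded VBScript (constructed).
CONSTRUCTED_STAGE1 = 'eval(unescape("' + quote(CONSTRUCTED_VBS, safe='') + '"));\n'

# The string literal handed to unescape()/decodeURIComponent() in the wrapper.
STAGE1_LITERAL = re.compile(
    r'(?:unescape|decodeURIComponent)\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
# One Chr() call: Chr(<int>) or Chr(<int> +/- <int>). VBScript is case-insensitive.
CHR_CALL = re.compile(r'Chr\(\s*(\d+)\s*(?:([+-])\s*(\d+))?\s*\)', re.IGNORECASE)
CHR_ATOM = r'Chr\(\s*\d+\s*(?:[+-]\s*\d+)?\s*\)'
# A chain of such calls joined by VBScript's '&' concatenation operator.
CHR_CHAIN = re.compile(rf'{CHR_ATOM}(?:\s*&\s*{CHR_ATOM})*', re.IGNORECASE)
# Recovered VBScript literals ("" inside a literal is an escaped quote).
VBS_STRING = re.compile(r'"((?:[^"]|"")*)"')
URL_LIKE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def eval_chr(m: re.Match) -> str:
    """Evaluate one Chr() call, applying the optional +/- offset."""
    code = int(m.group(1))
    if m.group(2):
        delta = int(m.group(3))
        code = code + delta if m.group(2) == '+' else code - delta
    return chr(code)


def deobfuscate_chr(vbs: str) -> str:
    """Replace every Chr() chain with the quoted literal it evaluates to."""
    def fold(chain: re.Match) -> str:
        text = ''.join(eval_chr(c) for c in CHR_CALL.finditer(chain.group(0)))
        return '"' + text.replace('"', '""') + '"'
    return CHR_CHAIN.sub(fold, vbs)


def decode_stage1(js: str) -> str:
    """Pull the percent-encoded literal out of the wrapper and decode it.
    Note: Python's unquote() does not handle JavaScript's %uXXXX form."""
    m = STAGE1_LITERAL.search(js)
    if not m:
        raise ValueError("no unescape()/decodeURIComponent() string literal found")
    return unquote(m.group(1))


def recovered_strings(vbs: str) -> list[str]:
    """All string literals present in the de-obfuscated VBScript, in order."""
    return [m.group(1).replace('""', '"') for m in VBS_STRING.finditer(vbs)]


def analyze(js: str) -> dict:
    """Run both layers and collect strings and URL-looking indicators."""
    vbs = deobfuscate_chr(decode_stage1(js))
    strings = recovered_strings(vbs)
    urls = sorted({u for s in strings for u in URL_LIKE.findall(s)})
    return {"vbscript": vbs, "strings": strings, "urls": urls}


if __name__ == "__main__":
    result = analyze(CONSTRUCTED_STAGE1)
    print(result["vbscript"])
    for s in result["strings"]:
        print("string:", s)
    for u in result["urls"]:
        print("url:", u)
```

Run it and the decoded second layer reads as plain VBScript with the Chr() chains replaced by literals, which is the form an analyst wants before writing detections or extracting indicators. Real samples vary the chain syntax (ChrW, string variables, Replace() calls), so treat the regexes as a starting point rather than a general decoder.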

RoboMan
These sound to me like a couple of zero-days

[image attachment: 1573822996499.png]


Even more interesting is the list of providers that could catch them even when "top firms" weren't aware of their lives.

plat
A case for an adjunct utility like OSArmor with the VBScript rule enabled, especially if you run MS Defender. There's an ASR rule--"Block JavaScript or VBScript from launching downloaded executable content." I wonder if this would also intervene, at least to some extent. Malware is getting highly sophisticated; one simple rule may not completely halt the infection process.