Fileless, Modular, and Scalable: LevelBlue SpiderLabs is Tracing a Modern Multi-Vector Malware Campaign

Khushal

Apr 4, 2024
LevelBlue SpiderLabs investigates a multistage delivery operation built on VBS loaders & open-directory hosting. The chain combines Unicode obfuscation, PNG-based staging and in-memory .NET execution. Follow-on payloads include XWorm variants & Remcos RAT.

 
This campaign stands out because it mixes several old but still effective techniques into one delivery chain.

What is notable here

  • A VBS-based initial stage, which is still commonly abused because Windows scripting remains widely available on unmanaged systems
  • Unicode and text obfuscation to make simple static inspection harder
  • PNG-based staging, where image files are used to hide or transport encoded data
  • In-memory .NET execution, which reduces obvious disk artifacts
  • Use of open-directory hosting, which gives attackers cheap and disposable infrastructure

Why that matters

Individually, none of these techniques are new. The concern is the combination:

  • Script-based delivery can bypass users who only look for obvious executable attachments
  • Staged delivery makes detection harder because each component may look less suspicious on its own
  • Memory-only execution can reduce forensic visibility if telemetry is limited
  • Commodity RATs such as XWorm and Remcos remain dangerous even when they are not technically advanced

Defensive takeaway

For defenders, the practical response is less about the specific malware family and more about the behavior chain:

  • Monitor script interpreters such as wscript.exe and cscript.exe
  • Inspect child-process creation from script hosts
  • Watch for unusual network retrieval from public or open-directory infrastructure
  • Harden PowerShell, Windows Script Host, and macro/script execution where possible
  • Use EDR or antivirus telemetry to catch in-memory execution patterns and .NET abuse
  • Submit suspicious samples or URLs to VirusTotal for broader correlation rather than assuming they are unique

Bottom line

This looks like a good example of attackers combining low-cost infrastructure with layered staging to deliver common RAT payloads more effectively. The malware itself may be familiar, but the delivery workflow is what deserves attention.
 
Executive Summary

Confirmed Facts

Telemetry confirms a multi-stage malware campaign utilizing Unicode-obfuscated VBS scripts (e.g., Name_File.vbs) to execute fileless PowerShell loaders. The PowerShell components retrieve PNG files containing Base64-encoded .NET assemblies (PhantomVAI) that are reflectively loaded into memory to stage secondary payloads like XWorm and Remcos RAT from open directories.

Assessment

The attacker has established a highly modular and scalable infrastructure using Cloudflare-backed domains and open directories (e.g., /coupon/, /protector/). The separation of the loader mechanism from the payload allows the threat actor to rapidly rotate malicious binaries while evading traditional file-based detection.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1059.005 (Command and Scripting Interpreter: Visual Basic) - Use of VBS loaders.
  • T1059.001 (Command and Scripting Interpreter: PowerShell) - Fileless delivery mechanism.
  • T1027 (Obfuscated Files or Information) - Unicode obfuscation in VBS and Base64-encoded payloads hidden within PNG image data (Steganography).
  • T1620 (Reflective Code Loading) - Loading the PhantomVAI .NET assembly directly into memory via Reflection.Assembly::Load.
  • T1053.005 (Scheduled Task/Job: Scheduled Task) - The structure suggests persistence is achieved via scheduled tasks.
  • T1548.002 (Bypass User Account Control) - Use of a UAC Bypass DLL (UAC.dll).

CVE Profile

CVE: Unknown (NVD Score: Unknown; CISA KEV Status: Inactive).
(Source telemetry does not identify specific vulnerability exploitation; relies on script execution.)

Telemetry

Files:

  • Name_File.vbs
  • MSI_PRO_with_b64.png (a4a3d9ac1df13736a29a615fc86b5f3835aba11d)
  • johnremcos.txt (ffe9a4a3daaa5773e324014d0282d4c6bbbc1da2)
  • UAC.dll (a55d61fb7fe814afeab4f4d7f42be4cf60609414)
  • Invoice-JL1852586778.pdf.zip (98CDFB464D8A98E07479909DD1DB04EEC849E94E)

Domains/URLs:

  • news4me[.]xyz
  • bacteria-spent-endless-grammar.trycloudflare[.]com
  • tammhdka[.]pro:5590

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

  • Initiate incident response protocols if endpoint telemetry indicates successful execution of the VBS payload or outbound connections to the identified Cloudflare domains.

DETECT (DE) – Monitoring & Analysis

  • Deploy hunting queries across EDR telemetry for PowerShell executions containing Net.WebClient combined with external requests for .png or .txt files.
  • Monitor network logs for connections to .xyz domains and Cloudflare tunnels (*.trycloudflare.com) exhibiting anomalous traffic patterns.

RESPOND (RS) – Mitigation & Containment

  • Quarantine any host where Name_File.vbs or related scripts executed successfully.
  • Block known attacker domains (news4me[.]xyz, tammhdka[.]pro, tammhdka[.]cloud) at the perimeter firewall and DNS sinkholes.

RECOVER (RC) – Restoration & Trust

  • Reimage confirmed compromised hosts, as the fileless nature of PhantomVAI and secondary deployments of Remcos/XWorm complicate guaranteed eradication.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

  • Restrict the execution of .vbs and .bat files from user-writable directories (e.g., \Users\Public\Downloads\) via AppLocker or Windows Defender Application Control (WDAC).
  • Enforce Constrained Language Mode for PowerShell to limit the capabilities of fileless loaders.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

  • Disconnect from the internet immediately if you suspect you have opened a fake invoice file or script from your Downloads folder.
  • Do not log into banking/email until verified clean.

Priority 2: Identity

  • Reset passwords/MFA using a known clean device (e.g., phone on 5G), as InfoStealers and RATs (like Remcos) may have compromised local credentials.

Priority 3: Persistence

  • Check Scheduled Tasks, Startup Folders, and Browser Extensions for anomalous entries, as the loader attempts to establish persistence here.
  • Run a full system scan using Microsoft Defender or a reputable third-party antivirus, ensuring definitions are up to date.

Hardening & References

Baseline
Align configurations with CIS Microsoft Windows Desktop Benchmarks, specifically regarding script host isolation and PowerShell execution policies.

Framework
NIST CSF 2.0 / SP 800-61r3.

Reference
Network filtering should restrict WebDAV traffic (DavWWWRoot) to external untrusted domains, as this was observed in the secondary infection vector.

Source
LevelBlue
 
What this report teaches us everyday users is that malware isn't always an obvious, suspicious '.exe' file anymore. Now it disguises itself as simple images or scripts that look harmless. The big takeaway here is healthy skepticism: if you receive an invoice or a file you weren't expecting, it doesn't matter if it looks like an image or a text document—if you didn't ask for it, don't open it. In cybersecurity, curiosity is the attacker's best ally. 🖼️🕵️‍♂️
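As an added example (not code from the LevelBlue report or from this post), here is a small Python hunting rule that applies the DETECT points above to process-creation events: a script host spawning PowerShell, Net.WebClient fetching a .png or .txt from the listed domains or a trycloudflare tunnel, and a Reflection.Assembly::Load call. The event field names and the sample events are assumptions constructed for the example; the indicators come from the report.

```python
import re
from dataclasses import dataclass

# Indicators and behaviours below come from the report above; the sample
# events at the bottom are constructed for this example, not real telemetry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BLOCKED_DOMAINS = {"news4me.xyz", "tammhdka.pro", "tammhdka.cloud"}
TUNNEL_SUFFIX = ".trycloudflare.com"
# URL whose path ends in .png or .txt, the staging file types named in the report
STAGING_URL = re.compile(r"https?://([^/\s'\"]+)[^\s'\"]*\.(png|txt)\b", re.I)

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 or an EDR equivalent)."""
    parent_image: str
    image: str
    command_line: str

def hunt(ev: ProcEvent) -> list[str]:
    """Return ATT&CK-tagged findings for one event; an empty list means nothing matched."""
    findings = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    low = ev.command_line.lower()
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        findings.append("T1059.005>T1059.001 script host spawned PowerShell")
    m = STAGING_URL.search(ev.command_line)
    if "net.webclient" in low and m:
        host, ext = m.group(1).lower().split(":")[0], m.group(2).lower()  # drop :port
        findings.append(f"T1027 WebClient fetch of .{ext} from {host}")
        if host in BLOCKED_DOMAINS or host.endswith(TUNNEL_SUFFIX):
            findings.append(f"IOC {host} matches reported infrastructure")
    if "reflection.assembly" in low and "::load" in low:
        findings.append("T1620 reflective .NET assembly load")
    return findings

SAMPLE_EVENTS = [  # constructed; shaped like the reported chain, elided with "..." on purpose
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden ... New-Object Net.WebClient ... DownloadString("
              "'http://news4me.xyz/coupon/MSI_PRO_with_b64.png') ... [Reflection.Assembly]::Load(...)"),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh -c ... Net.WebClient ... "
              "'https://bacteria-spent-endless-grammar.trycloudflare.com/protector/johnremcos.txt'"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-ChildItem C:\\Users\\Public\\Downloads"),
]
```

Feed real Sysmon or EDR process events into hunt() and alert when the spawn finding and either the fetch or the reflective-load finding occur together; the third sample shows an ordinary admin command producing no findings.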
 
