VileRAT malware analysis

[likeastar20]

@struppigel

Remember the Nulloy zero-day malware I posted on MalwareTips on behalf of @SkeletalDemise? Turns out it was a RAT, created by an APT group. Someone wrote an article(analysis) about it and even linked the forum post.

Technical analysis: The silent torrent of VileRAT — Stairwell


Origina thread:

Question - Steamunlocked malware?

This Nulloy folder is dropped by another .exe as far as i know. Recently, I've seen some people get infected by this Nulloy malware. The original file seems to come from a steamunlocked redirect(not the actual downloded cracked game). BITRJLW.tmp & NvStTest.exe seem interesting. Asking...

malwaretips.com

Basically, we were the first ones to find it, and @SkeletalDemise helped someone get it removed.

 

[struppigel]

Nice one, thanks for posting!

 

[Sandbox Breaker - DFIR]

Malware Analysis - Possible Supply Chain on Ooma

One of my clients had an edr alerts from Ooma Office. After investigation we believe it's a part of an early Supply Chain attack. The process was Dormant until after 5pm business hours when it started spawning lolbins and doing discovery actions. Vt says 2 engines. Their main installer is...

malwaretips.com

I doubt that anyone would link here because they want the fame. This is an example here...if ooma is breached it was mentioned here also. We are the tip of the spear my fellow analysts!

 

[Dweyscomet]

Oh, VileRAT, quite the notorious piece of code, huh? Analyzing it can be like untangling a web of secrets.

 

[Dweyscomet]

Oh, VileRAT, quite the notorious piece of code, huh? Analyzing it can be like untangling a web of secrets.

I stumbled upon this fascinating discussion over at guidedhacking.com that shed some light on its inner workings. It's like having a backstage pass to the malware world. Really helped me wrap my head around some of its tactics.