Hacker Weaponizing Hard Disk Image Files To Deliver VenomRAT


Mar 19, 2025 - 10:57

A sophisticated phishing campaign is leveraging virtual hard disk (.vhd) files to distribute the dangerous VenomRAT malware.

The attack begins with purchase order-themed emails containing archive attachments that, when extracted, reveal hard disk image files designed to evade traditional security measures.

Batch file inside .vhd file (Source – Forcepoint)

Upon opening, the .vhd file mounts itself as a disk drive containing a heavily obfuscated batch script that performs malicious activities using PowerShell.

The batch file contains multiple layers of obfuscation including garbage characters, Base64 encoding, and AES encryption.

Forcepoint researchers identified that once executed, the malware creates a copy of itself in “C:\Users\%userprofile%\dwm.bat” and opens PowerShell to execute additional commands.

The script then modifies registry entries to ensure persistence on the infected system.

The attack chain continues as the malware drops additional files into the StartUp folder and connects to Pastebin.com where command and control server information is stored.

These techniques help the malware establish a foothold and maintain communication with its operators.
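The chain described above (batch file launched from a freshly mounted drive letter, cmd.exe spawning encoded PowerShell, a copy of the dropper in the profile root, a Run-key write, a Startup-folder drop and a script host reaching pastebin.com) is a good fit for simple correlation rules. The following is an added example written for this article, not Forcepoint's code or tooling: it runs six such rules over a constructed, Sysmon-like set of events and flags a host when enough indicators stack up. The event schema, file names, host names and the threshold of three indicators are all assumptions; the encoded PowerShell blob is a labelled placeholder.

```python
"""Correlate endpoint telemetry for the VHD -> batch -> PowerShell -> persistence chain.

Added detection example; the event shape below is a simplified, constructed
Sysmon-like schema, not output from any real sensor.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: ws01 shows the chain from the article, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "E:\PO_Document.bat"'},            # E: is the mounted .vhd
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand <constructed-base64>"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\alice\dwm.bat"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dwm",
     "value": r"C:\Users\alice\dwm.bat"},
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.bat"},
    {"host": "ws01", "type": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    {"host": "ws02", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\build.bat"'},             # batch on the system drive
    {"host": "ws02", "type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "pastebin.com", "dest_port": 443},             # browser, not a script host
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def batch_from_mounted_volume(ev):
    # A double-clicked .vhd is attached under a new drive letter; a .bat launched
    # from any letter other than C: is unusual on a workstation.
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("cmd.exe"):
        return False
    return re.search(r'\b[D-Z]:\\[^"]*\.bat\b', ev["cmdline"], re.I) is not None


def encoded_powershell_from_cmd(ev):
    # cmd.exe launching PowerShell with -e / -enc / -EncodedCommand.
    if ev["type"] != "process_create":
        return False
    img = ev["image"].lower()
    if not (img.endswith("powershell.exe") or img.endswith("pwsh.exe")):
        return False
    if not ev["parent"].lower().endswith("cmd.exe"):
        return False
    return re.search(r"-e(?:nc(?:odedcommand)?)?\s", ev["cmdline"], re.I) is not None


def dropper_copied_to_profile_root(ev):
    # A batch file written directly into C:\Users\<name>\ (the article's dwm.bat location).
    return ev["type"] == "file_create" and \
        re.match(r"^C:\\Users\\[^\\]+\\[^\\]+\.bat$", ev["path"], re.I) is not None


def run_key_persistence(ev):
    return ev["type"] == "registry_set" and "\\currentversion\\run\\" in ev["key"].lower()


def startup_folder_drop(ev):
    return ev["type"] == "file_create" and \
        "\\start menu\\programs\\startup\\" in ev["path"].lower()


def pastebin_from_script_host(ev):
    # Paste sites are a legitimate browser destination; a script host fetching them is not.
    if ev["type"] != "network_connect":
        return False
    return ev["dest_host"].lower().endswith("pastebin.com") and \
        ev["image"].lower().endswith(SCRIPT_HOSTS)


RULES = {
    "batch_from_mounted_volume": batch_from_mounted_volume,
    "encoded_powershell_from_cmd": encoded_powershell_from_cmd,
    "dropper_copied_to_profile_root": dropper_copied_to_profile_root,
    "run_key_persistence": run_key_persistence,
    "startup_folder_drop": startup_folder_drop,
    "pastebin_from_script_host": pastebin_from_script_host,
}


def analyze(events):
    """Return {host: sorted list of indicator names} for hosts with at least one hit."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def is_suspicious(indicators, threshold=3):
    # Assumed threshold: any single rule fires on benign admin activity now and
    # then; three or more on one host is worth an analyst's time.
    return len(indicators) >= threshold


if __name__ == "__main__":
    for host, names in analyze(SAMPLE_EVENTS).items():
        print(host, "SUSPICIOUS" if is_suspicious(names) else "benign", names)
```

Each rule is deliberately weak on its own; the value is in requiring several of them on the same host, which is what separates the ws01 chain from the benign batch file and browser traffic on ws02. Blocking auto-mount of .vhd/.vhdx and .iso attachments at the mail gateway removes the first link of the chain before any of this telemetry is generated.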

Analysis of VenomRAT

Analysis of the payload reveals it is VenomRAT version 6.0.3, which includes HVNC (Hidden Virtual Network Computing) service capabilities for remote system control.

DataLogs.conf in AppData – Roaming (Source – Forcepoint)

The malware drops a DataLogs.conf file in “C:\Users\%userprofile%\AppData\Roaming\MyData\” to capture keystrokes and other sensitive information.

Config file used by VenomRAT (Source – Forcepoint)

This configuration file contains an AES encryption key “a487de3093a5DGe47d49bc0733cbcleMec5Ed75adee513c39017e977a04597dr” and a salt value of “VenombatzyVeacon”, which the malware uses to encrypt its communication with its command servers.


The post Hacker Weaponizing Hard Disk Image Files To Deliver VenomRAT appeared first on Cyber Security News.