In 2023, FortiGuard Labs uncovered the 8220 Gang's use of ScrubCrypt to launch attacks against exploitable Oracle WebLogic Servers. ScrubCrypt has been described as an "antivirus evasion tool" that converts executables into undetectable batch files. It offers several options for manipulating malware, making it harder for antivirus products to detect.

Analysts recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) files. The email lures victims into clicking on an attachment, which downloads a ZIP file containing a batch file obfuscated with the BatCloak tool. ScrubCrypt is then used to load the final payload, VenomRAT, while maintaining a connection with a command and control (C2) server in order to install plugins in victims' environments. The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets.
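The delivery chain above starts with an SVG attachment that acts as a lure. As an added defender-side example (not code from the report or from FortiGuard), the Python screen below flags the active content such a lure depends on: script elements, event-handler attributes, foreignObject, and external, data: or javascript: hrefs. The sample SVGs are constructed and the URLs are placeholders.

```python
"""Flag SVG email attachments carrying active content (script, event
handlers, external links) of the kind used as phishing lures."""
import re
import xml.etree.ElementTree as ET

# Attribute values that make an <a>/<image>/<use> href worth flagging
RISKY_HREF = re.compile(r"^\s*(https?:|javascript:|data:)", re.I)


def svg_risk_indicators(svg_bytes: bytes) -> list[str]:
    """Return sorted, de-duplicated indicator names found in the SVG.

    An empty list means none of the screened constructs were present.
    """
    hits = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-svg"]  # malformed attachments deserve a look too
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag == "script":
            hits.append("script-element")
        if tag == "foreignobject":
            hits.append("foreignObject")  # can embed arbitrary HTML
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()  # xlink:href -> href
            if name.startswith("on"):
                hits.append(f"event-handler:{name}")
            if name == "href" and RISKY_HREF.match(value):
                scheme = value.split(":")[0].strip().lower()
                hits.append(f"external-href:{scheme}")
    return sorted(set(hits))


# Constructed samples, not taken from the report
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="https://example.invalid/invoice.zip"><text>Open</text></a>'
    b'<script>window.location="https://example.invalid/x.zip"</script></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, svg_risk_indicators(sample))
```

Run it over attachments at the mail gateway and quarantine anything with a non-empty result for analyst review.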
The full report, with detailed insights into how the threat actor distributes VenomRAT and the other plugins: IR-24-100-001_VenomRAT.pdf