VHDs Used to Distribute VenomRAT and Other Malware

    Date: 03/17/2025

    Severity: High

    Summary

    The blog post discusses how threat actors use Virtual Hard Disk (VHD) image files to deliver and distribute VenomRAT malware. The campaign begins with a phishing email that lures victims with a purchase order attachment. When the attachment is extracted, it contains a VHD file that, once opened, mounts as a virtual drive. Inside, a batch script launches PowerShell to carry out its malicious activity, exfiltrates sensitive data, and communicates with Command and Control servers. Because the payload is hidden inside a disk image, this method allows the malware to bypass traditional security measures and infect systems.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://Pastebin.com/raw/i3NzmwEg

    ggggg.gettt

    IP Address 

    81.19.131.153

    217.64.148.159

    Hash

    74262a750437b80ed15aeca462172b50d87096e5

    df9fb41bffbb7479776d1d9a1eecdbb94abdf99b

    ae467b8593e340194dc73dc3db6363c3e73ca970

    ddc7315a3903974624dfd750a374c37c9c67c6dd

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "ggggg.gettt" or url like "ggggg.gettt" or userdomainname like "https://Pastebin.com/raw/i3NzmwEg" or url like "https://Pastebin.com/raw/i3NzmwEg"

    Detection Query 2

    dstipaddress IN ("217.64.148.159","81.19.131.153") or ipaddress IN ("217.64.148.159","81.19.131.153") or publicipaddress IN ("217.64.148.159","81.19.131.153") or srcipaddress IN ("217.64.148.159","81.19.131.153")

    Detection Query 3

    sha1hash IN ("df9fb41bffbb7479776d1d9a1eecdbb94abdf99b","ae467b8593e340194dc73dc3db6363c3e73ca970","74262a750437b80ed15aeca462172b50d87096e5","ddc7315a3903974624dfd750a374c37c9c67c6dd")
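    The three detection queries above can be exercised offline against log records before they are deployed in a SIEM. The following script is an added example, not part of the original advisory or of Gurucul's TDIR product: it loads the IOCs listed above, parses a constructed key=value log format (an assumption; real sources will differ), and applies the same field names and matching rules the queries use. Comparison is case-insensitive, which is an assumption about how the platform's `like` and `IN` operators behave; the sample log lines are constructed for illustration.

```python
"""Apply the advisory's three IOC detection queries to sample log records."""
import re

# IOC values taken from this advisory, lowercased for case-insensitive matching.
IOC_DOMAINS = {"ggggg.gettt"}
IOC_URLS = {"https://Pastebin.com/raw/i3NzmwEg".lower()}
IOC_IPS = {"81.19.131.153", "217.64.148.159"}
IOC_SHA1 = {
    "74262a750437b80ed15aeca462172b50d87096e5",
    "df9fb41bffbb7479776d1d9a1eecdbb94abdf99b",
    "ae467b8593e340194dc73dc3db6363c3e73ca970",
    "ddc7315a3903974624dfd750a374c37c9c67c6dd",
}

# Field names mirror the detection queries; any other fields in a record are ignored.
NETWORK_FIELDS = ("userdomainname", "url")           # Detection Query 1
IP_FIELDS = ("dstipaddress", "ipaddress",
             "publicipaddress", "srcipaddress")      # Detection Query 2
HASH_FIELDS = ("sha1hash",)                          # Detection Query 3

# Constructed sample log lines (not real telemetry). Private/TEST-NET addresses
# are used for the non-malicious side of each connection.
SAMPLE_LOGS = [
    'ts=2025-03-17T10:01:02Z srcipaddress=10.0.0.5 dstipaddress=217.64.148.159 url="http://ggggg.gettt/"',
    'ts=2025-03-17T10:01:09Z host=ws01 sha1hash=DF9FB41BFFBB7479776D1D9A1EECDBB94ABDF99B filename="order.vhd"',
    'ts=2025-03-17T10:02:30Z srcipaddress=10.0.0.7 dstipaddress=198.51.100.10 url="https://example.com/"',
    'ts=2025-03-17T10:03:11Z srcipaddress=10.0.0.5 url="https://Pastebin.com/raw/i3NzmwEg"',
]


def parse_kv_line(line):
    """Parse 'key=value key2="quoted value"' into a dict with lowercased keys."""
    record = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        record[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return record


def match_record(record):
    """Return a list of (query_number, field, value) hits for one parsed record."""
    hits = []
    for field in NETWORK_FIELDS:
        value = record.get(field)
        if value:
            lowered = value.lower()
            # 'like' is treated as a substring match, so a domain IOC also
            # fires on a full URL that embeds it.
            if any(d in lowered for d in IOC_DOMAINS) or any(u in lowered for u in IOC_URLS):
                hits.append((1, field, value))
    for field in IP_FIELDS:
        value = record.get(field)
        if value and value in IOC_IPS:
            hits.append((2, field, value))
    for field in HASH_FIELDS:
        value = record.get(field)
        if value and value.lower() in IOC_SHA1:
            hits.append((3, field, value))
    return hits


def scan_lines(lines):
    """Map line index -> hits for every line that matches at least one query."""
    results = {}
    for idx, line in enumerate(lines):
        hits = match_record(parse_kv_line(line))
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LOGS).items():
        for query, field, value in hits:
            print(f"line {idx}: Detection Query {query} matched {field}={value}")
```

    Running the script reports two hits on the first sample line (the `ggggg.gettt` domain inside the URL and the C2 address as destination IP), one hash hit on the second, nothing on the third, and the Pastebin URL on the fourth. Normalising case on both the IOC and the observed value matters: the hash in line two arrives in upper case, and a strict comparison would miss it.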

    Reference:

    https://www.forcepoint.com/blog/x-labs/venomrat-malware-uses-virtual-hard-drives


    Tags

    Malware, VenomRAT, RAT, Phishing, Threat Actors

