See what lengths hackers are willing to go to get your secrets.

SonicWall specialists have detected a new VioletRAT malware distribution campaign. The attack utilizes a multi-stage delivery chain and a complex Python-based code injection scheme. The attackers employ multiple stages of downloading and stealthily launching the payload to gain a foothold on the system and bypass Windows security mechanisms.
Distribution begins with an email containing an archive. Inside the archive is a highly obfuscated BAT file. The file is saved in UTF-16LE encoding, so when opened in a standard text editor, it displays as a jumble of gibberish. This technique obscures the script's contents and reduces the likelihood of detection.
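One way a defender can triage the encoding trick described above, as an added example that is not part of the SonicWall write-up: the helper below flags batch scripts stored as UTF-16LE (with or without a byte-order mark) and decodes them to reviewable text. The sample script contents are constructed for illustration.

```python
# Added example (not from the SonicWall report): detect batch scripts saved in
# UTF-16LE, the encoding the campaign uses so the BAT file reads as gibberish in
# a plain editor. The sample scripts below are constructed for illustration.
import codecs
from typing import Optional


def detect_text_encoding(data: bytes) -> Optional[str]:
    """Return "utf-16-le"/"utf-16-be" when the raw bytes look like UTF-16, else None."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    # BOM-less UTF-16LE: ASCII text shows up as byte pairs whose high byte is 0x00.
    sample = data[:512]
    high_bytes = sample[1::2]
    if len(sample) >= 4 and high_bytes.count(0) > 0.8 * len(high_bytes):
        return "utf-16-le"
    return None


def is_suspicious_batch(data: bytes) -> bool:
    """A .bat/.cmd file encoded as UTF-16 is unusual and worth a closer look:
    naive string scanners see only interleaved null bytes."""
    return detect_text_encoding(data) is not None


def decode_batch_script(data: bytes) -> str:
    """Decode the script to plain text so its commands can be reviewed."""
    enc = detect_text_encoding(data) or "utf-8"
    return data.decode(enc, errors="replace").lstrip("\ufeff")


# Constructed samples (harmless content, not the campaign's script)
PLAIN_BAT = b"@echo off\r\necho hello\r\n"
UTF16_BOM_BAT = codecs.BOM_UTF16_LE + "@echo off\r\necho hello\r\n".encode("utf-16-le")
UTF16_NOBOM_BAT = "@echo off\r\necho hello\r\n".encode("utf-16-le")
```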
Once launched, the BAT file silently launches PowerShell and opens google.com in the browser. The script then downloads the did.zip archive from cloud storage and saves it to the %USERPROFILE%/Contacts/dad directory. At the same time, an additional start.bat script is downloaded to the Windows startup folder, ensuring that the malicious code is re-executed each time the system starts.
The next step involves running the Python script stry.py. The archive contains several components: encrypted shellcode in the file nou.bin, decryption keys in a.txt, and a set of auxiliary Python libraries. The script masks data types, API names, and function parameters by assigning them different names. Internally, the tool calls itself Advanced Payload Executor.
The script collects keys from the a.txt file, concatenates them, and applies a series of transformations to decrypt the shellcode. First, the key is reversed, then an XOR operation is applied. The resulting compressed data block is decompressed using the zlib.decompress function. Once prepared, the code is injected into the explorer.exe process. It is launched via the ResumeThread and WaitForSingleObject system APIs.
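For analysts reproducing the decryption chain offline, the following is an added reconstruction, not code from the report or from the stry.py script: it assumes one key fragment per line in a.txt, joined in file order, and a repeating-key XOR, neither of which the report states. A wrong key leaves a corrupt zlib stream, which the decoder reports as a failure rather than garbage.

```python
# Added example (not from the SonicWall report): reverse the reported chain
# reverse key -> XOR -> zlib.decompress to recover the payload from a blob such
# as nou.bin. Key concatenation order and XOR mode are assumptions (see below).
import zlib
from typing import Optional


def build_key(key_file_text: str) -> bytes:
    """Concatenate key fragments (assumed one per line, file order) and reverse them."""
    joined = "".join(line.strip() for line in key_file_text.splitlines() if line.strip())
    return joined.encode()[::-1]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed; the report only says 'an XOR operation')."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_blob(blob: bytes, key_file_text: str) -> bytes:
    """Apply the chain; zlib.error is raised if the key (or assumptions) are wrong."""
    return zlib.decompress(xor_repeating(blob, build_key(key_file_text)))


def try_decrypt(blob: bytes, key_file_text: str) -> Optional[bytes]:
    """Return the decrypted bytes, or None when the result is not a valid zlib stream.
    The zlib header check makes this a cheap test for a wrong key."""
    try:
        return decrypt_blob(blob, key_file_text)
    except (zlib.error, ValueError):
        return None


def make_sample_blob(payload: bytes, key_file_text: str) -> bytes:
    """Forward direction, used only to build a constructed test blob."""
    return xor_repeating(zlib.compress(payload), build_key(key_file_text))


# Constructed inputs: placeholder text, not shellcode, and made-up key fragments
CONSTRUCTED_KEYS = "alpha\nbravo\ncharlie\n"
CONSTRUCTED_PAYLOAD = b"constructed placeholder payload, not real shellcode " * 4
CONSTRUCTED_BLOB = make_sample_blob(CONSTRUCTED_PAYLOAD, CONSTRUCTED_KEYS)
```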
The shellcode continues the stealth loading chain. The malicious code dynamically locates the addresses of functions in the ntdll.dll and kernel32.dll libraries. It then decrypts an additional data block and loads several libraries, including oleaut32.dll, mscoree.dll, wininet.dll, and ole32.dll. A separate stage is dedicated to disabling the AMSI mechanism, which is responsible for in-memory scanning. The code overwrites the AmsiScanBuffer and AmsiScanString functions so that the scan always returns a "safe" result.
After bypassing security mechanisms, the loader launches the .NET runtime directly within the process. It uses the CLR Hosting mechanism, which allows the native process to control the .NET runtime. The malicious module creates a new application domain and transfers the executable file to it, which is then executed via internal CLR mechanisms.
The final payload is the VioletRAT remote access Trojan. This malware-as-a-service program gives the operator full control of the infected system. Its control panel includes device management functions, network tools, and the ability to interfere with Windows Defender.
According to SonicWall, the new loader scheme demonstrates the growing complexity of VioletRAT's infrastructure and more advanced methods for bypassing Windows security mechanisms.