VileRAT strikes Windows: Beware of Malicious Software

February 2, 2024
1 min read

TLDR:

– A new variant of the VileRAT malware is being spread through fake software pirate websites, infecting Windows systems on a large scale.
– The Python-based VileRAT malware is used exclusively by the threat group tracked as Evilnum (also known as DeathStalker); this variant has been active since August 2023. It is distributed through the VileLoader loader, which runs VileRAT in memory to limit on-disk artifacts.
– VileRAT functions as a remote access tool, allowing attackers to record keystrokes, run commands, and obtain information remotely. It is extensible and modular, allowing actors to implement new features.
– Evilnum is a hacker-for-hire service known for attacking governments, legal offices, financial institutions, and cryptocurrency-related organizations in various regions.
– New variants of VileRAT have been observed, spread through modified installers that also carry VileLoader. The infection was previously distributed via malicious documents and LNK files.
– The new variant of VileRAT relies on a malicious Nulloy media player installer that carries VileLoader. VileLoader is packaged in the installer and launched by the NSIS install script.
– The core component of VileRAT is stored in a compressed, XORed and base64-encoded buffer inside the payload that VileLoader unpacks.
– Researchers estimate that between 1,000 and 10,000 devices are infected with this VileRAT strain.

A new variant of the VileRAT malware is being distributed through fake software-piracy websites, infecting Windows systems on a large scale. VileRAT is used exclusively by the threat group tracked as Evilnum (also known as DeathStalker), and this variant is believed to have been active since August 2023. It is typically delivered by the VileLoader loader, which runs VileRAT in memory to limit on-disk artifacts. VileRAT functions as a remote access tool, allowing attackers to record keystrokes, run commands and obtain information remotely. It is also extensible and modular, enabling the operators to add new features.

Evilnum, the hacker-for-hire service behind this VileRAT variant, has a history of attacking governments, legal offices, financial institutions and cryptocurrency-related organizations in the Middle East, the UK, the EU and the Americas. The new variant is spread through modified software installers that also carry VileLoader, whereas earlier infections were delivered via malicious documents and LNK files. Specifically, this variant relies on a trojanized Nulloy media player installer: VileLoader is packaged inside the installer and launched by the NSIS install script. VileLoader itself is a modified version of the legitimate NVIDIA 3D Vision Test Application. The core component of VileRAT is stored in a compressed, XORed and base64-encoded buffer within the payload that VileLoader unpacks.
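The layered buffer described above (compressed, then XORed, then base64-encoded) is a common way to hide an embedded payload. The following Python is an added example written for this page, not code from the VileRAT report or from the malware itself; it assumes zlib compression and a single-byte XOR key, neither of which the page specifies, and builds its own constructed sample buffer. It shows both the unpacking order an analyst has to reverse and how an unknown single-byte key can be recovered by checking for the zlib header byte.

```python
"""Unpack a base64 -> XOR -> compression layered payload.

Constructed example (not VileRAT's actual code or constants): the page only
states that the core component sits in a "compressed, XORed and base64
encoded" buffer. The compression algorithm (zlib here), the XOR key width
(single byte here) and the sample content are assumptions for illustration.
"""
import base64
import zlib


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (works for single- or multi-byte keys)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(plaintext: bytes, key: bytes) -> bytes:
    """Build a layered buffer in the order the page describes: compress, XOR, base64."""
    return base64.b64encode(xor_bytes(zlib.compress(plaintext), key))


def unpack(buffer: bytes, key: bytes) -> bytes:
    """Reverse the layers: base64-decode, XOR, decompress."""
    return zlib.decompress(xor_bytes(base64.b64decode(buffer), key))


def recover_single_byte_key(buffer: bytes) -> list:
    """Brute-force single-byte XOR keys when the key is unknown.

    A zlib stream starts with a CMF byte of 0x78 (deflate, 32K window), so
    candidate keys are those for which the first decoded byte becomes 0x78;
    each candidate is then confirmed by a full decompress. Returns the list of
    (key, plaintext) pairs that decode cleanly (normally exactly one).
    """
    raw = base64.b64decode(buffer)
    hits = []
    for k in range(256):
        if raw[0] ^ k != 0x78:
            continue
        try:
            hits.append((k, zlib.decompress(xor_bytes(raw, bytes([k])))))
        except zlib.error:
            pass
    return hits


# Constructed sample: stands in for the embedded core component.
SAMPLE_CORE = b"import socket  # constructed placeholder for the RAT core\n" * 4
SAMPLE_KEY = bytes([0x5A])  # assumed single-byte key, not VileRAT's
SAMPLE_BUFFER = pack(SAMPLE_CORE, SAMPLE_KEY)

if __name__ == "__main__":
    print(unpack(SAMPLE_BUFFER, SAMPLE_KEY)[:40])
    for key, plain in recover_single_byte_key(SAMPLE_BUFFER):
        print(f"key=0x{key:02x} -> {plain[:40]!r}")
```

The header check is what makes the brute force cheap: only the key that turns the first byte into 0x78 is ever decompressed, and a wrong guess that happens to match the header still fails the decompress and is discarded. For a multi-byte key, or a compressor without a fixed leading byte, the same loop would need a different known-plaintext anchor.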

Researchers estimate that between 1,000 and 10,000 devices are infected with this VileRAT strain. The distribution method itself is not new: skilled threat actors such as OnionDuke and APT37 have previously abused software piracy to conduct extensive campaigns. For Evilnum, however, moving from malicious documents and LNK files to fake software-piracy websites marks a shift in tactics. Users should be cautious when downloading software from unofficial sources: a cracked or repackaged installer can carry a loader such as VileLoader, and an in-memory payload like VileRAT leaves few on-disk artifacts to detect.
