VileLoader

Back in the summer of 2020, DeathStalker’s VileRAT initial infection consisted in spear-phishing emails sent to foreign exchange companies... More recently... the initial infection vector is still a malicious message: a Word document (DOCX) is sent to targets via email.

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

Based on public reports and observed filenames, we believe that this variant is being distributed through fake software piracy sites in order to broadly infect systems.

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

VileLoader then opens its encoded companion shellcode file... maps the deobfuscated data in a region with read, write and execute (RWX) permissions, and runs the next stage (stage 2) by starting a new thread.

This payload and its filename are both obfuscated using XOR-based encoding methods... VileRAT’s core component is stored in a compressed, Xored, and base64 encoded buffer...

When executed, it validates the passed command line argument ... before dynamically resolving imports related to file loading and process execution.

Stairwell has observed new activity and has identified new variants of VileRAT being deployed by modified versions of legitimate installers that contain VileLoader.

VileLoader then opens its encoded companion shellcode file... maps the deobfuscated data in a region with read, write and execute (RWX) permissions, and runs the next stage (stage 2) by starting a new thread.

This NSIS Installer was signed on 13 August 2023 13:21:00 UTC from GLOSUB LLC.

This malware is consistently seen being deployed by an accompanying loader known as VileLoader, used to run VileRAT in-memory, limiting on-disk artifacts.

the DOTM-embedded macro silently gathers information about security products that are installed on the target computer... VileDropper: gathers additional data on the targeted environment... The JSON that is passed to the C2 server can be broken down as follows... host, uname, Windows version.

If the C2 server answers with an implant package... contains one or several “files” with the following additional metadata: A CSIDL value... A subdirectory name; A file name...

If the C2 server requests a screenshot, then VileLoader stage 2 sends an HTTP POST request... The associated HTTP POST body data is an encoded JPEG screenshot.

The useful information is stored as a JSON document... and set as a cookie value in the HTTP request... VileLoader stage 2 sends an HTTP POST request with a cookie whose value is a XORed JSON dictionary.

VileDropper sends data to a C2 server using an HTTP GET request... VileLoader’s second stage builds an HTTP GET request... VileRAT tries to send an HTTP POST request to each of the C2 servers that exist in its configuration.

VileLoader’s main goal is to download and execute an additional payload from a C2 server... If the C2 server answers with an implant package, it sends a Type D XORed blob... contains one or several “files”... Finally, the last dropped file is also immediately executed.

The useful information is stored as a JSON document, which is then XOR-encoded, base64-encoded, URL-encoded... The encrypted blob (cookie value) is initially a JSON dictionary, encrypted with the RC4 algorithm, XORed, base64-encoded and URL-encoded.