VileRAT Updated to Target More Cryptocurrency Exchanges

What’s the new update?

• According to the researchers from Securelist, DeathStalker has been updating the features of VileRAT through 2021, with the latest update observed in June 2022.
• Several new samples of the trojan with new infrastructure have been identified since March 2022, which indicates an increase in compromise attempts. 
• There has also been a change in the infection vector that had initially started with links to a malicious file hosted on Google Drive. In 2021, malicious Word documents were used instead of URLs to drop the malware.
• However, from July 2022, the attackers have begun leveraging chatbots on targeted companies’ websites to send malicious documents. The documents are named with keywords such as ‘compliance’ or ‘complaint.’

VileRAT dropped using VileDropper

• The campaign uses the VBA stomping technique to conceal the macros embedded within malicious documents.
• These macros, when enabled, ultimately execute a malicious obfuscated JavaScript backdoor called VileDropper. Later this VileDropper is scheduled to drop VileRAT. 

VileRAT versions and functionalities

• Researchers have obtained various versions of VileRAT, ranging from 2.4 to 8. Some of the functionalities are similar across all the samples. 
• While some are dropped by leveraging SSH as a C2 channel or screenshotting, the latest versions are deployed using VileLoader.
• The primary functionality of VileRAT includes keylogging, executing arbitrary code, listing security solutions from targeted systems, and self-updating from a C2 server. 
• So far, the victims of DeathStalker’s VileRAT are foreign exchange and cryptocurrency organizations in Bulgaria, Cyprus, Germany, Kuwait, the UAE, Malta, and the Russian Federation. 

Conclusion