VileRAT Attacking Windows Machines via Malicious Software

A new variant of VileRAT is being distributed through fake software pirate websites to infect Windows systems on a large scale.

This Python-based VileRAT malware family is believed to be exclusive to the Evilnum threat group (also tracked as DeathStalker), which has been active since August 2023.

It is frequently observed being spread by the VileLoader loader, which is designed to run VileRAT in-memory and limit on-disk artifacts. 

It functions similarly to conventional remote access tools, allowing attackers to record keystrokes, run commands, and obtain information remotely. Because VileRAT is extensible and modular, actors can use the framework to implement new features.

According to public reports, Evilnum is a hacker-for-hire service with a history of attacking governments, legal offices, financial institutions, and cryptocurrency-related organizations in the Middle East, the UK, the EU, and the Americas.


New Variants of VileRAT

Researchers at Stairwell have seen new activity and VileRAT variants spread through modified, legitimate installers that also carry VileLoader.

Kaspersky reported that in the past, the infection was distributed via malicious documents and LNK files, as well as utilizing companies’ public chatbots. 

Figure: New TTP in contrast with their past use of malicious documents

It relies on a malicious Nulloy media player installer that is used to deploy VileLoader. VileLoader is packaged in the Nulloy installer and launched by the NSIS install script.

Figure: NSIS install script

This copy of VileLoader (NvStTest.exe) is a modified version of a legitimate NVIDIA 3D Vision Test Application.

“VileRAT’s core component is stored in a compressed, Xored, and base64 encoded buffer within the payload unpacked from VileLoader. The decoded output contains a JSON configuration for the implant, containing the time VileRAT was started, control servers, and the encryption key for C2 communication,” researchers explain.
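The layered encoding the researchers describe (base64 over XOR over compression, wrapping a JSON config) is the kind of thing an analyst unwraps in a triage script. The following is an added example, not code from the Stairwell report or from the malware: the XOR key, the use of zlib as the compression layer, the layer order, and the JSON field names are all assumptions, and the sample config is constructed for the demonstration.

```python
import base64
import json
import zlib
from itertools import cycle

# Assumed repeating XOR key; a real sample's key must be recovered from the loader.
XOR_KEY = b"placeholder-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample_blob(config: dict, key: bytes) -> bytes:
    """Constructed test fixture: JSON -> zlib -> XOR -> base64.

    Only used here to produce input for the decoder below.
    """
    raw = json.dumps(config).encode()
    return base64.b64encode(xor_bytes(zlib.compress(raw), key))


def decode_config_blob(blob: bytes, key: bytes) -> dict:
    """Peel the layers in reverse order and parse the embedded JSON config.

    Raises ValueError if any layer does not decode, which is the usual
    symptom of a wrong key or a different compression scheme.
    """
    try:
        data = base64.b64decode(blob, validate=True)
        data = zlib.decompress(xor_bytes(data, key))
        return json.loads(data)
    except (ValueError, zlib.error) as exc:
        raise ValueError(f"config blob did not decode: {exc}") from exc


def extract_indicators(config: dict) -> dict:
    """Pull out the fields the report says the config carries.

    Field names ("start_time", "servers", "key") are assumed, not taken
    from the real implant. The C2 key is reported by length only.
    """
    return {
        "started": config.get("start_time"),
        "c2_servers": list(config.get("servers", [])),
        "c2_key_length": len(config.get("key", "")),
    }
```

Against a real sample the decoder is only useful once the XOR key and compression algorithm have been confirmed from the unpacked VileLoader payload; the fixture here exists so the unwrap logic can be checked offline.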

Final Words

Evilnum has previously employed spear phishing as its main approach for targeting and gathering private financial data.

As of now, researchers estimate that between 1,000 and 10,000 devices are infected overall with this VileRAT strain.

Although highly skilled threat actors like OnionDuke and APT37 have used software piracy to conduct extensive exploitation campaigns, seeing Evilnum adopt it marks a notable departure from the group’s previously disclosed strategies.

Sujatha is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, she covers cybersecurity news, technology, and other news.