Trojan:Win32/VenomRat.RPX!MTB

The infection chain begins when a a malicious Excel file that was attached to a spam email is opened, and it then allows macros to start in an obfuscated way, VBA macro strip that downloads the main VenomRAT payload from a remote server. It has been observed that VenomRAT is downloaded from certain domains, from www[.]js-hurling[.]com and saved onto the targeted device into the %AppData% directory as ijii.exe. 

The downloaded file is classified as a .NET application that has been obfuscated using “Eazfuscator.NET” to make reverse-engineering or analysis more difficult. Once launched, the malware runs a decryption routine on an embedded resource that is encrypted using a 3DES encryption algorithm, at which point a malicious library loads directly into memory and deploys several components. One of the components is a rootkit that is based on the open source r77 project; this rootkit is designed to hide any files and/or processes that contain the $77 prefix in their respective names so that they are not noticed. 

To ensure it survives a reboot of Windows and gets elevated privileges, VenomRAT uses a method to bypass User Account Control (UAC) and modifies the Windows AppInit_DLLs registry auto-load mechanics to keep loading the rootkit files (r77-x86.dll and r77-x64.dll). It also sets persistence by creating a scheduled task called Windows.Gaming.Preview to run the malicious payload at three-minute intervals. For the purposes of data theft, Velos Stealer (one of the stealers included with the malware) collects information from web browsers (stored passwords, credit cards, cookies) and FileZilla connection logs, and files from the desktop, zipping up all of the stolen information into an archive with the name "Passwords.zip" for exfiltration. 

The malware also directly modifies various Windows settings by running scripts to turn on Remote Desktop Protocol (RDP) through registry modification, creates a new local user account named "Venom" where the password is "Venom", and modifies the Windows firewall to allow RDP traffic. For command and control, VenomRAT uses several communication methods: it pulls its operating command from a Pastebin URL, and it is configured to connect back to a main command and control (C2) server at the IP address 94[.]156.253[.]109. It also uses services such as ngrok[.]io.