Hidden in the Crowd: The Risk of Group-Delivered Malware

November 6, 2024

Author: Max Gannon

In most cases, threat actors make use of one or more delivery mechanisms to place a single malware sample on a victim’s computer. This is because most of the time only that one file is needed to completely compromise a computer and, in many cases, other computers on the same network. In more rare cases, a single threat actor will deliver malware such as a Remote Access Trojan (RAT) and a Keylogger or Information Stealer to complement the RAT and harvest information that the RAT may have difficulty collecting without being detected. Even less frequently a threat actor will deliver a Loader or RAT and use it to install additional malware that they do not directly control. While this malware may sometimes be a Keylogger or Information Stealer, the information and data exfiltrated by it is not collected by the threat actor behind the original infection. This is because the original threat actor has acted as an Initial Access Broker (IAB) and sold access to the infected computer or network to a different threat actor. This is a method commonly used to deliver Ransomware. 

This report discusses some of the top combinations of malware seen from October 2022 to October 2024. Although some of these malware combinations appear to be used to complement each other and are likely controlled by the same threat actor, others appear to be instances where a threat actor has made a partnership to deliver another threat actor’s malware.

Malware Families

Given the time frame covered in this report there are a large number of malware families involved. A brief description of the top 10 malware families seen delivered in groups is provided below. It is worth noting that because each of the RATs described here is capable of loading additional malware when given a command from its C2, each RAT can also be assumed to act as a limited Loader. The biggest difference between a Loader (malware which is intentionally designed to load and run additional malware) and a RAT that has the capability to load additional malware is that a Loader has additional capabilities like running the loaded malware in memory with privilege escalation using methods that make it difficult to detect whereas a RAT will typically download an executable or script to disk and then run it.

Agent Tesla Keylogger

Agent Tesla is a Keylogger written in .NET. It can monitor keystrokes, take screenshots, steal passwords from a variety of applications, and exfiltrate this data back to the threat actor using multiple different methods. Though it has been regularly used by threat actors over the past eight years, its usage soared in late 2020 and early 2021. Although it is becoming less common in Secure Email Gateway (SEG) protected environments it is still a threat and is commonly used by a wide variety of threat actors. For more information, our malware baseline on Agent Tesla Keylogger is available here.

Anarchy RAT

Anarchy RAT, also called Anarchy Panel HVNC RAT, includes Information Stealer, RAT, and Hidden Virtual Network Computing (HVNC) components. It has a suite of functionalities with a focus on enabling undetectable HVNC access. The Anarchy Stealer component is the one most often seen in the wild. As it is a RAT, Anarchy RAT does have the ability to load additional malware; however, threat actors using it most often focus on its Information Stealer and HVNC components.

Async RAT

Async RAT is a very basic but widely used RAT. Although it was created in 2019, the publicly available version has seen few significant updates since. It has many derivative malware families, including DcRAT and Venom RAT, that also see widespread usage, and it is common in both home user and large enterprise environments. Because Async RAT is so basic, it has relatively few options that enable it to bypass Endpoint Detection and Response (EDR) tools, so it does not typically last long in enterprise environments. However, it can perform several potentially damaging actions before it is detected. It has seen wide use by both Advanced Persistent Threat (APT) groups and more inexperienced threat actors for everything from basic monitoring to delivering Ransomware.

DcRAT

DcRAT is based on Async RAT and is capable of taking control of a user's system, logging keystrokes, stealing passwords, and many other capabilities. DcRAT is intended to be harder to detect than Async RAT and has some additional functionalities such as a Discord credential recovery option. Despite the creators' intentions, DcRAT is often detected as Async RAT, and configuration extractors that work on Async RAT will also often work on DcRAT. DcRAT is a less common malware family than Async RAT, but it still sees relatively widespread usage.

FormBook

FormBook consistently placed in the top 5 malware families most commonly seen by Cofense Intelligence for much of 2022 and 2023. FormBook, which is known for being a form grabber, first appeared for sale in early 2016, and more recently it was updated and rebranded as XLoader in late 2020. It is simple, easy to use, has many capabilities, and is highly popular. What differentiates it from other Information Stealers is its specialty in stealing form-fill data stored in browsers, data that is too complex for many other Information Stealers to process.

Loda

Loda is a multifunctional malware Loader and RAT with extensive capabilities for gathering and exfiltrating victim information from infected computers. It is a modular malware capable of many different tasks, including logging keystrokes, stealing browser credentials, collecting passwords from FTP, IM, and email clients, and loading additional malware. Although it is most often seen being used as a RAT, its capabilities as a Loader make it better suited for loading additional malware than most RATs.

Venom RAT

Venom RAT is a DDoS capable, multi-functional RAT with keylogging, basic information stealing, and VNC features. It is related to Quasar RAT, Async RAT, and the Async RAT derivative DcRAT. It claims to be most closely related to Quasar RAT while adding rootkit, VNC, and RDP capabilities and more developed credential theft. Like most RATs, it is technically capable of loading additional malware by manually providing command line arguments but does not have a specific command to do so.

Vjw0rm

Vengeance Justice Worm (Vjw0rm) is a publicly available, modular JavaScript RAT. Users are able to include modules for such functionality as propagation, denial of service, and the ability to act as an intermediate downloader for further payloads. It was particularly popular in 2022, but it has seen a significant decline in popularity. Vjw0rm makes use of the User-Agent field when exfiltrating stolen information. This was previously very popular, but with EDR’s continually improving ability to monitor User-Agents, this has become less effective. Like most RATs, it is technically capable of loading additional malware by manually providing command line arguments but does not have a specific command to do so.

WSH RAT

WSH RAT is a variant of H-worm and, unlike H-worm, continues to be relatively popular. WSH RAT behaves in much the same way as H-worm, including the use of the same configuration structure. WSH RAT has many different capabilities including keylogging, browser password scraping, and the ability to download and run additional files. WSH RAT has also been seen downloading and executing third party tools for further exploitation of the endpoint. WSH RAT is typically an obfuscated .vbs file but can also be a .js file. Like most RATs it is technically capable of loading additional malware by manually providing command line arguments. It differs from most of the RATs listed here in that it has specific functionality to load additional malware.

XWorm RAT

XWorm RAT is a RAT that can perform webcam and microphone monitoring, clipboard management, USB spreading, DDoS attacks, ransomware, HVNC, and more. It is often used to log keystrokes and capture screenshots. Like most RATs it is technically capable of loading additional malware by manually providing command line arguments, but it also has specific commands to download and run files both from disk and in memory.

Groups

When malware is delivered in a group it most often consists of a RAT or Loader which runs one additional malware family. Recently, cases of multiple malware families being run together have become more common, but only within the last eight months. When run together, it is common for all of them to be run in memory and injected into legitimate processes like notepad.exe; however, on rare occasions sets of files may also be dropped to disk and executed. The following are some of the most common groups of malware seen from October 2022 to October 2024.

Agent Tesla Keylogger with Quasar RAT

Campaigns delivering Agent Tesla Keylogger and Quasar RAT together were particularly common in Q4 of 2022. These campaigns were typically Finance-themed and utilized an attached DotNETLoader to deliver both malware families and run them in memory. These campaigns were likely conducted by the same threat actor as the Quasar RAT samples all utilized the same C2, 37[.]139[.]128[.]94:5000. While the Quasar RAT samples were consistent, the Agent Tesla Keylogger samples used both email addresses, which are the most common method, and URLs, which are particularly rare, for data exfiltration.

Async RAT with Quasar RAT or XWorm RAT

In January of 2023, there were several phishing campaigns utilizing a OneNote file and a Malicious Batch Script to deliver Async RAT. Async RAT was then used to deliver DBat Loader, which then delivered one or more additional RATs. The use of OneNote files was very unusual, and using Async RAT to deliver DBat Loader was even more unusual, which made these campaigns stand out. The RAT most frequently delivered by DBat Loader in these campaigns was Quasar RAT. In all cases of the campaign, both Async RAT and Quasar RAT were run in memory which would make detection of this campaign by EDR difficult. In Q2 2024, campaigns delivering both Async RAT and XWorm RAT became more common. These campaigns were typically Finance-themed and continued to run the RATs in memory, making EDR detection difficult. They also made use of .url, .lnk, .bat, and Python files, and were among the first of this type of campaign. Campaigns like this were later developed into larger scale campaigns delivering up to five different malware families.

ConnectWise RAT with Async RAT

ConnectWise is a known, technically legitimate, Remote Access Tool. However, it is so frequently repurposed and used maliciously by threat actors that it is often referred to as a Remote Access Trojan (RAT). Several Notification-themed campaigns occurring from late Q2 2024 to late Q3 2024 made use of ConnectWise RAT to deliver Async RAT. In these campaigns, ConnectWise RAT would be delivered via either an embedded URL or an attached HTML file. ConnectWise RAT would make contact with its C2 and download a script such as a WSF, PowerShell, or VBS which ConnectWise RAT would then use to run Async RAT in memory. ConnectWise RAT is a multipurpose RAT and has been seen downloading other malware such as XWorm RAT, but this sustained campaign of it delivering only Async RAT was noteworthy as it indicated that the owners of the ConnectWise RAT binaries were likely selling access to the infected computers to a different threat actor. An example of one of the campaigns using ConnectWise RAT to deliver Async RAT can be seen in Figure 1.


Figure 1: A sample of the emails delivering ConnectWise RAT which eventually delivered Async RAT.

Loda with XRed Backdoor

In a series of Finance-themed campaigns from late Q1 2024 to late Q3 2024, threat actors delivered both Loda and XRed Backdoor together using a Delphi Loader. The executables were often even in the same downloaded archive. This is unusual, as Loda is often used to load additional malware, so making it run concurrently with XRed Backdoor was a surprising choice on the threat actor’s part. The most likely explanation is that the threat actor feared Loda would either be detected and deleted or have its network traffic blocked, making successful payload deployment unlikely. Since either scenario is reasonably possible, it is a better choice to deliver XRed Backdoor directly instead of relying on Loda to deliver it. Another unusual aspect of this campaign was that although the Loda C2s were the same in every case, making the campaigns clearly connected, the languages of the campaigns included Thai, Spanish, and English rather than just one language, as is typically the case. An example of one of the campaigns delivering both Loda and XRed Backdoor can be seen in Figure 2.


Figure 2: Sample email of the campaign delivering both Loda and XRed Backdoor.

Vjw0rm with Async RAT, FormBook, or WSH RAT

Vjw0rm is a relatively simple and straightforward RAT which was particularly popular in the latter half of 2022. A series of Finance-themed campaigns in Q4 2022 saw it directly delivering Async RAT. Rather than a C2 directing Vjw0rm to download and execute an Async RAT binary, the script file running Vjw0rm unpacked a section of itself to drop and run Async RAT. This behavior is unusual, as it indicates that the threat actor behind the delivery of Vjw0rm intended for Async RAT to also be delivered by default. The C2 used by Vjw0rm in all of these campaigns was the same while the C2s used by Async RAT were all different.

Another series of campaigns from late Q2 2022 to Q4 2022 saw Vjw0rm being used to deliver FormBook. Much like the campaigns delivering Async RAT, the FormBook binary was embedded in the script used to run Vjw0rm. The Vjw0rm samples in these campaigns also used the same C2 as the Vjw0rm samples seen delivering Async RAT, making it likely that these campaigns were being operated by the same threat actor. The only other difference between these campaigns is that the Vjw0rm samples seen delivering FormBook also made use of multiple additional JavaScript files, whereas the ones seen delivering Async RAT were far more limited.

The last connected campaign of Vjw0rm being used to deliver malware was a large number of campaigns in Q4 2022 which saw Vjw0rm using the same C2 but delivering WSH RAT. Yet again, the WSH RAT binaries were embedded in the scripts used to run Vjw0rm. Similar to the Async RAT campaigns, the WSH RAT C2s were also not consistent, using different dynamic DNS domains and ports. Based on the fact that the Vjw0rm C2s are the same in all instances but the Async RAT, FormBook, and WSH RAT C2s are not, it is plausible that the threat actors behind Vjw0rm sold access to machines before the Vjw0rm infection even took place.

WSH RAT with Agent Tesla Keylogger

In Q3 and Q4 of 2023 a series of WSH RAT campaigns were seen delivering Agent Tesla Keylogger. The majority of the WSH RAT campaigns shared a C2 and they were all Finance-themed. Much like the Vjw0rm campaigns of 2022, the scripts used to run WSH RAT also contained an embedded Agent Tesla Keylogger executable. Although the WSH RAT script was sometimes delivered directly, when it was delivered by a delivery mechanism such as a JSDropper or VBS it often was hosted on grapemundo[.]com, further linking the campaigns together. The Agent Tesla Keylogger C2s were not consistent across these campaigns making it likely that, much like in the Vjw0rm campaigns, the threat actors behind the WSH RAT campaigns were selling access rather than installing additional malware to work for them.
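The inference drawn from the Vjw0rm and WSH RAT campaigns above (a stable first-stage C2 paired with a different C2 for every dropped payload suggests sold access rather than a single operator) can be turned into a repeatable check over paired-sample telemetry. This is an added example, not Cofense code; the sample records and every C2 value in it are constructed placeholders, and the "Loader X" contrast family is hypothetical.

```python
"""Group paired-malware samples by first-stage family and compare how many
distinct C2s each stage uses.  Added example, not Cofense code.
All C2 strings below are constructed, defanged placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PairedSample:
    first_stage: str      # family that ran first (e.g. Vjw0rm, WSH RAT)
    first_stage_c2: str   # its C2
    second_stage: str     # family it dropped
    second_stage_c2: str  # C2 of the dropped family


# Constructed telemetry mirroring the report's pattern: one Vjw0rm C2 reused
# across campaigns while every embedded payload phones home somewhere else.
SAMPLES = [
    PairedSample("Vjw0rm", "vj-c2[.]example", "Async RAT", "a1[.]ddns[.]example:6606"),
    PairedSample("Vjw0rm", "vj-c2[.]example", "Async RAT", "a2[.]ddns[.]example:4449"),
    PairedSample("Vjw0rm", "vj-c2[.]example", "FormBook", "fb-panel-1[.]example"),
    PairedSample("Vjw0rm", "vj-c2[.]example", "WSH RAT", "w1[.]ddns[.]example:5050"),
    PairedSample("Vjw0rm", "vj-c2[.]example", "WSH RAT", "w2[.]ddns[.]example:5051"),
    # Hypothetical contrast: a single operator running both stages keeps
    # both C2s stable, so this family should not be flagged.
    PairedSample("Loader X", "lx-c2[.]example", "Stealer Y", "sy-c2[.]example"),
    PairedSample("Loader X", "lx-c2[.]example", "Stealer Y", "sy-c2[.]example"),
    PairedSample("Loader X", "lx-c2[.]example", "Stealer Y", "sy-c2[.]example"),
]


def c2_consistency(samples):
    """Return {first_stage: (distinct first-stage C2s, distinct second-stage C2s, samples)}."""
    by_family = defaultdict(list)
    for s in samples:
        by_family[s.first_stage].append(s)
    result = {}
    for family, rows in by_family.items():
        first = {r.first_stage_c2 for r in rows}
        second = {r.second_stage_c2 for r in rows}
        result[family] = (len(first), len(second), len(rows))
    return result


def likely_access_brokering(samples, min_samples=3):
    """Flag first-stage families whose own C2 never changes while every
    dropped payload uses a different C2: the access-sale pattern above."""
    flagged = []
    for family, (n_first, n_second, n) in c2_consistency(samples).items():
        if n >= min_samples and n_first == 1 and n_second == n:
            flagged.append(family)
    return sorted(flagged)


if __name__ == "__main__":
    print(c2_consistency(SAMPLES))
    print("access brokering suspected:", likely_access_brokering(SAMPLES))
```

The threshold `min_samples` keeps a single observed pair from triggering the verdict; the report's own reasoning rests on many campaigns sharing the first-stage C2.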

XWorm RAT with DcRAT, Venom RAT, Pure Logs Stealer, Async RAT, Anarchy RAT, and Waltuhium Grabber

A series of ongoing SEG bypassing campaigns with various RATs and Information Stealers began in early 2024. The campaign has been seen using German, Italian, and English but focuses primarily on English language users. The campaigns typically begin with a .lnk or .url file that is downloaded via an embedded URL. In some cases, the embedded URL leads to a site that copies a PowerShell command to the clipboard and encourages the victim to execute it. Out of all possible methods to initiate the infection, a downloaded URL file is currently the most common. Following a series of scripts, these campaigns typically deliver an archive containing several legitimate Python scripts and the relevant files to run them. These Python scripts launch a legitimate process, typically notepad.exe, and then inject malware into the process. There are a large number of potential malware families, but the most common are XWorm RAT, DcRAT, Venom RAT, Pure Logs Stealer, Async RAT, Anarchy RAT, and Waltuhium Grabber. These campaigns typically host their intermediary script files as well as the Python files on a subdomain of trycloudflare[.]com. These campaigns are unusual not only because of their various delivery methods but also because there are so many RATs involved. Typically, a single RAT is all that is needed as multiple RATs can get in each other’s way. The use of multiple RATs, which typically also use different C2s rather than the same C2 on different ports, indicates that the threat actors may not be using the RATs themselves but rather selling the access to other threat actors. An example of one of the campaigns delivering XWorm RAT with Venom RAT, Anarchy RAT, and Waltuhium Grabber can be seen in Figure 3.


Figure 3: Sample email of the campaign delivering XWorm RAT with Venom RAT, Anarchy RAT, and Waltuhium Grabber.
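The multi-RAT campaign described above leaves a recognisable host footprint: a Python interpreter launches notepad.exe, and that notepad.exe then opens connections to a trycloudflare.com subdomain and to several unrelated C2 hosts. The following is an added detection example, not Cofense code; the events are constructed in a Sysmon-like shape (event 1 = process create, event 3 = network connect), and the host names, paths and PIDs are placeholders.

```python
"""Flag a legitimate process that was spawned by a scripting host and then
talks to the network.  Added example, not Cofense code; events are constructed."""
from collections import defaultdict

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
INJECTION_TARGETS = {"notepad.exe"}          # processes that have no reason to use the network
STAGING_SUFFIXES = (".trycloudflare.com",)   # hosting observed for the intermediary scripts

# Constructed events: PID 4120 is notepad.exe started by python.exe, PID 5000 is
# a benign notepad.exe started by explorer.exe with no network activity.
EVENTS = [
    {"id": 1, "ts": 100.0, "pid": 4100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 1, "ts": 101.5, "pid": 4120, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe"},
    {"id": 3, "ts": 103.0, "pid": 4120, "dest_host": "placeholder-words.trycloudflare.com", "dest_port": 443},
    {"id": 3, "ts": 104.0, "pid": 4120, "dest_host": "c2-a.example", "dest_port": 6606},
    {"id": 3, "ts": 105.0, "pid": 4120, "dest_host": "c2-b.example", "dest_port": 4449},
    {"id": 1, "ts": 200.0, "pid": 5000, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per injection-target process with its reasons and destinations."""
    creates = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(e)
    findings = []
    for pid, c in creates.items():
        if basename(c["image"]) not in INJECTION_TARGETS:
            continue
        reasons = []
        if basename(c["parent_image"]) in SCRIPT_HOSTS:
            reasons.append("spawned_by_script_host")
        dests = {(x["dest_host"], x["dest_port"]) for x in conns.get(pid, [])}
        hosts = {h for h, _ in dests}
        if dests:
            reasons.append("network_from_injection_target")
        if any(h.endswith(STAGING_SUFFIXES) for h in hosts):
            reasons.append("tunnel_hosting_domain")
        if len(hosts) >= 2:   # several families, each with its own C2, inside one process
            reasons.append("multiple_distinct_c2_hosts")
        if reasons:
            findings.append({"pid": pid, "reasons": reasons, "destinations": sorted(dests)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The benign notepad.exe produces no finding because it has neither a scripting-host parent nor any connection; on real telemetry, correlate on process GUIDs rather than PIDs, which are reused.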