VileRAT Attacking Windows Machines via Malicious Software
A new variant of VileRAT is being distributed through fake software pirate websites to infect Windows systems on a large scale.
This Python-based VileRAT malware family is believed to be specific to the Evilnum threat group, DeathStalker, which has been active since August 2023.
It is frequently observed being spread by the VileLoader loader, which is designed to run VileRAT in-memory and limit on-disk artifacts.
It functions similarly to conventional remote access tools, allowing attackers to record keystrokes, run commands, and obtain information remotely. Because VileRAT is extensible and modular, actors can use the framework to implement new features.
According to public reports, Evilnum is a hacker-for-hire service with a history of attacking governments, legal offices, financial institutions, and cryptocurrency-related organizations in the Middle East, the UK, the EU, and the Americas.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
New Variants of VileRAT
Researchers at Stairwell have seen new activity and VileRAT variants spread through modified, legitimate installers that also carry VileLoader.
Kaspersky reported that in the past, the infection was distributed via malicious documents and LNK files, as well as utilizing companies’ public chatbots.
It relies on a malicious Nulloy media player installer that is used to deploy VileLoader. VileLoader is packaged in the Nulloy installer and launched by the NSIS install script.
This copy of VileLoader (NvStTest.exe) is a modified version of a legitimate NVIDIA 3D Vision Test Application.
“VileRAT’s core component is stored in a compressed, Xored, and base64 encoded buffer within the payload unpacked from VileLoader. The decoded output contains a JSON configuration for the implant, containing the time VileRAT was started, control servers, and the encryption key for C2 communication, ” researchers explain.
