VileRAT Malware Used to Target Crypto Trading Companies
VileRAT is the name of a piece of multi-functional malware that was used to target a number of entities located in European and Middle-Eastern countries over the course of the last 12 months.
VileRAT was responsible for attacks primarily on foreign exchange and cryptocurrency trading entities and organizations. The malware is linked to the threat actor known by the alias of DeathStalker.
VileRAT uses an infection chain that commonly starts with a malicious Office document. Rather than carrying the malicious macros itself, the document uses remote template injection: it references a DOTM template hosted on a remote server, and the macros arrive with that template when the file is opened, which helps the lure evade static inspection of the document alone.
The next step of the chain involves the VileDropper component of the malware, which relies on obfuscated JavaScript code used to deliver the VileLoader module. Ultimately, VileLoader is responsible for downloading and executing the final VileRAT payload.
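Because the document that starts the chain contains no macros of its own, a useful triage check is to inspect the relationship that tells Word where to fetch the attached template from. The Python below, added here as an example and not code from the original report or from the DeathStalker tooling, opens a .docx as the zip archive it is, reads word/_rels/settings.xml.rels, and flags any attachedTemplate relationship whose target points off-host (an http(s)/ftp URL or a UNC path); local file:/// targets, which Word writes for templates on disk, are reported but not treated as remote. The sample documents it scans are constructed in memory, and the hostnames in them are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship namespace and the attachedTemplate relationship type
# (standard values from the Office Open XML specification).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote_target(target):
    """True if a template target would be fetched from another host:
    an http(s)/ftp URL or a UNC path. Local file:/// targets are not remote."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlparse(target).scheme.lower() in REMOTE_SCHEMES


def attached_template_targets(docx_bytes):
    """Every attachedTemplate Target declared in word/_rels/settings.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [rel.get("Target", "")
            for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE]


def remote_templates(docx_bytes):
    """Targets that make Word pull a template from another host on open."""
    return [t for t in attached_template_targets(docx_bytes) if is_remote_target(t)]


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed sample, not a real lure).
    If template_target is given, the document declares it as its attached template."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    settings = (f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
                + "</w:settings>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical hosts; nothing here is a real indicator.
    samples = [
        ("no template", build_sample_docx()),
        ("local template",
         build_sample_docx("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")),
        ("remote template", build_sample_docx("http://template.example.invalid/invoice.dotm")),
        ("UNC template", build_sample_docx("\\\\fileserver.example.invalid\\share\\t.dotm")),
    ]
    for label, doc in samples:
        print(f"{label}: remote targets = {remote_templates(doc)}")
```

On a real document, pass the file's bytes to remote_templates(); a non-empty result is a strong reason to detonate the file in a sandbox with the template host reachable, since the macro logic only exists on that host. The check covers Word documents only; the same pattern (an External relationship pointing off-host) can be searched for in other OOXML rels parts.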
VileRAT itself has a versatile toolkit at its disposal. It can execute arbitrary commands, log keystrokes, establish persistence through scheduled tasks, enumerate the anti-malware software installed on the victim system, delete files, and update itself from its command-and-control servers.
VileRAT has been used in attacks on targets located in several European countries, including Russia, as well as against targets in Kuwait and the United Arab Emirates.