Verblecon
Malware
⚠️ Overview
Verblecon is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in June 2021 and attributed to the threat group TA551 (also tracked as Shathak), which is known for distributing malware via malspam campaigns. It falls under the category of credential-stealing malware designed to exfiltrate sensitive information from compromised systems.
🔧 Technical Capabilities
Verblecon propagates primarily through phishing emails containing malicious Word documents (DDE and macro-based) that download the payload from a compromised website or C2 server. Its attack vectors include using crafted .iso or .vhd files to bypass Mark-of-the-Web protections. The malware employs a custom C2 protocol over HTTPS, using HTTP POST requests to send stolen data and receive commands. Persistence is achieved by creating a scheduled task or adding a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include sandbox detection by checking system uptime, disk size, and installed software, as well as using encrypted strings and API obfuscation to hinder static analysis. Unit 42 reported that Verblecon can log keystrokes, capture clipboard data, and harvest credentials from web browsers and email clients.
📜 History & Notable Incidents
Verblecon first appeared in early 2021 targeting organizations in the United States, Germany, and the United Kingdom, primarily in the manufacturing, legal, and financial sectors. A notable campaign in July 2021 involved spear-phishing against a UK legal firm, leading to the exfiltration of confidential client data. No official CVEs are directly associated with Verblecon, as it relies on social engineering and known vulnerabilities in Microsoft Office (e.g., CVE-2017-0199) for initial access. Law enforcement has not publicly announced any arrests or takedowns related to the malware as of 2025.
🔍 Detection Indicators
Known file hashes include MD5: 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d (from Unit 42 sample analysis) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral indicators include outbound HTTPS connections to uncommon top-level domains (e.g., .top, .club) with User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36". Registry persistence keys often contain the string "Verblecon" in the value name. Network IOCs include C2 domains such as "update-ver[.]top" and "sync-ver[.]club".
☠️ Risk & Impact
Verblecon causes credential theft and data exfiltration, often leading to subsequent ransomware deployment (e.g., Hive or BlackCat) by the same threat group. Financial losses are difficult to quantify but are estimated in the millions of dollars due to business disruption and ransom payments. Affected sectors include legal services, manufacturing, and financial services, with medium-sized enterprises being the primary targets.
🛡️ Mitigation
Defenders should implement email filtering to block malicious attachments, enforce macro execution policies, apply security updates for Microsoft Office (especially CVE-2017-0199), and deploy endpoint detection and response (EDR) solutions with behavioral rules for scheduled task creation and registry persistence. Unit 42 recommends using YARA rules based on the malware's unique strings and monitoring for outbound HTTPS traffic to known C2 domains.
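As an added example (not from the page or from Unit 42), the following Python routine applies the network and registry indicators listed above to constructed proxy and registry telemetry; the event schema and field names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Indicators quoted in the profile; defanged brackets are removed for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("update-ver[.]top", "sync-ver[.]club")}
UNCOMMON_TLDS = (".top", ".club")
VERBLECON_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

def check_proxy_event(event):
    """Return the reasons a proxy record matches the profile's network indicators."""
    host = urlsplit(event["url"]).hostname or ""
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    # Behavioral indicator: POST to an uncommon TLD using the reported User-Agent.
    if (host.endswith(UNCOMMON_TLDS) and event.get("method") == "POST"
            and event.get("user_agent") == VERBLECON_UA):
        reasons.append(f"POST to uncommon TLD with Verblecon User-Agent ({host})")
    return reasons

def check_registry_event(event):
    """Return the reasons a registry write matches the Run-key persistence indicator."""
    reasons = []
    if (event["key"].lower().startswith(RUN_KEY)
            and "verblecon" in event["value_name"].lower()):
        reasons.append(f"Run key value '{event['value_name']}' contains 'Verblecon'")
    return reasons

def scan(events):
    """Evaluate each event and return (event_id, reasons) for every hit."""
    hits = []
    for ev in events:
        reasons = check_proxy_event(ev) if ev["type"] == "proxy" else check_registry_event(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample telemetry (hypothetical, not from the page) for a stand-alone run.
SAMPLE_EVENTS = [
    {"id": 1, "type": "proxy", "method": "POST", "url": "https://update-ver.top/gate", "user_agent": VERBLECON_UA},
    {"id": 2, "type": "proxy", "method": "GET", "url": "https://www.example.com/", "user_agent": VERBLECON_UA},
    {"id": 3, "type": "proxy", "method": "POST", "url": "https://cdn-stats.club/p", "user_agent": VERBLECON_UA},
    {"id": 4, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "VerbleconUpdater"},
    {"id": 5, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```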