Fileless Remcos RAT Malware Delivery

The ASEC analysis team identified that Remcos RAT malware is being distributed through malicious macros in Excel files. As for the malware, the team introduced it in detail in the post linked below this text. While the method of coming into the system through spam mails is the same as before, it should be noted that the Remcos RAT malware is ultimately delivered filelessly after going through multiple loader stages.

In summary, the overall operation method is as follows:

Figure 1. Operation process of fileless Remcos RAT malware

 

The attacker attaches Excel files that include malicious macros to e-mails for distribution, When the macro is executed, it uses PowerShell to download a JS file and additional data. Afterward, Remcos RAT malware is run with the method of being injected into the normal Windows process MSBuild.exe.

Figure 2. Spam mail used by the attacker to distribute Excel file

 

The spam mail tells the reader not to reply as it is an automated message and asks to check and open the attached file. There are cases where Remcos RAT malware is directly distributed as an attachment file, but in this case, the attacker used a macro in Excel file to download it.

Figure 3. XLS file attached to the e-mail As shown in the block box, column A is hidden.

 

Figure 4. Text hidden behind image

 

Figure 5. Excel VBA macro code

 

Opening the attached Excel file shows that it is not much different from other malicious Excel macro files. Yet because the macro code from Figure 5 used values from cells A5, A6, and A7, we can assume that the attacker intentionally hid column A (see Figure 3).

The VBA macro code shows that it first uses the hyperlinks function for data in cells A5, A6, and A7. Then to execute the system command, the macro uses the ShellExecute method of the Shell Application (cell A7) object to run the data in cell A5 with “P” + owershell (cell A6 data in reverse order).

Figure 6. Decoded result of cell A5 text

 

Decoding the data of cell A5 which is ultimately executed by using powershell in the VBA code shows the figure above. With the launchbar set as hidden, the macro downloads the js file from hxxp://192.227.158[.]111/fud.js, saves in the %APPDATA% path with the filename of fud.js, and runs the file.

Figure 7. Process tree confirmed upon running js file (AhnLab RAPIT)

 

Figure 8. Result of decoding Encoded binary inside fud.js file

 

The fud.js file can be roughly divided into two parts. The following shows some noticeable traits of the code.

1) Maintain persistence (cmd.exe)
　● Copies the js file in the sub path of %APPDATA%Roaming and registers in the RUN registry.
　● reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lol
　● reg_value: C:\Users\[user name]\AppData\Roaming\fud.js

2) Load binary (powershell.exe)
　● AMSI (Anti-Malware Scan Interface) Bypass
[Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)
　● Test-Connection cmdlet
　Performs the connection test to google.com and check if the PC can be connected to a network.
　● Download additional malicious data
　Downloads the string from the external URL (hxxp://vendorcreditglobal[.]online/file/dino.jpg).

Figure 9. Encoded data file disguised as JPG extension (powershell code)

 

Figure 10. Part of decoded powershell code

 

Figure 11. msbuild.exe injection code

 

From the PE signature 4D5A (MZ) shown in the small black box from Figure 10, we can assume that the PE file will be loaded in the future. The PE file is the first object found within the powershell code, which is a dll file packed in the .NET form. The second object is a file with the gzip form, and within gzip, there is Remcos RAT malware.

The function ‘[YESS]::f77df00sd’ found in the last part of Figure 11 injects itself to the normal process MSBuild.exe and loads the first object .NET binary, which allows the second object Remcos RAT malware to be executed.

Remcos used for this attack was found to be the latest version released on June 18th.

Figure 12. Remcos RAT V.3.1.5

 

Figure 13. Packet capture of Remcos RAT C2 (RST)

 

As we can see from the packet capture shown above, RST packets are being received when the malware attempts to connect to the Remcos C2 server. When the server is on, it is likely that the malware will leak data obtained with the keylogger and will perform additional features.

Users should refrain from opening emails from unknown sources and not run or enable macro when downloading attachment files. If the security level of the document program is set to low, macros may run automatically without any notification. Therefore, users should set the security level to high to prevent any unintended features from being run.

Also, users are advised to update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malicious types of files introduced in the post using the aliases below.

[File Detection]
Downloader/XLS.Agent
Trojan/Script.Obfuscated
Trojan/PowerShell.Remcos
Infostealer/Win.Agent.C4406797
Trojan/Win.RemcosRAT.R418128

MD5

0006e15486d33e1e6e6a8731e5880612

5f26df061368bc395b87d693afb35990

60a903c61969620e47d53a73834ab687

c140a58ffaf225f718f458f7f3d5fb0c

d2a77c2544cc8621d1aa94712f04b8f2

URL

http[:]//192[.]227[.]158[.]111/fud[.]js

http[:]//vendorcreditglobal[.]online/file/dino[.]jpg

FQDN

twistednerd[.]dvrlists[.]com